CIO Data

Three ways GDPR will continue to present a major risk to enterprises and humanity


Plenty of articles have already been written about the challenges the General Data Protection Regulation (GDPR) poses for enterprises. Even so, there are three key aspects that enterprises have not considered, let alone addressed. Before digging into them, it is worth setting some context around GDPR.


In summary, the GDPR rules govern how personal data must be protected and give people more control over their personal data. The regulation covers a number of aspects and can be read in its entirety on the official EU GDPR website.

So, what is the issue? Much of the conversation has treated the new regulation as if it were easily implementable. That may be true for data collected from now on, but what about data collected in the past? Enterprises hold a wealth of existing information spread across complex systems and processes, and that complexity is precisely what makes GDPR compliance hard.

One of the more prominent components of GDPR is the ‘right to be forgotten’ (Article 17, the right to erasure). It means that a person can formally request that an organisation delete their personal data. On the surface, the right to be forgotten might seem fairly straightforward. Unfortunately, the truth is far from it, and there are three significant aspects that few have considered at all. Let’s break down each issue and how it might be addressed.


Today, many databases organize data around a key, and often that key is derived from a person’s name, email address or some other identifying attribute. If the person asks for their personal data to be deleted, that creates a problem for anyone who needs to keep the non-identifying records attached to the same key: the person wants to be forgotten, yet the company must still maintain the transaction data that feeds sales figures, inventory and a myriad of other reports. Depending on how the data is architected, honouring the request could require a major restructuring of many data repositories…and of the applications that use them.

A more modern approach assigns each customer a generic customer number, keeps the identifying details in one place, and has the transactions reference only the number. GDPR calls this pseudonymisation, and it still treats the retained data as personal data whenever the remaining attributes, alone or combined with other information, can be linked back to the person. One therefore has to check that what is kept after an erasure is genuinely unable to identify the individual.
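As an added illustration of the customer-number design (example code written for this edit, not part of the original post), the following Python script builds an in-memory SQLite database in which transactions reference only a surrogate customer number. The tables, the sample customers and the choice of postcode and birth_year as quasi-identifier columns are constructed assumptions. An erasure request deletes only the identity row, aggregate reporting keeps working, and a singling-out check then shows that a retained attribute combination held by one customer alone still points at a person, which is the trap the paragraph warns about.

```python
import sqlite3
from collections import Counter

# Constructed sample data (not from the article): customers keyed by a
# surrogate number, and transactions that reference that number only.
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,   -- surrogate key, carries no meaning
    name        TEXT NOT NULL,
    email       TEXT NOT NULL
);
CREATE TABLE txn (
    txn_id      INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,      -- pseudonym, not the person's name
    sku         TEXT NOT NULL,
    amount      REAL NOT NULL,
    postcode    TEXT NOT NULL,         -- kept for logistics reporting
    birth_year  INTEGER NOT NULL       -- kept for demographic reporting
);
"""
CUSTOMERS = [
    (1, "Alice Example", "alice@example.com"),
    (2, "Bob Example", "bob@example.com"),
    (3, "Carol Example", "carol@example.com"),
]
TXNS = [
    (10, 1, "SKU-1", 19.99, "94102", 1980),
    (11, 1, "SKU-2", 5.00, "94102", 1980),
    (12, 2, "SKU-1", 19.99, "94102", 1980),
    (13, 3, "SKU-3", 42.00, "10001", 1975),
]


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO txn VALUES (?, ?, ?, ?, ?, ?)", TXNS)
    return conn


def erase_customer(conn, customer_id):
    """Honour an erasure request: delete the identity row and leave the
    pseudonymous transactions in place so sales and inventory still add up.
    Returns the number of transactions retained under the now-orphaned id."""
    with conn:
        conn.execute("DELETE FROM customer WHERE customer_id = ?", (customer_id,))
    return conn.execute(
        "SELECT COUNT(*) FROM txn WHERE customer_id = ?", (customer_id,)
    ).fetchone()[0]


def customer_count(conn):
    return conn.execute("SELECT COUNT(*) FROM customer").fetchone()[0]


def sales_total(conn):
    """Aggregate reporting keeps working after an erasure."""
    return conn.execute("SELECT SUM(amount) FROM txn").fetchone()[0]


def singled_out(conn, quasi_identifiers, k=2):
    """Return the customer_ids whose combination of retained attributes is
    shared by fewer than k distinct customers. Such a row can still be linked
    to a person with outside knowledge, so it remains personal data.
    quasi_identifiers is a trusted, hard-coded list of column names."""
    cols = ", ".join(quasi_identifiers)
    rows = conn.execute(f"SELECT DISTINCT customer_id, {cols} FROM txn").fetchall()
    group_size = Counter(row[1:] for row in rows)
    return sorted(cid for cid, *attrs in rows if group_size[tuple(attrs)] < k)


if __name__ == "__main__":
    db = build_db()
    print("singled out by postcode+birth_year:",
          singled_out(db, ["postcode", "birth_year"]))
    print("transactions kept for customer 1:", erase_customer(db, 1))
    print("customers left:", customer_count(db), "sales total:", sales_total(db))
```

The singling-out check is a simple k-anonymity test over whatever columns survive the erasure; in the sample, customer 3 is the only person with postcode 10001 and birth year 1975, so those two retained columns alone would let anyone who knows Carol’s postcode and age find her transactions. Coarsening such columns (postcode prefix, birth decade) or dropping them is what makes the surrogate-key design actually deliver the forgetting it promises.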


Closely related to data repositories is the question of where customer data resides. Do you know where yours is? Most companies know the main systems that hold customer data, but not every location where a copy may have ended up. That is a logistical problem when a customer asks to be forgotten: even if their data is removed from the main systems, what happens to the spreadsheets, documents, exports and other files that also contain it?


This is probably one of the biggest and most complicated issues for enterprises, for several reasons. Companies back up their data to secondary storage and possibly to tape for offsite storage. There are also archives, which are distinct from backups. Every one of those backups and archives contains personal data.

If a person wishes to be forgotten, how does a company ensure that all of their data is removed from those backups and archives? And if the application needs an architectural change, how is the archived and backed-up data brought in line with the new structure? The reality is that GDPR presents a significant challenge for backups and archives that is not easily solved.
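Backups are usually immutable, so rewriting them row by row is rarely an option. The one design that sidesteps the problem is to encrypt each person’s records under a key that belongs to that person and is never copied into the data backups; destroying the key (often called crypto-shredding) then renders every backup copy unreadable without touching the backups at all. The script below, added here as an illustration and not part of the original post, walks through that flow. It assumes a key vault that is excluded from data backups, and uses a stdlib-only keystream cipher built from HMAC-SHA256 in counter mode purely so that the example runs anywhere; a real system would use AES-GCM from a proper library and keep the keys in a KMS or HSM.

```python
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Illustrative stream cipher: HMAC-SHA256 in counter mode. Unauthenticated
    and used only so the example needs no third-party library; the point of the
    example is key handling, not the cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyVault:
    """One random key per data subject, held only in primary storage.
    Assumption (not from the article): the vault is excluded from data backups."""

    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        """Return the subject's key, creating one on first use."""
        if subject_id not in self._keys:
            self._keys[subject_id] = os.urandom(32)
        return self._keys[subject_id]

    def get(self, subject_id):
        return self._keys.get(subject_id)

    def destroy(self, subject_id):
        """Crypto-shredding: forgetting the key forgets every copy of the data."""
        self._keys.pop(subject_id, None)


def encrypt_record(vault, subject_id, plaintext):
    """Encrypt one record under its subject's key with a fresh nonce per record."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(vault.key_for(subject_id), nonce, plaintext)


def decrypt_record(vault, subject_id, blob):
    """Return the plaintext, or None if the subject's key has been destroyed."""
    key = vault.get(subject_id)
    if key is None:
        return None
    return _keystream_xor(key, blob[:16], blob[16:])


def erasure_demo():
    """Constructed scenario: a backup taken before an erasure request arrives."""
    vault = KeyVault()
    primary = {
        "alice/txn-1": encrypt_record(vault, "alice", b"alice@example.com bought SKU-1"),
        "bob/txn-2": encrypt_record(vault, "bob", b"bob@example.com bought SKU-2"),
    }
    backup = dict(primary)  # nightly backup copies ciphertext, never keys

    # Alice asks to be forgotten: delete her rows from primary and shred her key.
    del primary["alice/txn-1"]
    vault.destroy("alice")

    return {
        "alice_row_still_in_backup": "alice/txn-1" in backup,
        "alice_row_readable": decrypt_record(vault, "alice", backup["alice/txn-1"]),
        "bob_row_readable": decrypt_record(vault, "bob", backup["bob/txn-2"]),
    }


if __name__ == "__main__":
    for name, value in erasure_demo().items():
        print(f"{name}: {value!r}")
```

Two caveats a practitioner would add. First, this only works if it was designed in before the data was written; it does nothing for the years of plaintext already sitting on tape. Second, the key vault now needs its own disaster-recovery story, and any replica of it must also honour the destroy operation, otherwise the key survives somewhere and the forgetting is an illusion.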


Some may argue that eliminating data from primary systems is enough to meet the GDPR standard and the individual’s request. But think about it from the individual’s standpoint: when they ask to be forgotten, are they making a broad request, or asking only about the primary systems? My guess is that they do not distinguish between the systems in which the company may hold their data.

Ultimately, these rules are new and yet to be tested in court. Once case law exists, it will start to give enterprises guidance on what is in and out of scope. In the meantime, it would be wise to work out how to apply the appropriate level of governance across data wherever it resides, rather than wait for the lawsuit to come.


Beyond enterprise use of data, the right to be forgotten raises questions about the deletion of personal data in other contexts. How far will this go? It is one thing to consider data about someone in a corporate context. But what about other types of data? What about genealogy data that shows a person’s lineage? Or the records a church keeps on its members? Do birth, death, marriage and other public records count? Eventually one enters the realm of the ethics of data: what can and cannot be done, versus what should and should not? There are a lot of questions about how far this could go, and about the risks that ‘forgetting data’ brings. It seems we are still a long way from deciding what to do here.

Tim Crawford is ranked as one of the Top 100 Most Influential Chief Information Technology Officers (#4), Top 100 Most Social CIOs (#7), Top 20 People Most Retweeted by IT Leaders (#5) and Top 100 Cloud Experts and Influencers. Tim is a strategic CIO and advisor who works with large global enterprise organizations across a number of industries including financial services, healthcare, major airlines and high-tech. Tim’s work differentiates and catapults organizations in transformative ways through the use of technology as a strategic lever. Tim takes a provocative but pragmatic approach to the intersection of business and technology. Tim is an internationally renowned CIO thought leader on topics including Digital Transformation, Cloud Computing, Data Analytics and Internet of Things (IoT). Tim has served as CIO and in other senior IT roles with global organizations such as Konica Minolta/All Covered, Stanford University, Knight-Ridder, Philips Electronics and National Semiconductor. Tim is also the host of the CIO In The Know (CIOitk) podcast, a weekly podcast that interviews CIOs on the top issues facing CIOs today. Tim holds an MBA in International Business with Honors from Golden Gate University Ageno School of Business and a Bachelor of Science degree in Computer Information Systems from Golden Gate University.
