Plenty of articles have already been written about the challenges facing enterprises with regard to the recent General Data Protection Regulation (GDPR). Even so, there are three key aspects that enterprises have not considered, let alone addressed. Before digging into these three aspects, it is important to first set some context around GDPR.
In summary, the GDPR rules are intended to govern how data is protected and to give people more control over their personal data. The GDPR regulations cover a number of aspects and can be read in their entirety on the official EU GDPR website.
So, what is the issue? Much of the conversation has addressed the new regulations as if they are easily implementable. That may be easy to consider for data collection moving forward, but what about looking backwards? Enterprises have a wealth of existing information contained among the complexity of their systems and processes. Unfortunately, this complexity is precisely what creates the basis for issues around GDPR.
One of the more prominent components of GDPR is the ‘right to be forgotten.’ This means that a person can officially request that their personal data be forgotten. On the surface, the right to be forgotten might seem fairly straightforward. Unfortunately, the truth is far from it. In addition, there are three significant aspects that few have considered. Let’s break down each of the issues and how they might be addressed.
Today, many databases use a key to organize and manage data. Most times, it is based on a person’s name or some other identifiable information. If a person requests deletion of their personal data, this presents a problem for those wishing to keep the non-identifiable information. One potentially problematic scenario is where the person requests to be forgotten, yet the company needs to maintain the transaction data that ties to sales, inventory and a myriad of other factors. Depending on how the data is architected, it could require a major restructuring of many data repositories…and the applications that use them.
There are modern approaches where customers are assigned a generic customer number. However, one has to be careful that the data kept can no longer identify the person.
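As an added illustration (not from the original article), the sketch below keys sales on a generic customer number, erases the identity row on request, and scrubs free-text fields that still name the person while keeping the transaction totals. The schema, names and sample rows are constructed for the example.

```python
import sqlite3

def build_db():
    """In-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        -- Identity lives in one table, keyed by a generic customer number.
        CREATE TABLE customer (customer_id INTEGER PRIMARY KEY,
                               name TEXT, email TEXT);
        -- Sales reference only the number; 'note' is free text and can leak.
        CREATE TABLE sale (sale_id INTEGER PRIMARY KEY, customer_id INTEGER,
                           sku TEXT, amount_cents INTEGER, note TEXT);
        INSERT INTO customer VALUES (1001, 'Ada Example', 'ada@example.test');
        INSERT INTO customer VALUES (1002, 'Bob Sample', 'bob@example.test');
        INSERT INTO sale VALUES (1, 1001, 'SKU-1', 2500, 'gift wrap');
        INSERT INTO sale VALUES (2, 1001, 'SKU-7', 990,
                                 'call Ada Example before delivery');
        INSERT INTO sale VALUES (3, 1002, 'SKU-1', 2500, NULL);
    """)
    return db

def forget(db, customer_id):
    """Erase the identity row; return the sale_ids whose notes were scrubbed."""
    ident = db.execute("SELECT name, email FROM customer WHERE customer_id = ?",
                       (customer_id,)).fetchone()
    if ident is None:
        return []
    scrubbed = []
    rows = db.execute("SELECT sale_id, note FROM sale WHERE customer_id = ?",
                      (customer_id,)).fetchall()
    for sale_id, note in rows:
        # Retained rows must not repeat the name or e-mail in free text.
        if note and any(v.lower() in note.lower() for v in ident):
            db.execute("UPDATE sale SET note = NULL WHERE sale_id = ?",
                       (sale_id,))
            scrubbed.append(sale_id)
    db.execute("DELETE FROM customer WHERE customer_id = ?", (customer_id,))
    db.commit()
    return scrubbed

def revenue_by_sku(db):
    """Aggregate the business still needs after the erasure."""
    return dict(db.execute("SELECT sku, SUM(amount_cents) FROM sale GROUP BY sku"))

if __name__ == "__main__":
    db = build_db()
    print(forget(db, 1001), revenue_by_sku(db))
```

The substring match only catches exact repeats of the stored name or e-mail; other columns and combinations of fields would need their own review before the kept rows can be treated as non-identifying.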
LOCATION OF CUSTOMER DATA
In the same vein as data repositories is the location of customer data. Do you know where your customer data resides? Most companies may know some of the main locations for customer data, but not every location where customer data may reside. This presents a logistical problem when a customer requests to be forgotten. Even if their data is eliminated from the main systems, what happens to those spreadsheets, documents and other locations that contain customer data?
THE LONG TAIL OF BACKUPS AND ARCHIVES
This is probably one of the biggest and most complicated issues for enterprises for a number of reasons. Companies back up their data to secondary storage and possibly tapes for offsite storage. There are also archives, which are different from backups. In each of these backups and archives sits personal data.
If a person wishes to be forgotten, how does a company ensure that all of their data is removed from those backups and archives? And if there is an architectural change needed in the application, how is the archived and backed up data updated? The reality is that GDPR presents a significant challenge to backups and archives that is not easily solved.
GONE IS GONE
Some may argue that elimination of data from primary systems is enough to meet the GDPR standards and the request of the individual. However, if you think about it from the individual’s standpoint, when they request to be forgotten, are they making a broad request? Or are they asking just for the primary systems? My guess is that they are not distinguishing between the systems within the company where their data may reside.
Ultimately, these guidelines are new and yet to be tested in court. Once there is case law in place, that will start to provide guidance to enterprises on what is considered in and out. In the meantime, it would be wise to consider how to provide the appropriate level of governance across data regardless of where it resides rather than wait for the lawsuit to come.
LOOKING BEYOND CORPORATE DATA
Beyond enterprise use of data, the right to be forgotten brings up questions about the deletion of personal data in other contexts. How far will this go? It is one thing to consider data about someone in a corporate context. But what about other types of data? What about genealogy data that shows a person’s lineage? Or what about data the church keeps on people? Do birth, death, marriage, and other public records count? Eventually, one comes into the realm of ethical considerations of data. What can and can’t versus what should and shouldn’t? There are a lot of questions about how far this could go and potentially the risks that ‘forgetting data’ brings. It seems we are still a long way away from deciding what to do here.