3 Ways to Manage GDPR Erasure Requests

In May of 2018, the European Union’s General Data Protection Regulation (GDPR) went into full force and remains the most comprehensive and influential data privacy regulation globally.  Although it has been several years since the GDPR was enacted, businesses large and small, still struggle with compliance with Article 17 of the GDPR, which is the “Right to Be Forgotten.” The Right to be Forgotten, or the Right to Erasure, is an individuals’ Right to request specific data about themselves be erased or deleted by organizations.  The IAPP-EY Annual Governance Report in 2019 stated that businesses find complying with Erasure Requests the most difficult of all the GDPR requirements to manage.  This article will explore critical ways that companies can conquer issues with the Right to be Forgotten by knowing what types of personal data you may have, developing a process to identify personal data, and finding the best ways to delete personal data.

1. Know what personal data you have about data subjects and what data can be “forgotten” under the GDPR

The GDPR is a massive piece of legislation. Still, companies can narrow their focus on analyzing the data they most likely collect and store about individuals that may need to be “forgotten” at some point. Besides understanding the data that a company keeps on individuals, it is vital to ensure that the data collected aligns with its stated legal basis for use and transparency for individuals about these uses. The first step is to know what types of information you collect about individuals.

Once a company has a “big picture” of the data they retain about individuals, it is critical to determine what data, if requested, can or cannot be deleted according to Article 17 of the GDPR. For example, the GDPR has exceptions to the Right to be Forgotten, like the Right to Freedom of Expression, data used to comply with EU legal obligations or claims, public health matters, and data archived for the public interest, scientific or historical research, or statistical purposes. Knowing what can or cannot be forgotten may be a good starting point for determining the scope of data you may need to forget.

Aparavi gives you a high level overview of the amount of personally identifiable information (PII) or sensitive data your company collects that is subject to the GDPR or other European data privacy laws, and where that information is located across your entire organization, from one easy-to-use dashboard.

2. Develop a process to locate personal data

Once companies have developed a high-level idea about the types of data they may have to forget, it is critical to find actionable ways to locate and manage the data, however, this is easier said than done. A recent study says that 56% of organizations named “locating unstructured personal data” as the most challenging issue in responding to data access requests (including access, deletion, and rectification requests). Finding the best ways to locate this data often takes planning and technology to do the heavy lifting. Starting with a process to target areas that likely have the most personally identifiable information that individuals may request is a great start. As companies conquer these data locations, they can use their process to explore other areas containing information that may need to be forgotten.

The Aparavi Platform also functions as a search engine for all of your enterprise’s unstructured data, enabling you to quickly search for a particular piece of PII, with customizable confidence levels, and promptly respond to an Erasure Request or other data access request. In addition, you can build complex queries easily, no coding or IT background needed.

3. Develop a process to “forget” data

How do you “forget” the data once you locate it? Once the company has a data access request and can confirm they have data eligible for deletion, companies can manage how and when this deletion occurs. Data deletion is also a considerable challenge depending on how much of an individual’s data must be erased and how to create ways to automate some of the deletion processes using technology. Companies should also look toward developing a strategy to delete data on a schedule to avoid the business disruption of doing data deletion on an ad hoc basis. It is important to still keep a log of the requests for deletion and the action taken, whether you complied or you have an alternate basis for keeping the data, as in step 1 above, so you can demonstrate GDPR compliance.

The Aparavi Platform allows you to take action on your data, whether to delete or archive the information to a more secure location. In addition, Aparavi automates your data governance policies to enable you to take bulk action on your data, in accordance with your company’s deletion schedule.

Although the Right to be Forgotten is a concept in the GDPR, we continue to see other countries implementing these deletion rights into data privacy legislation, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Companies that develop processes and procedures around the Right to be Forgotten will be better positioned to respond to these requests as they continue become part of future data privacy laws.