How good data governance enables compliance with the GDPR right of erasure

by Kate Tickner on 21st June 2018

One of the new provisions of GDPR is the right of erasure, also known as the right to be forgotten. Individuals can now request that you delete their personal data from your systems. You have one month to respond to this request. Someone wants their data deleted so you delete it. Simple, right? Actually, not so simple.

In research conducted by Symantec 81% of businesses believed that customers would start exercising this right, and 90% said that complying with such requests would be a challenge for their organisation. 60% of businesses did not have a process in place for managing these requests. According to GDPR Preparation and Challenges Survey Report from Cloud Security Alliance (CSA), published earlier this year, 53% of respondents cited complying with regulations regarding the right to erasure as their biggest GDPR challenge.

The reality is that deleting customer data is a massive headache for many organisations. The reason why can be summed up in three words: poor data governance. The right to be forgotten throws up some tricky issues of data management, of the kind that we regularly encounter in client engagements.

Do you have an accurate picture of all the places where you’re holding personal data?

In most organisations individuals’ personal data will be scattered across many different systems and held in multiple locations. Indeed, a common problem for organisations who have not yet crossed the data delta is that they simply don’t know where all the instances of an individual’s data might be within their organisation’s systems. How can you delete an individual’s data from your systems if you don’t know which systems that data might be in?

Without knowing how you’re currently handling personal data it will be impossible to enable the enforcement of requests for deletion (or indeed subject access requests, another right strengthened by the GDPR). Thus, it’s critical that you have accurately mapped your business processes and know where personal data is stored in your systems. However, the right of erasure isn’t absolute, which brings up a second challenge…

Can you accurately distinguish between the different types of data that you hold and identify the reasons for holding each piece of data?

There are circumstances in which it isn’t appropriate to delete customer data so you need to be able to distinguish between different types of data and understand the reasons why you’re holding each type.  In summary, the GDPR allows for exceptions to the right of erasure when you need to keep the data for one of the following purposes: –

 

A typical customer for a bank might have several different accounts – a current account, a savings account, a loan account – and all the data associated with those accounts. The organisation will also hold marketing data on each individual as well as online behavioural data, perhaps including records of calls to the contact centre, uses of the bank’s app, survey research data, third party credit checks, salary details and records of visits to the branch in person. Banks will also often hold some derived data such as customer churn model scores, next best offers or fraud detection scoring.

Some of this data can clearly be deleted without delay – marketing data and online behaviour data, for example – whilst other data needs to be retained for a certain period or perhaps cannot ever be deleted in order to comply with accounting, anti money laundering, taxation and other banking laws.

Have you got an effective strategy for handling data that’s held in backups?

The right of erasure places an obligation on the data controller to erase the data without delay, taking into account the available technology and the cost of implementation. With that in mind you need to consider the extent to which it is practical to erase an individual’s data from your backup systems.

It may not be possible (or practical) to isolate one particular individual’s data within an archive, but you still need to have systems in place to ensure that either the individual’s data cannot then be restored back into the organisation’s production system, or that if this does happen then the original request is honoured and the data erased once more. You’ll also need a policy which determines how long backups will be kept for. A key principle of GDPR is that data shouldn’t be kept for longer than necessary so retention rules should be in place which govern how long backup and archive data is kept before being automatically deleted.

Another core GDPR principle is security by design and default. Backups need to be protected by strong encryption so that there’s no possibility that criminals could access the data contained within them even in the event that they are compromised. You’ll also need to keep audit logs that record all activity on backups and archives. This best practice goes towards being able to prove that you have acted in good faith, in the event that a breach occurs or a complaint is made.

Complying with the right of erasure requires an effective master data management strategy

As should be clear by now, the right to be forgotten is, at heart, a master data management challenge. An effective master data management strategy enables you to join up all the information you hold that relates to the same thing – in this case an individual customer – from across your organisation. It gives you a single view of customers’ interactions and transactions even when their details are scattered across multiple silos. Effective MDM also means that for every piece of data you hold, you have a record of the source from which it was collected and the purpose for which you’re holding it. To do this properly requires a complete end-to-end view of all the organisation’s data processing systems, which in turn requires an effective master data management strategy.

At Entity we’ve helped many clients implement effective master data management strategies – why not talk to us about how we can help you to do the same?