Data Security
Managing GDPR – Article 17 “Right to Erasure”
Imagine for a second, you’re sitting at your work desk in late May 2018. Suddenly, you receive an email notification as a new email is delivered to your inbox. This email contains a request, invoking Article 17 of the recent newly enacted EU GDPR legislation, “The Right to Erasure”. Or in plain English, the right to be forgotten. What does this mean for your business? Well, it means that the person sending the email is requesting that you erase every instance of their personal information you have stored within your organisation, right down to the last digit.
Do you have to comply with this request? The answer is a resounding YES. In addition, this request must be completed without delay and at zero cost to the requestor. This element of the GDPR legislation requires companies to erase all personally identifiable information (PII)that is stored in files, databases, any workstations they may have used (if the requester was a former employee), cloud storage, copied or archived files. Everything! There’s more. As an organisation, you have to be able to prove that you have deleted all such files and if you have ever shared their details with a third party, it’s your responsibility to contact them to instruct them of the erasure request.
The next question that arises from Article 17 is, “Who is responsible for the Right to Erasure requests?” Does this automatically fit into the remit of the IT department? Our experience with customers dealing with the day-to-day process of preparing for GDPR is that it’s more of an organisation-wide approach. GDPR will put a greater burden on organisations to be able to handle these requests, from a process and people management aspect, right through to the IT departments capability to handle and comply with the request.
There is a wider cost indication for a business that is looking to comply with GDPR and be able to state they have taken the necessary steps to do so. Article 17 restricts the use of people’s data to be used only for its original purpose on time of collection. If you as an organisation want to use it for something else then you’re going to have to get the user’s clear consent and approval to do so.
You need to comply with GDPR
The EU GDPR has a global remit. There is no credence to where exactly the data is stored or where in the world your company is located. If the “data subject” is residing in the EU and they request the right for their information to be erased, then the rules apply to you. Every instance of that data subject’s data has to be erased “without undue delay”. The majority of businesses right now do not have the capability to find all these instances across their entire environment. As we have mentioned previously, there are hefty fines for non-compliance and what that could mean for your business.
With the hefty fines in place and a hard deadline of the 25 th of May for the GDRP coming into law, IT departments and boards are quickly adopting a strategy to comply before the GDPR deadline is reached.
Prepare for GDPR now!
Businesses are very prudent in determining risk and limiting the risk to their business is paramount. However, how many organisations at this moment in time, would be able to act on a right to erasure request effectively? Could you effectively scan your entire environment and find every instance of a person’s sensitive data? If that information is sitting in a database or on a workstation could you find it? And in what timeframe?
Personal information is stored in marketing and sales departments in CRM systems which have their own databases attached to them, in multiple files formats. Personal information also finds its way into word documents, spreadsheets and other files. Can you imagine for a moment, trying to manually trawl through every file, looking for a marker that represents a particular person? It could take weeks that you haven’t got! Having the ability to scan all of these files formats and deliver the discovered results will give your business the edge when it comes to compliance with GDPR and save the job of the head of IT.
Companies are choosing to hold onto data forever, instead of deleting it. Choosing to store the data may seem like a great idea, but with Article 17 coming into force you will now need the ability to scan very specific sections of that data and delete information on request. You need to be ready, as there is no room for error.
Your next steps for compliance
Ground Labs’ flagship product, Enterprise Recon, allows you to scan your entire environment for sensitive data. With over 200 PII data types already preconfigured out of the box and a custom search facility built into the tool, your ability to handle organisation- wide requests, such as the “Right to Erasure”, becomes a lot easier. From the dashboard, you will have the ability to see precisely across your environment where your sensitive data is being stored, forensically down to which file its stored in. The option to remediate it or show the user where that sensitive data lies can then be achieved. Of the multiple remediation functions, the tool has, the delete function or “nuke it” function is the most powerful in this case. You can clearly show the user that all stored instances of their data across the network has now been permanently deleted and cannot be retrieved. Once “nuked”, its gone for good!
Need help understanding where your unstructured and structured data is and worried how you will handle a “right to erasure request”? Then contact one of our trained GDPR experts who can help you with a free risk assessment. To book a demo please visit www.groundlabs.com/risk-assessment