Right to be Forgotten (RTBF) derives from a well-known court case against Google in which a Spanish citizen requested that his PII be removed from Google search results. The EU then formally encoded the Right to be Forgotten in the General Data Protection Regulation (GDPR). On the first day of compliance in Spain in 2014, Google received 12,000 requests to remove PII from search results.
Right to be Forgotten is the most onerous request to comply with under GDPR and CCPA because it requires bringing together three key elements:
Data Awareness - Know where all the PII pertaining to this individual resides.
Data Analysis - Decide which data you are obligated to remove and which data should be retained despite an RTBF request.
Data Administration - Physically remove the identified data from your systems and audit your actions.
In this blog we lay out the rights of consumers under RTBF, the obligations of the enterprise, where enterprises are not obligated to delete data, and steps enterprises go through to execute RTBF.
Conditions that trigger RTBF
Under GDPR’s clause for RTBF, an enterprise needs to delete PII in the following scenarios:
The user has requested that the data be removed, and the request is legitimate
The data is no longer required for processing
When the user has withdrawn consent to process data
What are the rights of the consumers?
Consumers have the right to ask enterprises to delete their data, provided the request meets the criteria. Under GDPR and CCPA, a customer has the right to a response to a right to be forgotten request within 30 days, or under certain conditions 90 days. Within this period, the enterprise needs to delete the user's data from its systems and also contact third-party recipients to remove that data. If an enterprise does not delete the data, it has to inform the user of the reason it is not doing so.
What are the obligations of the enterprise?
Enterprises have many obligations under RTBF under both GDPR and CCPA. They are supposed to:
Identify all PII data for that individual they are obligated to delete
Delete PII from their systems
Contact third-party recipients of the data to get the data deleted.
Delete PII from live storage as well as backup systems.
Respond to and notify the consumer if a data deletion request is not legitimate.
Enterprises can refuse a request, or ask for a fee, if they consider a request for erasure unreasonable or one that requires considerable effort.
Exceptions to RTBF requests
Though RTBF imposes many obligations on an enterprise, there are several conditions under which an enterprise is exempted from acting on an RTBF request. Regardless, the enterprise must inform the user why no action was taken on such a request. Here are some of the most common exceptions:
To exercise the right of freedom of expression and information
To comply with a legal obligation
For the performance of a task carried out in the public interest or in the exercise of official authority
For archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing
For the establishment, exercise or defense of legal claims.
What must an enterprise do to fulfill an RTBF request?
Carrying out the obligatory steps under RTBF is somewhat complicated even within a medium-sized enterprise. Enterprise data is continuously evolving and expanding, with data residing in applications, environments, documents, emails, chat rooms, in-house storage, and in the cloud. Given this situation, the first and most critical step is Data Awareness, i.e. identifying, classifying and contextualizing the PII. Ideally, this should be done before a subject submits a request for erasure. Here are the key steps an enterprise must take to fulfill an RTBF request.
An enterprise needs to know what type of PII they have on the user (SSN, name, email etc.)
Know which systems contain this type of data and add those systems to your PII search space.
Identify where the user’s PII is across these systems or data sources.
Truly understand data movement within and outside the organization; i.e. has this PII been copied or shared with other systems within and outside the organization.
Broaden the search path to scanned documents, voice recordings from IVR, data from customer support systems, chatbots, etc.
Determine the context of the PII being examined and whether RTBF applies to it. Note: there are certain types of PII that enterprises are not obligated to erase, such as PII required to comply with a legal or financial obligation.
Based on the above, identify the PII they are legally required to erase, i.e. apply any exception conditions that might apply under RTBF.
Using the above information and knowledge of data movement across enterprise systems, identify all systems that contain PII that the enterprise is obligated to erase.
Identify who can access and process this data within the enterprise and outside it.
Physically remove the data from enterprise and third-party systems.
Put an auditing mechanism in place to show regulators that these deletion requests were processed in a timely manner.
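The steps above, carried through as a single runnable workflow. This is an added illustration, not code from the original post or from any product: the data sources, field names, purpose labels, retention rules and the subject identifier are constructed assumptions. It registers the records found for one subject across live, backup and third-party sources, applies the exception conditions (exempt purposes and unexpired statutory retention), erases what remains from in-house stores, queues notices to third-party recipients, and writes an audit trail that records a hash of each record rather than the PII itself, so the audit log does not become a new copy of the data it documents erasing.

```python
"""Illustrative Right-to-be-Forgotten (RTBF) erasure workflow for one subject:
find the subject's PII across registered sources (data awareness), apply the
exception conditions (data analysis), erase or queue third-party notices, and
keep a PII-free audit trail (data administration). Added example: source
names, field names, purposes and retention rules are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import json

# Purposes matching the RTBF exceptions; assumption: discovery has already
# classified each record's purpose.
EXEMPT_PURPOSES = {"legal_obligation", "legal_claims",
                   "public_interest_archive", "freedom_of_expression"}

@dataclass
class Record:
    source: str                      # system holding the data, e.g. "crm"
    record_id: str
    subject_id: str
    fields: dict                     # the PII itself
    purpose: str                     # why the enterprise holds it
    retention_until: Optional[datetime] = None  # statutory retention deadline
    third_party: bool = False        # held by an external recipient

@dataclass
class Outcome:
    erased: list = field(default_factory=list)
    retained: dict = field(default_factory=dict)        # record key -> reason
    third_party_notices: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

def _key(r: Record) -> str:
    return f"{r.source}:{r.record_id}"

def _fingerprint(r: Record) -> str:
    """Hash of the record so the audit log can prove what was erased without
    re-storing the PII it just removed."""
    return hashlib.sha256(json.dumps(r.fields, sort_keys=True).encode()).hexdigest()[:16]

def exception_reason(r: Record, now: datetime) -> Optional[str]:
    """Why a record must be retained, or None if the erasure obligation applies."""
    if r.purpose in EXEMPT_PURPOSES:
        return f"exempt purpose: {r.purpose}"
    if r.retention_until is not None and r.retention_until > now:
        return f"retention obligation until {r.retention_until.date()}"
    return None

def process_rtbf_request(subject_id: str, inventory: list, store: dict,
                         now: datetime) -> Outcome:
    """Erase every in-house record of `subject_id` that no exception covers,
    queue notices for third-party holders, and log each decision."""
    out = Outcome()
    for r in (x for x in inventory if x.subject_id == subject_id):
        fingerprint = _fingerprint(r)
        reason = exception_reason(r, now)
        if reason is not None:
            out.retained[_key(r)] = reason
            action = "retained"
        elif r.third_party:
            out.third_party_notices.append(
                {"recipient": r.source, "record_id": r.record_id})
            action = "notify_third_party"
        else:
            store[r.source].pop(r.record_id, None)   # physical removal, live or backup
            out.erased.append(_key(r))
            action = "erased"
        out.audit_log.append({"ts": now.isoformat(), "subject": subject_id,
                              "record": _key(r), "fingerprint": fingerprint,
                              "action": action, "reason": reason})
    return out

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed request time

def build_sample():
    """Constructed inventory for subject 'u-42' plus one unrelated subject."""
    ana = {"name": "Ana Example", "email": "ana@example.com"}
    inventory = [
        Record("crm", "c-1", "u-42", ana, "marketing"),
        Record("backup-2024Q1", "c-1", "u-42", ana, "marketing"),   # backup copy
        Record("billing", "inv-7", "u-42", {**ana, "iban": "XX00CONSTRUCTED"},
               "financial_record", retention_until=NOW + timedelta(days=2000)),
        Record("legal", "case-3", "u-42", ana, "legal_claims"),
        Record("support", "t-5", "u-42", ana, "customer_support",
               retention_until=NOW - timedelta(days=30)),            # retention lapsed
        Record("mailing-vendor", "mv-9", "u-42", ana, "marketing", third_party=True),
        Record("crm", "c-2", "u-99", {"name": "Bo Example"}, "marketing"),
    ]
    store = {}   # source -> record_id -> fields, standing in for the real systems
    for r in inventory:
        if not r.third_party:
            store.setdefault(r.source, {})[r.record_id] = dict(r.fields)
    return inventory, store

def demo():
    inventory, store = build_sample()
    return process_rtbf_request("u-42", inventory, store, NOW), store

if __name__ == "__main__":
    outcome, remaining = demo()
    print(json.dumps({"erased": outcome.erased, "retained": outcome.retained,
                      "notices": outcome.third_party_notices}, indent=2))
```

Running the sample erases the CRM record, its backup copy and the support ticket whose retention period has lapsed, retains the invoice (unexpired financial retention) and the legal case (exempt purpose) with a stated reason for each, queues one notice to the mailing vendor, and leaves the unrelated subject's CRM record untouched. Each audit entry carries a timestamp, the record key, the action and the reason, which is the evidence a regulator asks for when checking that requests were handled within the 30-day window.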
Enterprises have many responsibilities under Right to be Forgotten because RTBF goes much further than other GDPR and CCPA mandates such as Right to Know, Right to Opt-Out and Right to Portability. A systematic approach built on Data Awareness, Data Analysis and Data Administration makes RTBF requests easier and less expensive to fulfill.