The General Data Protection Regulation (GDPR) addresses data protection (privacy by design) as a legal obligation for data controllers and processors. It makes explicit reference to pseudonymisation, anonymisation and data minimisation of all personal data, by default.
Does that mean we need to revise old code? Should an extra layer of code be implemented to manipulate or redact sensitive data, or will simply adding some sort of pop-up, like the cookie notice, do the trick?
There is a bit more to it, I'm afraid. The whole idea behind the GDPR is to take responsibility and ownership of sensitive data. A customer can, at any given time, ask what information you, as a business, have stored about him. The customer can also request to have his data changed or completely removed. And the organisation has to be able to prove it has carried out the request.
Probably one of the most talked-about aspects of the GDPR is the 'right to erasure', also known as the 'right to be forgotten'. Article 17 of the GDPR states:
Data subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:
- The controller doesn’t need the data anymore.
- The subject withdraws consent for the processing which he previously agreed to.
- The subject uses his right to object to the data processing.
- The controller or its processor is processing the data unlawfully.
- There is a legal requirement for the data to be erased.
- The data subject was a child at the time of collection.
If a controller has made the data public, it is obliged to take reasonable steps to get other processors to erase the data. When a website publishes an untrue story about an individual, for example, and is later ordered to erase it, it must also request that other websites erase their copies of the story. At the same time, there are some exceptions to Article 17, for example when the data is part of scientific or historical research archives, when there is a legal ground to keep the data (for example in the financial sector), or when the data supports legal claims.
To protect their data, businesses maintain backups. That can lead to tricky situations. Imagine a customer requests to have his data removed completely and the company complies with that request. But later on, the company restores a backup following a hiccup in its IT operations, and the personal data reappears. Then what?
First of all, the organisation needs to understand where all the personal data resides. Following that, an assessment must be made of which data can, should, cannot, or is infeasible to be erased. This is where the exceptions may apply, such as legal requirements for data retention. Following the customer's request, the controller should remove the personal data from the live online systems. The personal data should be kept in an offline archive, thus protecting it in a locked-down state that meets the retention requirements as well as the subject's wish to be forgotten.