So here it is, finally as a data subject I have the right to not only deactivate my account but also ask for my data to be deleted/removed from their systems.
What is really happening?
No one will be deleting any data for various reasons but mostly for the purpose of data integrity, statistics and superseding regulations. Say what? Let’s say, I’m purchasing a service online. The payment part is considered financial data which here in Malta for VAT purposes will need to be kept for 6 to 9 years, which law would supersedes GDPR. Same happens with records of employment, health etc….
Does the mean that the right to be forgotten is bogus? No not really. Suppliers tend to store more personal data than what is strictly required for. This data would need to be deleted or obfuscated. Obfus… what?? Basically the data would need to be overwritten with garbage data. This is useful when companies would need to keep a subset of data due to superseding legislation, for statistics or due to audits and the data that is unnecessary and can be removed lies within the same record of the data that they do not need to keep. Deleting the record would mean loosing data integrity which can cause a lot of systems to malfunction, especially if there are dependencies, whilst replacing the unnecessary data with garbage would not and satisfies both the regulation and the data subject.
That was a lot of technical speak so let’s have a small example to simplify this. Your Personal data is stored in a database and a database is made up of different tables. Tables are made up of records. To use an analogy imagine an excel spreadsheet – that is your database, the different sheets are the tables and the rows are the records. Not at times one of the columns in one sheet is linked to a column in another sheet. That is called a dependency. Deleting either one of the dependent columns will cause. The exact same logic applies for databases.
Imagine the below scenario, where Jane Doe requests the right to be forgotten. For the purpose of financial compliance and audits I can neither delete the transactions, name and Surname. As a data processor and controller I would be well within my rights under GDPR to keep that data as I have grounds for that. The Gender however is another story.
Deleting the whole Jane Doe record from Table 1, is a no go as otherwise I wouldn’t be able to prove who made the transactions in Table 2 during an audit. However I can replace that with garbage.
As a data subject, one should keep in mind that when requesting your right to be forgotten, and a company claims that they actioned it, it might not be as clear cut as one might think.
As a company, data controller or data processor, one would need to think very carefully about what data is really required and what dependencies exist which could negatively affect the service or the system.
In my last post, I also mentioned that as a company, data controller or data processor, it would also be wise to carry out the obfuscation exercise as part of the user deactivation procedure. The law basically states that as a data controller you should not keep any more personal data than is strictly necessary for the fulfilment of the service. Given that a user would have deactivated their account, as a controller keeping the ‘gender’ in the above example could still technically be considered a breach.
Pro Tip
Anything claiming to use blockchain – ah well now there is a controversy! Let’s discuss this in another post shall we. Safe to say that if you want to abide by GDPR do not opt for block chain as a technology for anything that requires storing of personal data and as a user do not make use of or subscribe to services that do use this technology if you intend to claim your right to be forgotten.
Question
I’m writing this blog and I know that most of you would assume I have all the answers but I’m just a business systems analyst who’s good at translating legal into technical and functional requirements, so like you I also have some questions. Here is my first one.
Assuming a data subject asks for their right to be forgotten. As a business I obfuscate, delete and anonymize what I can from my production systems. However what happens with any backups or archives, which have been partitioned, compressed, encrypted and stored in low cost storage as data pumps? Do I need to re-open those and carry out the same procedures there?
If someone does have an answer, please leave it in the comments.
If you want to be notified when new posts come out, drop us a note via the contact us section of the website and we’ll add you to our mailing list.
4 responses to “GDPR & ePrivacy titbits series: Right to be forgotten”
To answer your question. GDPR expects you do what is reasonably possible. It is NOT possible to recall every backup tape, read it, delete a record and then rewrite it back to tape. However, you could maintain a ‘suppression’ list, i.e. if I restore a backup, this list must be ‘deleted’ before I can use the data. That seems to be the common thinking on backups.
Of course, make sure they are encrypted. 😉
Jonathan Small
Senior Risk Consultant
WHY Consultants
Thank you Jon for your reply. I’m sure this will be useful information for a number of readers. Thanks once again.
Very gooɗ information. Lucky me I found your webѕitе by acciԀent (stumbleupon).
I’ve ѕaved it for later!
Thank you. Glad you found it useful.