By Matt Kelly
Now that the European Union’s General Data Protection Regulation is nearly here, it’s time for ethics and compliance officers to panic more efficiently about all the challenges that lie ahead.
One good place to start: how to fulfill the GDPR’s right to be forgotten.
Conceptually, that right is easy to understand — which is what makes it such a formidable compliance challenge. EU citizens will assume they can first exercise their right of access under the GDPR, to see all the personally identifiable information (PII) your company has collected about them.
Then they should be able to hit the delete key and the PII vanishes, right? How hard can that be?
Of course, in reality the right to be forgotten is a Jenga puzzle of policy management headaches, IT capabilities, exception clauses, and customer service demands. Configure any one of those concerns the wrong way, and the whole contraption can come crashing down.
The Customer May Not Always Be Right
Organizations have two fundamental challenges with the right to be forgotten. First, you need to provide some way for consumers to request that their data be destroyed.
That process should be designed for simplicity, because the GDPR also stipulates that EU citizens can submit their requests verbally. Yes, you’ll also need a policy, procedure and training so employees know how to field those verbal requests, but let’s not kid ourselves — the main goal should be to design some self-service vehicle for consumers, so they can view their PII and delete it themselves.
That, however, brings us to the second fundamental challenge. Your organization will also need to know when it can’t delete consumer data, regardless of what the consumer might want.
The GDPR has numerous exceptions to the right to be forgotten. For example, you cannot delete data that might be necessary to fulfill regulatory compliance obligations. You can also deny a request if the data is necessary to establish or defend legal claims.
Now, litigation holds and regulatory record-keeping obligations are nothing new to compliance officers. But balancing litigation holds on one side and consumers wanting to delete their PII immediately on the other — that is new.
At a practical level, that tension means this: the self-service deletion tool that most easily alleviates your right-to-be-forgotten workload also raises the stakes of getting your e-discovery and litigation hold processes right, because a deletion request must be checked against those holds before it is honored.
Yes, your organization can take some time to confirm that a consumer’s data can be forgotten, but the GDPR also specifies that a request must be answered “without undue delay.” Consumers tend to interpret that phrase as “right now.”
That’s going to require delicate work developing new policies and procedures for identifying data that can be deleted, long before a consumer actually asks for deletion.