May 2, 2017

Right to be forgotten – what's all the fuss about?

Markus Melin

Head of Tieto Security Services, Tieto

The upcoming EU Data Protection Regulation, GDPR, includes the end customer's right to be forgotten.

Basically it strengthens your clients’ right to have their information removed from your systems and databases when they no longer want it to be used, stored or processed. It is a clear manifestation of citizens’ power over their digital footprint.

Somebody might ask what all the fuss is about deleting personal information from data systems. What makes it so hard to execute such requests?

Here are four aspects that help shed some light on the scope of the reform.

1. Multitude of data systems and networks

Today, companies and organisations have a huge amount of data systems. For example, we at Tieto have about 200 different data systems – or business applications if you will – being used daily to keep the company running.

How do these data systems interact and handle personal information? It can be something like this: personal data comes to the network from system A. It is automatically transmitted to systems B, C and D. Also, the information is manually copied to systems E and F. System C rearranges the information and automatically copies that to systems G and H.

If a full Identity and Access Management (IAM) system is not implemented throughout the organisation, this can be extremely tricky, not to mention deleting that information or letting the customer know what data the company has on her or him.

2. Rogue platforms and devices

Welcome to the BYOD culture of 2017.

It is not uncommon for personnel to take advantage of easy-to-use end-user applications if the official tools and applications are found difficult or clumsy to use.

Such rogue platforms might be in use without the supervisor's knowledge, and certainly without the risk management team's knowledge. If that happens, you don't have a full picture of where personal data is handled.

As GDPR also includes the responsibility to document all internal processes that are part of managing any personal data, every organisation needs to do a thorough analysis of its IT infrastructure after understanding the processes.

3. Backups and log files

Backup processes and log files can also cause difficulties. It is possible that already deleted personal information pops up again from a backup. And depending on how the removal of personal data is interpreted, it should also be taken out of backups and log files. This is – if not totally impossible – hugely expensive for companies.

So backup and logging processes need to be analysed, personal data stores identified and protected accordingly.

4. Legislative obligations

It's important to note that even though your clients’ rights over their digital information are enforced big time, it doesn't mean they have full mandate over their personal accounts.

There are several requirements for storing personal data that derive from the law. These legal obligations will remain and might demand that at least part of the personal data be kept intact. For example, the bookkeeping law requires you to store transactional data for a certain period in-between credit card purchases to make sure you are not forgotten until the transaction is closed, goods are delivered and so on. And one can try and see what happens when asking, for example, the state tax authority to “forget” them.

In short, this is the context to which every organisation doing business with EU citizens has to adapt. For sure, it will require a lot of work from many organisations, but remember that the cloud has a silver lining: GDPR is a big opportunity to improve your customer experience.

Want to hear more on how the GDPR can help you build trust with your customers? Please join me and Timo Ahomäki in a webinar in Finnish on the 11th of May. Swedish and Norwegian webinars will be held on the 23rd and 24th of May.
