However you feel about Google and other companies that use your data, the fact is, in the U.S. you don't own your data. Surprised by this?
Well, truthfully, your data is owned by a data collector, like Google or Facebook. In Europe, on the other hand, data that is about you belongs to you and not to the company that collected it, according to the privacy legislation called the General Data Protection Regulation, or GDPR. This regulation has been ratified
Unfortunately, the business community in the U.S. feels a tremendous amount of uncertainty about the GDPR. The two main reasons for this are the stiff penalties for violating the GDPR and the fact that the rules are still being written, leaving businesses facing the unknown when it comes to ownership of an individual's EU-based data.
However, there is also one relatively new law called "Right to be Forgotten" that states that data is owned by individuals and not the data collector. Recently, this law has been solidified as a human right, according to the European Court of Justice. Therefore, an individual who wants to be forgotten can simply use this law to force companies, like Google, to comply.
- Where is all of Ms. Smith's data? How is her data being used?
- After locating the data, if that is possible, how easy is it to delete it?
- Upon deletion, is it really all gone?
- What about transactional history? What happens to that data?
- How does Company Z prove they have forgotten Ms. Smith?
Where is Ms. Smith's Data and How is it being Used?
To start with, the first question should lead you to the data technology that tracks this information, known as a Master Data Management (MDM) system. If your MDM system is fairly modern, chances are it will be easy to find and delete historical data related to Ms. Smith. However, new systems, like SQL databases, operate like a "Time Machine,
Can My Company Delete all of Ms. Smith’s Data?
We've been talking about locating and deleting Ms. Smith's data, but the Right to be Forgotten law is not clear on whether you need to delete the data or simply mask it. No matter what route your company chooses for compliance, the question remains: "What about the transaction data?" This part of the data should not be deleted or masked, because a company must keep accurate revenue records for accounting and tax purposes. Without this transaction data, a company could be accused of fraud. Instead, by marking transactional data with indicia, a modern MDM system can recognize it and delete only the parts of Ms. Smith's data that have nothing to do with transactions. This way, your company remains in compliance with the Right to be Forgotten law while protecting itself from accusations of fraud, whether they are founded or not.
How to Prove that Ms. Smith has been Forgotten
If Ms. Smith asks for proof that her data has been forgotten, there is a simple solution to this. After the data has been deleted or masked, a one-way hash of that data is computed and stored. To check, compute the one-way hash of Ms. Smith's name and compare it against what was stored; if a match is found, your company can be assured that her data has been forgotten and that you remain in compliance with the Right to be Forgotten legislation.
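The two mechanisms above (keeping transactional records while masking the personal fields, and keeping a one-way hash as a tombstone so the erasure can later be proven) are shown together in this added example. It is not code from the original post or from any MDM product; the records, the key and the field names are constructed for illustration. One caveat the example builds in: a plain hash of a person's name is easy to guess back, since names are low-entropy, so the tombstone uses a keyed hash (HMAC) whose key is held apart from the records.

```python
import hashlib
import hmac

# Constructed secret for the demo; in practice the key lives in a KMS/HSM,
# separate from the record store, so a tombstone cannot be linked to a person
# by anyone who only has the database.
TOMBSTONE_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample records; "kind" is the indicia that marks transactions.
RECORDS = [
    {"id": 1, "name": "Jane Smith", "email": "jane@example.com", "kind": "profile"},
    {"id": 2, "name": "Jane Smith", "email": "jane@example.com", "kind": "marketing"},
    {"id": 3, "name": "Jane Smith", "email": "jane@example.com", "kind": "transaction", "amount": 42.50},
    {"id": 4, "name": "Bob Lee", "email": "bob@example.com", "kind": "transaction", "amount": 9.99},
]
PII_FIELDS = ("name", "email")


def subject_token(name: str) -> str:
    """Keyed one-way hash of the normalized name (case and whitespace folded)."""
    norm = " ".join(name.casefold().split())
    return hmac.new(TOMBSTONE_KEY, norm.encode("utf-8"), hashlib.sha256).hexdigest()


def forget(records, name, tombstones):
    """Return a new record list with `name` erased: non-transactional records are
    dropped, transactional ones keep their financial fields but have PII replaced
    by the token, and a tombstone is logged for later proof."""
    token = subject_token(name)
    kept = []
    for rec in records:
        if "name" not in rec or subject_token(rec["name"]) != token:
            kept.append(rec)                      # belongs to someone else (or already masked)
        elif rec["kind"] == "transaction":
            masked = {k: v for k, v in rec.items() if k not in PII_FIELDS}
            masked["subject"] = token             # pseudonymous link for the books
            kept.append(masked)
        # any other record of this subject is simply not carried over
    tombstones.add(token)
    return kept


def prove_forgotten(records, name, tombstones):
    """True only if a tombstone exists for `name` AND no plaintext record remains."""
    token = subject_token(name)
    if token not in tombstones:
        return False
    return not any("name" in rec and subject_token(rec["name"]) == token for rec in records)
```

`prove_forgotten` deliberately checks both halves: a tombstone alone would also be present if the deletion job had failed part-way.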
What companies need to take into consideration is that the government will strictly enforce the Right to be Forgotten legislation. As a U.S.-based company holding EU data, it is paramount that you separate the EU data and put proper protocols in place to make sure you don't receive any fines. For this reason, consider implementing some of the new MDM technology on the market today. This modern approach to data discovery and data deletion is important for managing the GDPR and staying in compliance with the Right to be Forgotten legislation.
Become Educated and Staffed
Sensitive data and how it is handled is now on the minds of most Americans and EU nationals, and of companies, more than ever before. As technology advances to store vast amounts of data on just one individual, there is always the possibility of a breach. While it is important for companies and other organizations to protect this data from would-be data thieves, it is also of extreme importance to comply with EU laws about how this data is stored, used, and deleted when an individual makes a request under the Right to be Forgotten law. The best way to protect your company is to adopt the measures necessary to comply with these requests in a timely manner and to prove that the request has indeed been carried through. If you're not familiar with the GDPR or the Right to be Forgotten law, now is the time to fully understand what these laws are about and how to comply with them in order to avoid hefty fines.
If you're ready to take on a team that helps with compliance issues like this and other updated laws, contact ICS. We have plenty of skilled candidates ready to take on any problem that comes your way. Click below to start your search for talent!