GDPR: Is The Right To Be Forgotten Just A Horror Story About Zombie Data?

By Nigel Tozer

As someone who’s personally been on a lengthy General Data Protection Regulation (GDPR) journey, as both part of the GDPR team working on our own compliance and as a public speaker on GDPR, one topic seems to generate more fear than others: it’s the Right to Be Forgotten. Or as it’s become known, RTBF. Halloween seems like a great time to dig deeper into this topic.

The premise with the GDPR is this: individuals have the right to have personal data about them removed from business systems if they no longer want their data processed by that entity. At face value then, hardly something that goes bump in the night. 

The ghostly chill begins when determining just how far the process of forgetting has to go, because the regulations themselves don’t fully stipulate:

  • What about where a law exists that mandates records are kept?
  • Should it include archives and backups?
  • What about where there is no law to override GDPR, but the business deems it reasonable to retain something to protect itself?

Laws and regulations that stipulate records must be kept can, in certain cases, override GDPR. So under those circumstances, financial, health and safety records, for example, should not be destroyed. Backups are a potential ‘the-car-won’t-start-as-the-evil-monster-closes-in’ moment, which I’ll come back to. Information that your business wants to keep to protect itself may be retained depending on the situation, but even then should be removed from the reach of any further processing. And if you do this you should keep records to justify your reasoning. Of course, your reasoning may be subject to challenge, so what is clear is that there is no easy answer.

So is forgetting someone a horror story after all, or not? In my conversations with businesses looking to become compliant with GDPR, they actually find it super scary, with one of the main challenges being unstructured data. Unstructured data can account for up 80 percent of the data held by a company, and is notorious for copies finding their way into every nook and cranny, including mobile devices and third-party clouds. For big business, hundreds (or thousands) of applications – many of which share data via middleware or custom coding – also start to look equally scary. Definitely no treats hidden here.

Add into the mix that these demands have to be processed within a time limit and things start to travel very much into nightmare territory. Not only do you have to find this Personal Data on request, but you then have to determine which laws apply before you can delete anything for GDPR reasons, so you can’t just delete everything ‘to be on the safe side.’

Let’s return to the topic of backup, which, let’s face it, normally brings waves of joy when you’re able to bring your data back from the dead. In the world of RTBF and GDPR, this ‘recovery’ could turn into more of a Zombie horror story, with previously forgotten personal data returning to haunt you. Imagine the scenario: you forget someone, then you have an outage, and you recover your systems/data, only to put back the forgotten (now zombie) data about the data subject, leading to complaints and potentially a regulator audit. And let’s not forget about the question of whether you should have deleted the information from the backup in the first place.

So how do you combat all of this? One silver bullet, of course, is effective search technology that can look across your entire data landscape. This allows you to find what you need quickly and process it as required, using automation where possible. In addition to full content indexing, Commvault also allows you to delete data from backups, or build-in business processes to ‘re-delete’ data if you prefer. More important, if you can find the data quickly enough and retain backups for a shorter time, you’ll have an advantage in achieving and maintaining compliance. Great news for your ‘stakeholders.’

The data management choices that you make for GDPR can also have a significant upside, so to balance out this RTBF scary story, look out for my next blog on the business benefits of GDPR readiness; or learn more about Commvault GDPR solutions.