Page 42 - GS161002
Education
GDPR's right to be forgotten impacts all business

By Lorie Schrameck and Celine Rodriguez
CSR Professional Services Inc.

In an attempt to push European data protection into the future of digital data handling, the European Union approved the General Data Protection Regulation (GDPR), which includes Article 17, the Right to Erasure, more commonly known as the Right to be Forgotten. Under this article, if there is no legitimate reason for a data controller to continue to process an individual's personal data, the individual can request to have his or her personal data removed by the data controller.

Upon the debut of the Right to be Forgotten, legal experts focused on the compliance of search engines and their roles as data controllers, which might have led business owners to believe that this "Right to be Forgotten" applies only to entities with a large and overarching digital or online presence. However, this could not be further from the truth. The Article 17 requirement applies to all EU personal data held by the data controller.

U.S. businesses must take note

For businesses in the United States that will fall under the GDPR's jurisdiction in May 2018, this may be a complete game changer. All U.S. companies that conduct business within the European Union, regardless of any physical presence, should determine now if they will be held to GDPR requirements. Preparation to meet these new laws may be substantial, and with noncompliance fines of up to 4 percent of global annual turnover, it is an important consideration.

Businesses held by the obligations of a data controller must fully acknowledge and address the implications of the Right to be Forgotten. But where should a business begin? Admittedly, the GDPR has provided some specification for personal data removal. For instance, businesses are expected to establish a functional system for verifying the identity of the data subject making the removal request, as well as a system for accepting, processing or responding to removal requests within one month.

Personal data should be located, tracked

A business will need to recognize every type of personal data it possesses and exactly where that data is located in order to process the request; hence, a controller must meticulously track its personal data so it can later be removed upon request. There may be several locations in which businesses must keep track of their data, especially when companies have several branches or third-party vendors.

The locations of personal data may depend on the type of personal data. Obvious data would be a name, address, email address, payment information and date of birth, but other data could include website or mobile device user information (IP address, page views, mobile device ID, geolocation, etc.), marital status, email or other correspondence, answers to surveys, or customer complaints. Also, you may have a record of services provided over a number of years, a transaction history, preference information, social network data or data obtained during security monitoring.

Some data retention policies are obsolete

Data permanency, which has plagued businesses since the establishment of digital processing, may now contribute to issues in locating personal data. Previously, ensuring your business could save every kilobyte of data was considered a good thing. If pertinent information was deleted, there were backups and even backups for those backups. Nevertheless, unrestricted data retention will now be problematic not only for addressing erasure requests, but also for data retention restrictions.

The GDPR demands that businesses notify their third-party vendors about any data removal requests. After vendors have been notified, the businesses must then ensure that these vendors comply with these requests. Thus, a system for data tracking and removal should be sufficiently guaranteed in vendor contracts.

Complying with Article 17 is a complex process

Tracking is not an easy task, especially online. Is the average small business owner aware of all the first- and third-party cookies his or her website utilizes? Has said business owner addressed restrictions for onward transfer of personal data by vendors? The GDPR also has a provision for data