Page 44 - GS161002
Education
portability; in other words, an individual can ask a company to remove and transfer any of his or her personal data from the company's database to the individual's possession or directly to another controller. Of course, achieving data portability for all files and guaranteeing safe data transit can potentially be a massive undertaking.

In aggregate, all of these requirements are unfamiliar territory for most U.S. businesses. Creating and implementing the processes and procedures necessary for compliance may require an outside privacy consultant or appointment of an in-house data protection officer (which may be mandatory); yet, most businesses are undoubtedly reluctant to take this leap. In their defense, the tremendous amount of time, money and effort necessary, as well as other issues, make this hesitancy understandable.

House cleaning has advantages

The Right to be Forgotten has the potential to greatly decrease a company's customer database and historical data, which could be detrimental to that business's ability to adequately market to a larger consumer base or analyze consumer trends. This alone could be a sticking point, but that's not all: there may be data collected by a business that gives it an edge over its competition – are they now supposed to transfer that data to a competitor?

Businesses can examine alternative methods, however, for continued preservation of at least part of the data. Pseudonymization would remove the identifying elements, allowing for continued trend analysis, storage of competitive data or other data as long as it does not permit re-identification.

Alternatively, what if the Right to be Forgotten were actually worth the trouble? Consider this: Article 17 is a call for a much-needed spring cleaning. Flushing out those one-time purchasers or customers who may not desire to do further business with a company might be beneficial in avoiding a large-scale breach, saving in digital data room or physical record storage, and creating marketing materials true to your current target. Sufficiently identifying and tracking personal data will also help to identify areas lacking in security or that you really don't need.

It's time to examine personal data practices
There are circumstances in which a business should not provide or remove personal data. Perhaps the information of more than one individual is combined, or it might contain certain health, social work, adoption or other similar data. In such cases, businesses should be prepared to document and explain their reasoning for not providing or removing personal data, and be able to address a response to the individual.

The Right to Erasure/Right to be Forgotten is part and parcel of future business, and the time for businesses to examine their personal data practices is now. Businesses should identify their need set and consider contracting with certified privacy professionals to assist with this monumental requirement. For additional information on the GDPR, see "GDPR: Why it affects businesses even outside of the EU," by Lori Schrameck, The Green Sheet, Sept. 26, 2016, issue 16:09:02.

Lorie Schrameck, CIPP/US, is Manager of Operations and Celine Rodriguez is Operations Associate at CSR Professional Services, Inc., the home of Readiness Pro Edition and SIPO. Lorie can be reached at lschrameck@csrps.com. For more information applicable to your merchant customers' business, contact CSR at 866-294-6971 or online at www.csrps.com.