A great deal has been written about the GDPR and CCPA privacy laws, both of which includes a “right to be forgotten.” The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Privacy Regulation (GDPR).
The main trigger for this radical step came from the business practices of major internet companies such as Google and Facebook (among others) around how they collect and use personal data they collect and subsequently sell to other companies for marketing and sales purposes. Additionally, as “fake news” spread, those affected found it was almost impossible to get the internet companies (including news publishers) to fix or remove the false data. Because of this, the GDPR and CCPA were established to ensure end-user rights to know what data is being collected on them, how it’s being used, and if it’s being sold and to whom. The right to be forgotten includes the right to have PI fixed or removed, quickly.
There continues to be a debate about the practicality of establishing a right to be forgotten (which amounts to an international human right) due in part to the breadth of the regulations and the potential costs to implement. Additionally, there continues to be concern about its impact on the right to freedom of expression. However, most experts don’t foresee these new privacy rights disappearing, ever.
WHAT DOES THE RIGHT TO BE FORGOTTEN REALLY MEAN?
Simply put, it means that companies collecting and holding personal information (PI) on EU for the GDPR and California citizens for the CCPA, must find, report on, and delete (when asked) all PI that can be used to identify the citizen – if deleting the PI is not prohibited by regulatory or legal responsibilities and no longer needs the data for the purpose that it was originally collected. This includes personal information in email systems, in marketing and sales CRM systems, on SharePoint servers, on employee desktops/laptops, corporate social media accounts…anywhere. But does the right to be forgotten include enterprise backups?
ARE BACKUPS SUBJECT TO THE RIGHT TO BE FORGOTTEN?
When end-users request their data be deleted, they (and the law) expects that all copies of their data will be disposed of, no matter where it resides, including any third party data processors, and all backups. However, finding and removing specific PI on backup tapes is time-consuming and costly. Imagine finding and deleting all instances of specific PI on fifty backup tapes.
As you might expect, companies have already raised objections about including backups in the right to be forgotten. The issue is the GDPR and CCPA do not address backups as a data repository that are subject to PI deletion. Experts opinion is all over the place. Eventually, the GDPR and CCPA authorities will have to address this question directly, but in the meantime, companies can consider two potential strategies;
- Ignore the issue until the agencies issue guidance while notifying customers that their right may not apply to backups. However, in doing so, the company will need to find a way to remove those who wish to be forgotten in the event of a data
- Or, instead of backing up data that contains PI, archive it so that it can be easily managed, searched, and deleted when needed.
IGNORING THE ISSUE IS NEVER THE MOST EFFECTIVE STRATEGY
This “head in the hole” strategy carries with it higher risk in that the GDPR authority could rule that “of course, backups are included – what don’t you understand about “all copies?” forcing your organization to scramble to comply. Regulatory agencies are usually not in the habit of “going easy” when enforcing regulations because companies might find them burdensome.
Additionally, you should obtain a legal opinion from your outside counsel stating that backups are not subject to GDPR – as an insurance policy, just in case. Many in the industry believe the best practice is to assume a worst case scenario and begin culling PI from your backup processes.
ARCHIVE PI INSTEAD
Backups are great for operating systems and the like. Data files are much better stored in an archive where they can be secured, indexed, searched, managed, and deleted when needed. In many cases, cloud-based archives include the additional feature of offering replication so that your data is “backed up” while still providing easy search and data deletion for GDPR and CCPA.
The EU and state of California have not provided additional guidance on the question of the right to be forgotten and backups. GDPR experts continue to expect that eventually, the GDPR will specifically include backups as a repository subject to the right to be forgotten. With that in mind, it makes sense for organizations to substitute backing up PI for archiving instead. Besides the obvious GDPR search and deletion benefits, archiving enables powerful analytics capabilities not available with data backups.
To read the full blog, click here