GDPR Todd Goldman April 25, 2017

Complying with GDPR’s Right to Be Forgotten Rule:  Ignorance is no excuse!

May 25, 2018.  That’s when the new requirements set forth by the European Union’s General Data Protection Regulation will go into effect.


Organizations are now scrambling to bring their data management policies and processes up to snuff. Some, like global carmaker Honda and European airliner Flybe, are even getting fined for transgressions made in trying to prepare!


It just goes to show you how complex achieving a state of GDPR readiness can be.


The main problem is most organizations don’t even have a baseline infrastructure to properly support data governance initiatives like GDPR. So they react to the legislature by locking large swaths of data down, putting it in quarantine and limiting access. But by treating all data as sensitive, business analysts are required to submit formal requests in order to access data to understaffed groups, which can take weeks if not months to grant access. So, the value of data is stymied for the sake of compliance.


Except they fall short of that, too—particularly around the GDPR’s “right to be forgotten” (or right to erasure) rule, which requires organizations to jettison personal data on a number of grounds, including when it’s no longer necessary “in relation to the purposes for which they were collected or otherwise processed.” So, if an organization decides to simply lock down the data it has on European citizens, it is almost guaranteed the company will have taken itself out of compliance. And it will be penalized.


To support GDPR in a way that doesn’t get in the way of the organization’s use of data or its compliance, businesses must identify all personal data elements and their location across all data stores. Because, how can you “forget” someone if you don’t know where their data is located in the first place? This is the question many businesses are now asking themselves. Since most companies have been keeping track of their most critical systems but lack a comprehensive catalog of all their data, including development, test, production, data warehouse, and backup systems, they only know about 10 to 20 percent of their total data estate. This lack of knowledge around data lineage can also get in the way of the organization’s ability to mask sensitive data (another GDPR requirement) and properly track all processing activities (yet another requirement), including categories of recipients of personal data, transfers of personal data to a third country or an international organization, and those who process data on behalf of the organization.


The only way an organization can ensure compliance with GDPR is to establish how they will identify, tag, and catalog personal data and its lineage. Visibility is a must. A strong data governance program is a must. And given the magnitude of variety and volume of data that is sure to exist, a level of automation is also required. Otherwise, the entire project will become bogged down by manual tagging and review processes that simply won’t be able to keep up.


Want to learn more? Check out our white paper for more on identifying and conquering the issues around GDPR.