The Right to be Forgotten is defined as “the right to silence on past events in life that are no longer occurring.” In practice it allows individuals to have information, videos, or photographs about themselves deleted from certain internet records so that they can no longer be found by search engines.
As compliance regulations roll out across the world, it is important to understand the requirements from an organizational perspective, as well as the differences between regulations that may slightly shift those requirements. While many regulations present the Right to be Forgotten in some capacity, for the purposes of this blog we are going to focus on the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
First, some definitions.
GDPR is a far-reaching compliance regulation laid out by the European Union that went live in May of 2018. While there are multiple facets to the GDPR, the major areas of interest are:
The CCPA is a relatively new compliance regulation being implemented by California that aligns fairly closely with the GDPR. It is a trailblazing regulation, since California is the first US state to introduce a broad privacy regulation in a country that has no far-reaching federal privacy law. This makes sense, however, as California has a GDP larger than most countries. Some of the major impacts of the CCPA include:
While there is much overlap between these regulations, one prominent requirement is the ability to request that an organization delete all data associated with a person. The GDPR refers to this as the Right to Erasure (Article 17, which carries “right to be forgotten” in parentheses as the older, pre-GDPR name). The CCPA is less formal about naming conventions, but it is generally referred to as the Right to Delete.
The GDPR does set a timeline: the controller must act on an erasure request without undue delay and in any event within one month of receipt, extendable by two further months for complex or numerous requests (Article 12(3)). The CCPA gives businesses 45 days to respond and ties the request to personal information collected in the preceding twelve months. Either way, the request means that all collected personal information (barring the regulations' exceptions, such as legal retention obligations) must be removed from the organization in a timely manner, and confirmation of that removal must be provided to the data subject or consumer. See other Stealthbits blog posts for what constitutes personal information under each regulation.
The biggest challenge in remaining compliant is generally locating the information in an environment so that the consumer right can be honored correctly. While there are a few ways this can be done, I want to open with the biggest requirement: finding all content repositories in an environment.
In a perfect world, content is stored in controlled storage locations that are well classified and use a well-structured taxonomy. These locations are purpose-driven, and no personal information sits outside of them. In the real world, that is frequently not the case. As the need for content collaboration increases, many organizations find themselves victims of Shadow IT. This results in multiple content collaboration platforms being stood up within a network or used in the cloud. New platforms without oversight and governance lead to inappropriate information, including personal information, being stored in unacceptable locations, which creates a risk of a compliance breach. Copies in backups, exports, and analytics pipelines count too. Locating and understanding all of these platforms, including the unknown ones, is the first challenge with any regulation.
Once the repositories have been located, the next step is identifying the personal information within them that is relevant: locating the data that relates to specific consumers and data subjects. There are multiple ways this data can be tracked down, but for our purposes we will talk about the two most common.
Full-text indexing is the process by which a system reads all unstructured or structured data within a specific scope, writes an index of that content to a location (a flat file, a database, a similar cache, etc.), and then searches that index when looking for specific terms or phrases. These capabilities come out of the box in a lot of systems, including SharePoint, Windows Server, multiple cloud providers, etc. Full-text indexing has its pros and cons.
Pattern matching and recognition is the process of looking for certain words and phrases within data and identifying whether they match specific words or specific patterns; regular expressions (RegEx) are a great way to do this. Format patterns such as national ID numbers and payment card numbers are prone to false positives, so matches are typically validated (for example, with a checksum) before being acted on. Going this way also has its pros and cons.
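The two approaches above, as an added example that is not Stealthbits code: a small inverted full-text index used to find every document naming a data subject, beside a regex scan for common personal-data formats with a Luhn checksum applied to card-number candidates to discard false positives. The repository paths, document contents, and the "Jane Doe" deletion request are all constructed sample data, and the regexes are illustrative (the SSN pattern is a simplified format check, not an authoritative one).

```python
"""Added example (not Stealthbits code): locating a data subject's records with
(1) a small inverted full-text index and (2) regex pattern matching with checksum
validation. Every document below is constructed sample data."""
import re
from collections import defaultdict

# Constructed sample "repositories": path -> file content (hypothetical).
DOCS = {
    "//fs01/hr/onboarding.txt":
        "New hire Jane Doe, contact jane.doe@example.com, SSN 123-45-6789.",
    "//fs01/sales/notes.txt":
        "Call with John Smith re: invoice 4111111111111111 paid by card.",
    "sharepoint:/sites/marketing/draft.txt":
        "Order ref 1234567890123456 is not a card number; ticket 987-65-4320.",
    "s3://shadow-bucket/export.csv":
        "name,email\nJane Doe,jdoe@example.org\n",
}

TOKEN = re.compile(r"[a-z0-9]+")


def build_index(docs):
    """Inverted index: lowercase token -> set of document paths containing it."""
    index = defaultdict(set)
    for path, text in docs.items():
        for tok in TOKEN.findall(text.lower()):
            index[tok].add(path)
    return index


def search(index, phrase):
    """Paths whose text contains every token of the phrase (an AND query)."""
    toks = TOKEN.findall(phrase.lower())
    if not toks:
        return set()
    hits = set(index.get(toks[0], set()))
    for tok in toks[1:]:
        hits &= index.get(tok, set())
    return hits


def luhn_ok(digits):
    """Luhn checksum: drops 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Illustrative patterns for common personal-data formats (not exhaustive).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Simplified US SSN format: area not 000/666/9xx, group not 00, serial not 0000.
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card16": re.compile(r"\b\d{16}\b"),
}


def scan(text):
    """Return {kind: [matches]} for one document; card candidates must pass Luhn."""
    found = defaultdict(list)
    for kind, pat in PATTERNS.items():
        for m in pat.findall(text):
            if kind == "card16" and not luhn_ok(m):
                continue  # format matched but checksum failed: treat as false positive
            found[kind].append(m)
    return dict(found)


def locate_subject(docs, name, identifiers):
    """Paths holding the subject's name (via the index) or any known identifier
    (via the regex scan). This is the target list for an erasure request."""
    paths = search(build_index(docs), name)
    for path, text in docs.items():
        hits = scan(text)
        if any(ident in vals for vals in hits.values() for ident in identifiers):
            paths.add(path)
    return sorted(paths)


if __name__ == "__main__":
    # Constructed erasure request for "Jane Doe" with one known identifier.
    for p in locate_subject(DOCS, "Jane Doe", ["jane.doe@example.com"]):
        print("contains subject data:", p)
```

The index finds the shadow S3 export that names the subject under a different email address, which the identifier scan alone would miss; the scan, in turn, catches the identifier in documents that never mention the name. The Luhn check is why the 16-digit order reference in the marketing draft is not reported as a card number.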
Regardless of the direction people take, having a reliable method to identify information for targeted deletion requests is important. Knowing where these terms are is also useful when data subjects and consumers request exports of their data.
Stealthbits offers a variety of solutions to help organizations with their compliance efforts, including the following major benefits:
Overall, these compliance regulations mean that organizations need to identify personal information within its data context and plan for destroying, provisioning, or securing that content for end users in a manner that is as automated and touch-free as possible.
For a free trial or a demo of Stealthbits, please contact us, today!
As a VP of Product Strategy at STEALTHbits, Ryan is responsible for the vision and strategy of their Data Access Governance solutions. Ryan has a tenure of thirteen years in the technology space across multiple different areas. Prior to joining STEALTHbits he most recently served as the Director of Product Management at Metalogix Software helping to lead them to acquisition by Quest software. He has also previously held positions in R&D, Presales Engineering, and Technical Support.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.
© 2022 Stealthbits Technologies, Inc.