How Data Discovery Aids Compliance With Data Deletion Requests

Global privacy laws such as GDPR and CCPA afford individuals with the right to delete or modify data that businesses hold about them.

Nov 3, 2020

Global privacy laws such as the EU’s General Data Protection Regulation(GDPR) and California’s Consumer Privacy Act(CCPA) afford individuals with the right to delete or modify data that businesses hold about them. But to satisfy the data subject’s request for the erasure or correction of their data, your business must have a complete picture of what data you hold on each consumer, where it resides, and who it is shared with. In this post, we will address:

  1. What the right to delete is
  2. The challenges associated with fulfilling deletion requests
  3. How data discovery technology can play an essential role in this process
  4. A look at some of the software tools available for data discovery

I. RIGHT TO DATA DELETION UNDER EU DATA PRIVACY AND CALIFORNIA LAW

What is the rationale for the right to delete?

An embarrassing news story from teenage years, a decade-old financial record hindering future business opportunities, or just outdated personal information such as a previous address can all be the subject of a data deletion request.

The idea is that people should not be stigmatized forever for past actions, allegations or disputes. “The Internet is forever,” as the saying goes. And nearly every day, something that someone thought had been put behind them comes roaring back from the online archives. The right to be forgotten is supposed to ameliorate that. As Friedrich Nietzsche once said, “Without forgetting it is quite impossible to live at all.”

But also, we may just not want to hear from a particular company again, or want them to save our purchase history forever.

This right is recognized, in different ways, in both the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

How is the right to delete addressed in the EU Data Privacy Law (GDPR)?

Individuals can request the permanent deletion of their data under article 17 of the GDPR. However, this “right is not absolute and only applies in certain circumstances.” One circumstance where the right to deletion is overridden is if the data processing is necessary for the exercising of freedom of expression.

Under the GDPR, a data subject can ask for deletion based on six different grounds including ‘withdrawal of consent’, ‘objection to direct marketing’, and ‘unnecessary collection of data’.

When it comes to data, what the term ‘deletion’ entails is even more important because data is reproducible infinitely and it is usually copied to multiple systems, stored on a variety of back-ups, and transferred to third parties such as web-hosting and cloud providers.

Depending on the context of the ‘deletion,’ the data controller’s obligations and technical capabilities to fulfill deletion requests can change dramatically.

GDPR adopts a broad approach to what deletion of data entails. To comply with GDPR, data controllers must purge personal data from the back-up systems and archives; deletion from the live systems is not sufficient for compliance.

CCPA’s position on the right to deletion

CCPA 1798.105 gives individuals the right to deletion personal data. Just as with GDPR, there are exceptions, such as “complying with a legal obligation,” where a refusal to delete data is justified.

Compared with GDPR, CCPA imposes less stringent obligations on businesses because a business does not have to erase data from the back-up systems or archives so long as it does not disclose this data or share it with others.

The CCPA has another provision which eases the obligations of businesses in terms of the amount of data they must erase: Consumers can only ask for the deletion of personal data that they provide themselves. The deletion right does not extend to data collected from third parties such as data brokers or data collected via behavioral tracking.

Overall, CCPA imposes lighter obligations on businesses than does GDPR because it limits the types of data that are subject to deletion requests and also excludes archived data from the right to deletion.

Laws are in force--but do people request deletions?

Since these laws have come into force, there has been a notable increase in the number of data subject requests.

If you look at the requests made under CCPA, 31% of all requests were for the deletion of personal data.

A similar trend occurred with GDPR as well. Facebook, for instance, reported experiencing a fourfold increase in the number of queries it received after the EU Data Privacy Law took effect.

II. PRESS THE ‘DELETE BUTTON’ AND ALL IS WELL? IT’S NOT THAT SIMPLE

Why data deletion is challenging

Your data is usually not in a single central repository in an easily searchable format but it is scattered through different databases, repositories, systems, applications, and both on-premise and personal devices.

Moreover, around 80% of the data is in an unstructured form.

Unstructured data brings particular difficulties for the deletion process because it is not easily searchable and does not fit pre-determined data models. Therefore, you can easily miss unstructured personal data buried in the content of an e-mail, in contrast with structured data stored in a database, for example.

Examples of unstructured data include text files(spreadsheets, logs, e-mails), data from social media sites, communications via channels such as collaboration software, messaging apps, call recordings, and survey responses.

Furthermore, personal data is usually shared across different teams within your organization and the use of personal devices for work also leads to the spreading of data across more devices.

What if a former sales representative resigns and hundreds of e-mails containing sensitive personal data are left undeleted on his/her device? As the on-going pandemic resulted in more employees using their devices for work purposes, more personal data is stored and accessed on those devices.

These inherent problems make compliance with deletion requests more challenging. You cannot purge personal data from your records permanently if you cannot pinpoint where that data lies and you are deemed to fail in fulfilling deletion requests if the data subject wants to be deleted escapes your discovery and stays in your system.

Do privacy laws apply to unstructured data?

As difficult as it sounds to dig through unstructured data to find personally identifiable information, privacy laws such as EU Data Privacy Law(GDPR) and CCPA still apply to that data.

GDPR does not distinguish between structured and unstructured data and as the U.K.’s data protection authority, the Information Commissioner’s Office, notes, difficulties related to unstructured data are not an excuse to not fulfill data subject requests.

Germany’s data protection authority, for instance, fined a real estate company 14.5 million euros for failure to implement appropriate measures to discover and clean up personal data that was no longer necessary to retain. In this case, the real estate company Wohnen retained tenants’ data, which was in unstructured format and which included payslips and health insurance data, for longer than necessary. Moreover, it did not implement necessary measures to purge this data from its archives for 1.5 years after the German authority gave a warning.

As this case demonstrates, unstructured data is within the reach of the GDPR, and businesses need solutions to find, identify, and manage it to stay compliant.

As for CCPA, intense lobbying against the inclusion of unstructured data within the CCPA by the insurance industry did not bear fruit while the law was being drafted. So unstructured data falls under the scope of the CCPA as well.

III. HOW DATA DISCOVERY CAN HELP WİTH CHALLENGES OF DATA DELETION

Unearthing personal data from unstructured repositories and scanning through all your databases, devices and files can be cumbersome. But there are better ways.

What is data discovery?

Data discovery refers to the process of scanning both your structured data and unstructured data and detecting and extracting any personal information stored in various databases, email servers, third-party cloud services, and in back-up or archived systems.

Ideally, data discovery will provide a complete picture of what type of personally identifiable data you have, where it is kept, and who can access it or share it with third parties.

How data discovery can solve challenges with deletion requests

Effective data discovery software, then, can play a vital role in satisfying deletion requests. Fulfillment of deletion requests depends on locating every place where the relevant data resides and then removing it from the records permanently. Whether the data is in an unstructured format or stored in a personal device, cloud, or back-up systems, makes no difference.

Data discovery technology can help you uncover all types of personal data, including data retained in unstructured data repositories, and create complete profiles off of what it found. Based on this, you can purge personal data per the deletion request without overlooking any data.

Privacy law compliance requires having complete information about the data you hold and the store. Data discovery technology is beneficial to achieving this.

IV. WHAT ARE DATA DISCOVERY TOOLS AVAILABLE IN THE MARKET?

Manetu

Manetu’s Consumer Privacy Management Platform can scan through all your databases, applications, unstructured data repositories, systems, and devices to detect every data piece you hold about a particular data subject. It uses natural language processing technology to detect personal information hidden within unstructured data such as texts, e-mails, and log files. Given that the majority of unstructured data is text-based, Manetu’s natural language capabilities may prove useful in unearthing personal data.

After completing the collection of personal data, it uploads this data to a self-portal in encrypted form for individuals to access and make requests as per their rights under the relevant privacy laws such as data deletion requests. Your customers can ask for deletion via this portal and you can implement this request conveniently as you have a detailed map that pinpoints all personal data within your control.

Manetu’s solution streamlines the data deletion process as it automates both the discovery phase and deletion request processing.

ManageEngine DataSecurity Plus

This discovery tool can go through your files and give visibility into what type of data you have, where it is kept, and generate reports on each file. It provides more than 90 different solutions related to device management, security, and help desk software.

In terms of deletion requests, ManageEngine’s solution does not automate the process of executing on deletion requests. It only locates files containing personal data and you must manually fulfill the deletion requests.

Clarip

Clarip is a privacy management software provider. Its software accesses datasets and systems to discover and extract personal information. It also provides a tool to manage consent preferences and cookies.

It also provides consultancy services on compliance with different laws such as EU Data Privacy Law.

Conclusion

Compliance with divergent legal regimes such as EU Data Privacy law and California law may present unique challenges, particularly regarding the exercise of data subject rights.

The right to deletion of personal data is a particularly sensitive issue as individuals may have a higher stake in having a certain aspect about themselves purged from the records to move on with their lives.

If personal data cannot be located in every single place it exists and erased from the records permanently, this right would not achieve its primary goal.

Complete erasure of personal data per legal requirements depends on locating and extracting every piece of information existing across your repository and data discovery technology is thus vital to compliance with deletion requests.

Furthermore, by having a complete record of where you store a particular individual’s data and for how long, you can solidify the trust between your business and your customers. Knowing what data you collect and where you keep it is a sign of being accountable to and being transparent with your customers.