Various government privacy regulations, including GDPR, CCPA, various state regulations, and the draft federal privacy bill currently in Congress (the Consumer Data Protection Act) all include some form of the right to data erasure, otherwise known as the right to be forgotten.
Because the regulations don’t spell out the specifics of the right to data erasure, some are questioning what this right means in practice for PI deletion. To answer that, it helps to understand what the regulatory authority was actually trying to accomplish with this requirement:
- Does it mean a halt to the selling or buying of personal information (PI)?
- Does it mean a stop to the practice of using the PI in company marketing and sales activities?
- Does it mean an end of using PI in business operations such as data mining and analytics?
- Or does it mean the deletion of PI from all data repositories so that the data cannot be reviewed or used again?
In reality, the above-referenced regulations include all four requirements when an individual asks for their information to be erased. Several legal opinions note that the fourth bullet, complete deletion, is the real intention of all right to be forgotten regulations.
A follow-up question related to the right to be forgotten is: what does deletion or erasure mean? There are questions about standard (computer) deletion versus secure deletion. The regulations don’t address this question, but several industry pundits have stated that standard computer deletion is not good enough to protect privacy. Two examples of such statements:
“…the regular “delete“ function of most operating systems and databases is generally not sufficient to meet the requirements of the GDPR.”
“…just deleting data or reformatting magnetic media (including hard disk drives and tapes) will not be enough to ensure that the wrong personal data does not reside somewhere in the business. If data gets deleted from any media type, it can be recovered in many cases, even when the hardware is damaged by flood or fire.”
The most likely intention of the right to be forgotten is that requested PI be deleted in such a way as to make it unrecoverable, which means standard computer soft deletion is not good enough. The actual soft deletion process includes changing the first letter in the file name to a tilde (~), signaling to the operating system that the space taken up by the deleted file is now available for storage. However, until the location where the old file resides is overwritten, the original (deleted) file is easily recoverable. Even when that disk space has been overwritten once or twice, the original file may still be recoverable, depending on how many times the space has been overwritten. So obviously the computer soft deletion process does not meet the standard of unrecoverability.
In fact, there are two accepted processes that make data deletion unrecoverable:
- Data wipe/overwrite: Writing ones and zeros over specific files a predetermined number of times is considered an effective secure-deletion practice, but it can take an extended period of time.
- Cryptographic erasure: Encrypting the target data/files and then deleting the encryption key (and ideally the encrypted file as well) is considered a secure deletion process in both regulatory and legal contexts.
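The following script is an added illustration of the two processes above; it is not code from Archive360 or from any product the post describes. It assumes only the Python standard library: the overwrite routine writes fresh random bytes over a file's full length for a chosen number of passes and fsyncs each pass; the cryptographic-erasure routine keeps each data subject's key in a stand-in `KeyVault` (a hypothetical placeholder for a real KMS/HSM) and uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES, so destroying the key leaves the stored ciphertext permanently unreadable. The sample PI is constructed.

```python
import hashlib
import hmac
import os
import secrets
import tempfile


# --- Technique 1: data wipe / overwrite -----------------------------------
def overwrite_file(path, passes=3):
    """Overwrite the file's bytes in place `passes` times, then unlink it.

    Each pass writes random bytes over the full original length and fsyncs
    so the data reaches the storage device. Returns bytes written per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 16))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return size


# --- Technique 2: cryptographic erasure -----------------------------------
def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a demonstration PRF-based stream cipher.
    Assumption: stdlib only. Production code would use AES-GCM from a vetted
    library; the erasure logic (destroy the key) is the same either way."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyVault:
    """Hypothetical stand-in for a KMS/HSM: one key per data subject,
    kept apart from the data stores that hold the ciphertext."""

    def __init__(self):
        self._keys = {}

    def create(self, record_id):
        key = secrets.token_bytes(32)
        self._keys[record_id] = key
        return key

    def get(self, record_id):
        return self._keys.get(record_id)

    def destroy(self, record_id):
        # Removing the key makes every copy of the ciphertext unrecoverable.
        return self._keys.pop(record_id, None) is not None


def store_pi(vault, record_id, pi_bytes):
    return encrypt(vault.create(record_id), pi_bytes)


def read_pi(vault, record_id, blob):
    key = vault.get(record_id)
    if key is None:
        return None  # key destroyed: the ciphertext is now just noise
    return decrypt(key, blob)


def crypto_erase(vault, record_id):
    return vault.destroy(record_id)


def demo():
    # Constructed sample PI for the demonstration, not real data.
    pi = b"name=Jane Example; email=jane@example.test; dob=1980-01-01"
    vault = KeyVault()
    blob = store_pi(vault, "subject-42", pi)
    readable_before = read_pi(vault, "subject-42", blob) == pi
    crypto_erase(vault, "subject-42")
    unreadable_after = read_pi(vault, "subject-42", blob) is None
    # Overwrite-and-unlink the same PI written to a temporary file.
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(pi)
    wiped = overwrite_file(path, passes=3) == len(pi) and not os.path.exists(path)
    return readable_before, unreadable_after, wiped


if __name__ == "__main__":
    print(demo())
```

Two practical caveats apply to both routines. Overwriting reaches only the blocks the filesystem maps to that file: copy-on-write and journaling filesystems, SSD wear levelling, snapshots and backups can all retain older copies, so an overwrite policy has to cover every repository named in the question above. Cryptographic erasure only covers data that was encrypted under the destroyed key, and any backup of the key (or plaintext exported before encryption) defeats it, which is why the key store and its backup policy need the same scrutiny as the data.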
For companies that collect, process and use PI for marketing and sales activities, which is just about every business, the question to ask is: do my current enterprise content management (ECM) systems, email/file archives, sales CRM systems, and marketing systems meet these unrecoverable-deletion requirements, which will soon become a major liability when responding to privacy requests?
For more information on regulatory privacy, please read these blogs:
Can you hear me now, MiFID II risks and solutions
Look behind you, now! The CCPA look-back requirement
Santa seeks exemption from GDPR
For more information on how Archive360 can help you with this issue, please contact us at: email@example.com