What does 'right to be forgotten' from the GDPR mandate really mean? And is there an important step before we get to 'forgotten' that we are glossing over?

The phrase “the right to be forgotten” conjures up (at least in my mind) a sci-fi flick where you cast a hypnotic spell on the enemy and when they wake up from their trance, you are a stranger to them. But this is not a sci-fi or movie blog, so let me get to the tech behind this before I scare you away.

This phrase – made famous by the now-ubiquitous General Data Protection Regulation (GDPR) – essentially hands over power to you and me as end consumers to demand that all traces of our digital exhaust be forever expunged by the data controller. While you chew on that, let’s dwell a little bit on what it means to the GDPR-compliant organizations – the data controllers providing a service to you and me.

This means that if I am an EU resident with a hosting provider named Foo, Foo now must keep track of all my digital activities – logs, content hosted, data stored, etc. – and uniquely tie that to my identity forever. Why? Because if I decide to exercise my right “to be forgotten,” they need to be able to quickly access all my fingerprinted data, obliterate it, and provide proof of that deletion to me.

If this sounds onerous (which it is), it gets even more challenging when they need to do this for me retroactively. That means they need to be able to go back in time and look at all past data, which is a far bigger task. Now, I must admit that there is some gray area here in terms of how much retroactivity is needed. But if you are a conservative organization, do you want to wait to be breached, or wait until a consumer exercises her right, to discover whether you’ve complied or have the tools to remediate? Sounds like a problem, does it not?

But I have assumed that my data is only resident with Foo. Foo may be the hosting provider, so that may be a default, but it is an erroneous assumption.
There is likely to be a network provider who is providing the pipe, and maybe some caching and security services along the way also fingerprinting me. Throw in other default destinations that I may frequently visit – Google, Facebook, Snap – and suddenly this becomes very challenging. Now arguably, some of these top “hub economy” companies are ahead of the game and already provide some of this – but it’s one thing to be setting your own rules and providing what you think is appropriate and adequate, and it is quite another to be adhering to strict compliance mandates.

For example, Facebook has the feature to download a copy of your Facebook data – which means they fingerprint everything (surprise!) and presumably can delete everything if needed. But most large and small providers have no such facility. And where does that leave you and me? How many places do I need to go to be really “forgotten?” And do all those places have the data smarts to actually “forget me?”

But let me leave you on a positive note. For all the companies that are just now coming to terms with this law and its implications, and don’t have the in-house smarts or the deep pockets of the Facebooks of the world, one of the first places to start is to begin classifying data. This could mean considering primary, secondary, even tertiary storage – on-prem, in the cloud – to identify where sensitive data is stored. This could be PII (personally identifiable information), credit card data, health records, etc.

This is not the finish line, but a good starting point. Adding continuous hygiene going forward is going to be imperative. This would be to fingerprint every user’s “critical” data uniquely and encrypt it with its own key, so that the data belonging to one person can be located and destroyed without touching anyone else’s. Again, one of many steps that need to be taken, but a critical initial one.
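To make the “fingerprint each user’s critical data and encrypt it with its own key” step concrete, here is an added example (my code, not the article’s and not any vendor’s product). It interprets the author’s advice as per-data-subject keys plus crypto-shredding: every record is tagged with the data subject it belongs to, the payload is encrypted under that subject’s key, and an erasure request destroys the key and the rows and returns a receipt that can serve as the “proof” the article mentions. The `KeyVault`, `DataStore`, `erase_subject` names and the sample records are all assumptions; the cipher is a standard-library HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen only so the example runs with no dependencies. A production system would use AES-GCM from a vetted library and keep subject keys in a KMS or HSM.

```python
"""Per-data-subject encryption with crypto-shredding (added example, not from the article)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class KeyVault:
    """Holds one random 256-bit key per data subject (stand-in for a KMS/HSM)."""

    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        """Create the subject's key on first use (new data after erasure gets a fresh key)."""
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def get(self, subject_id):
        """Look up an existing key; raises KeyError if the subject has been erased."""
        return self._keys[subject_id]

    def destroy(self, subject_id):
        """Crypto-shred: once the key is gone, every ciphertext under it is unrecoverable."""
        return self._keys.pop(subject_id, None) is not None


def _subkeys(key):
    # Domain-separate the encryption and MAC keys derived from the subject key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF-based stream (teaching construction).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class DataStore:
    """Rows carry the subject id in the clear (the 'fingerprint'); payloads are encrypted."""

    def __init__(self, vault):
        self.vault = vault
        self.records = []  # dicts with subject_id, category (e.g. pii, logs), blob

    def store(self, subject_id, category, plaintext):
        blob = encrypt(self.vault.key_for(subject_id), plaintext)
        self.records.append({"subject_id": subject_id, "category": category, "blob": blob})

    def inventory(self, subject_id):
        """Every place this subject's data lives: the lookup an erasure request starts from."""
        return [(i, r["category"]) for i, r in enumerate(self.records) if r["subject_id"] == subject_id]

    def read(self, subject_id, index):
        r = self.records[index]
        if r["subject_id"] != subject_id:
            raise PermissionError("record belongs to a different subject")
        return decrypt(self.vault.get(subject_id), r["blob"])


def erase_subject(vault, store, subject_id):
    """Fulfil an erasure request: destroy the key, drop the rows, return an auditable receipt."""
    targets = store.inventory(subject_id)
    # Digests of the ciphertext give evidence of what was destroyed without retaining content.
    digests = [hashlib.sha256(store.records[i]["blob"]).hexdigest() for i, _ in targets]
    key_destroyed = vault.destroy(subject_id)
    store.records = [r for r in store.records if r["subject_id"] != subject_id]
    return {
        "subject_id": subject_id,
        "records_destroyed": len(targets),
        "categories": sorted({c for _, c in targets}),
        "key_destroyed": key_destroyed,
        "ciphertext_digests": digests,
    }


if __name__ == "__main__":
    # Constructed sample data for two data subjects.
    vault, store = KeyVault(), DataStore(vault)
    store.store("alice", "pii", b"Alice, 12 Rue Example")
    store.store("alice", "logs", b"2019-01-01 login from 10.0.0.1")
    store.store("bob", "pii", b"Bob")
    print(erase_subject(vault, store, "alice"))
    print(store.read("bob", 0))  # Bob's data is untouched
```

The receipt is what you hand back to the data subject and keep for the auditor: which categories of storage held their data, how many rows were removed, and that the key was destroyed. Because backups and replicas that were not physically purged still hold ciphertext under the destroyed key, the key destruction is what makes the retroactive case tractable; the row deletion is the hygiene on top.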
While there are many GDPR scaremongers out there, and disingenuous vendors doing a lot of GDPR-washing, the core tenets that it proposes are very important and timely and, when taken seriously, could go a long way in simultaneously reducing the risk levels of both an enterprise and an individual.