Thousands of EU citizens may ask data controllers to erase their records by the end of May. Will organizations be ready for this coming storm?

According to ESG research, 11 percent of organizations say they are “completely prepared” for the GDPR deadline on May 25, 33 percent are mostly prepared, and 44 percent are somewhat prepared. (Note: I am an ESG employee.)

This data may be somewhat misleading, however. My guess is that most organizations are aiming to have controls and monitoring in place for all the GDPR stipulations by the May deadline. As with any compliance mandate, this is a sound plan, but regardless of their preparation, organizations may still be challenged by Article 17 of GDPR, the right to erasure, more commonly known as the right to be forgotten.

As a review, Article 17 states: “The data subject (i.e., EU citizens) shall have the right to obtain from the controller (i.e., the organization that collects, processes, and analyzes the data) the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”

This means data controllers must have processes in place for finding a data subject’s data, erasing the data, and proving that the data was erased. If you know data governance at all, you realize that this data could be anywhere: on development systems, test systems, production systems, departmental applications, etc.
Furthermore, the data could be offloaded to a data processor, which GDPR defines as: “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Think of how many third parties are in the data processing business.

GDPR nightmare scenario

In doing some qualitative research on GDPR, I heard many people propose a nightmare scenario for the end of May 2018: what if thousands of EU citizens ask data controllers to erase their data concurrently once GDPR becomes the law of the land? This could happen because:

EU citizens independently target particular data controllers, such as Google, Microsoft, Facebook, Twitter, etc.
Grassroots organizations launch visible data erasure campaigns against certain data controllers, leading to thousands or even hundreds of thousands of simultaneous data erasure requests.
EU law firms organize thousands of volunteers for data erasure campaigns to test the veracity of GDPR and GDPR compliance.

One or all of these things could happen soon after May 25. Now, I know some of you are thinking, “My organization doesn’t do deep analysis or sell EU citizens’ data, so we are safe.” Hmm, that may be true, but it’s a bit of a myopic risk management viewpoint. Think about data erasure in the context of other types of events. A board member is exposed as having an extra-marital affair. Your organization’s product is recalled suddenly due to quality problems. Or perhaps a completely fabricated rumor about your organization’s politics gains momentum on Facebook and Twitter, leading to extremely bad PR. Any of those events could trigger a data erasure storm at any time.

Given this frightening but possible scenario, data privacy officers and CISOs should re-investigate whether they are truly ready for GDPR.
If your organization doesn’t have automated and auditable processes to find, delete, and verify data erasure at scale, the answer is definitely “no.”