Let’s walk through some of the issues that have arisen in response to the right to erasure requirements.
The SMB GDPR Challenge GDPR applies to ALL companies who have personal information from a European citizen.
While we tend to think of major multinational companies when considering who is impacted by GDPR, the Internet has made it possible for smaller organizations to tap into foreign markets.
So even some of the smallest organizations need to be GDPR compliant, which can be incredibly difficult for resource-strapped SMBs.
Small businesses are constantly understaffed, particularly within the IT and security departments, which makes GDPR compliance a huge undertaking because it is often the responsibility of a single person or a small group.
There have been some rumblings about adjusting the size of the company that this legislation applies to, but for now everyone from small Mom and Pop shops and startups have the same compliance requirements as the world’s largest companies.
Transparency is the Key to Request Fulfillment Most organizations have only a vague idea of where all their data is stored.
So deleting a specific person’s information when you don’t even know where it’s housed is obviously an enormous challenge for most companies.
The best way to prepare the organization for right to erasure requests is to map out where all personal information is located within an organization’s infrastructure – whether that be on-premise or in the cloud.
In order to establish a single version of the truth, security and IT teams need to proactively align policies and technology to create transparency within their IT environment.
And it’s important for organizations to apply policies that mend any gaps in their cybersecurity processes while also creating an inventory of tools that interact with personal information.
Visibility is incredibly helpful in allowing businesses to move quickly and efficiently to comply with right to erasure requests.
A best practice is to centrally collect and view data from all environments, comprehensively leveraging the visibility tool to detect, deny, and disrupt threats.
If you choose to use a visibility tool, ensure it has host-based, behavioral detection to give you complete wide spread visibility into your environment.
Once the data mapping exercise is complete, security and IT teams should conduct a stress test to determine if the system works.
GDPR requires all right to erasure requests to be processed within a month so it’s important for IT and security teams to make sure they can execute efficiently on any such request.
The Consumer isn’t Always Right It’s important that businesses understand that if GDPR is confusing for them, it’s also confusing for the average consumer.
When GDPR was first enacted we were deluged with right to erasure requests that clearly demonstrated the person’s knowledge (or lack thereof) of the statute.
A few lessons that we learned working our way through right to erasure requests thus far: Make it easy for people to differentiate between web email opt-outs and legitimate right to erasure requests.
Businesses with effective marketing and communications programs deliver a valid service that many people are willing to offer their personal information for.
Security leaders shouldn’t throw the baby out with the bath water and make clear delineations in their compliance plans to differentiate between when someone just doesn’t want to receive a company’s weekly newsletter and when they want their data to be erased entirely.
GDPR doesn’t allow for group right to erasure requests.
We received a handful of right to erasure inquiries that tried to also cover their co-workers, spouse, children, parents, friends, and just about everyone else the person knew.
The legislation requires one request directly from an individual.
We know that EU legislators intentionally wrote GDPR in overly broad language because they wanted to see how businesses acted before they made modifications.
This pragmatic approach is great in theory but there’s no timetable on when many of these issues will be ironed out.
So, while changes may be coming, organizations need to make sure that they are GDPR compliant now to avoid penalties.
And while there are challenges to GDPR compliance, there are also opportunities to create visibility and control over consumer data in corporate systems.
Rather than being overwhelmed by the requirements, companies should view GDPR as an opportunity to take responsibility over their infrastructure which will not only help with right to erasure requests but also improve their security posture.