“I remember you” — Why you need to know about your right to be forgotten

By Philip Miller
on Apr 9, 2018

We have all had one of those awkward conversations, you know the ones, where someone comes up to you and starts talking like they are an old friend. They know your name, they know things about you that can only have come from you. The only problem is that you cannot remember them. You stall, play for time, try to prise loose that elusive piece of information that will make a connection in your brain and dredge up what you need to recall their name. Perhaps you have a strategy; mine is to introduce a friend (assuming I have one handy) and hope that they complete the introduction and fill in the blanks of the relationship.

Or there are those times you get a text, it happened just the other day with me, where the conversation starts “Hi Phil…..” and ends without a name and, oh no, there is only a telephone number rather than the comfort of a contact at the top. Do you play for time, or do you ask outright “Excuse me, I don’t have this number in my phone…. Who are you?”

These are both far from unusual situations that are not comfortable, but they are, probably, not malicious. Just a slip, a temporary failure to remember, nothing more.

Then there is the other side, being remembered for the wrong reasons, “I remember you! Weren’t you that person who…” did that horrible thing. That is certainly not comfortable, especially when you weren’t that person and you didn’t do that horrible thing.

Being remembered for the wrong reasons or being remembered for something that happened a long time ago (such as when you were that gawky kid at school) are social problems that we encounter from time to time and rely on the memory of the people involved. Those same people can probably be reasoned with to change their mind or update their opinion. Computers are not so rational, they just remember.

The General Data Protection Regulation (GDPR) provides for this situation – one where a computer remembers you [on behalf of a company] for no reasonable purpose. Article 17 of GDPR, ‘The Right to Erasure’, more commonly known by its slightly older name ‘The Right to be Forgotten’, enshrines the right of an individual to request the removal of personal data where there is no compelling excuse for its continued retention and use by a company.

In other words, it should be possible for a properly made request to trigger the erasure of personally identifiable information without too much fuss from a company that has no right to that information.

This brings up the similarities between forgetfulness and persistent memory. They are both a form of association, where given the right stimulus you find that you have not forgotten something or someone. It is all about connectivity and context. That is how memory works in both ourselves and computers.

The ‘Right to Erasure’ is more than just not returning results in a search engine; it is completely removing things that can be used to trigger the associative memory. To do this you need to understand how your memory works.

The creation and retention of data has increased exponentially over recent years. Data is created and moved around as needed; furthermore, derived data is constantly being generated from original data and is itself shipped onward. Organisations have taken advantage of the quantities being collected by putting this data to work in order to learn more about their customers and their habits.

Organisations have found that they only understand their data landscape at a micro or siloed level, with no one person able to answer simple questions about its use. This is true even for reasonably new and small companies. Couple this with ‘The Right to Erasure’ and there is a large problem where the lineage and use of data is not known at a higher level.

The nub of the problem, though, comes when you are proved to remember something you have promised that you have forgotten: when a connection you didn’t know was there is made to that parcel of memory you had ‘forgotten’ about. This might cause embarrassment or worse to the individual and would display to a regulator that the company involved has no control – the worst sin – over its data.

Each time a right to erasure request is received and agreed to, it is necessary to make sure that each and every place in institutional memory is purged. Additionally, it is imperative to be able to prove this, not necessarily only to the individual involved, but perhaps to the risk taker internally or even a regulator.

Data lineage forms a vital part of the overall solution to GDPR.

Using Solidatus, an organisation has the ability to gain valuable insight into their data landscape. The tool enables an organisation to visualise and analyse lineage to understand what data they hold, what type of data they have and how it moves through their systems.

Through its collaborative and crowdsourcing model, Solidatus allows for quick and effective enterprise-wide identification of personal information. Working with all teams across the organisation, a clear understanding can be made of exactly where data is and how it’s being used in business and IT processes.

Once identified, the data can be clearly mapped out to visualise each contact point and ownership can then be assigned. Once an organisation has this knowledge they are able to quickly and confidently fulfil a ‘Right to Erasure’ request knowing that they have removed it from every possible place it has been held.

Not only does this insight allow for easy completion of a Right to Erasure request, it also proves to the regulator that an organisation is taking a proactive approach to GDPR by clearly documenting and auditing their data landscape and privacy impact assessment metadata.

To learn more about how Solidatus can fit within your business strategy, request a demo today.


Topics: GDPR, Data Governance

Author: Philip Miller

Co-Founder, Senior Architect, Analyst and Engineer with over 20 years’ experience within Financial Services specialising in high performance computing, complex event processing and system integration. He is an acknowledged expert in real-time regulatory reporting.