The right of erasure is the top GDPR compliance concern

Tracking down and deleting personal data on request is not going to be easy for most companies, Computing research finds

The GDPR will become law across the EU one year from now. One of its most onerous provisions in terms of compliance is the right of an individual to know what data an organisation holds on him or her and to have that data deleted - the ‘right of erasure'.

To quote the ICO's website: "The right to erasure is also known as ‘the right to be forgotten'. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing."

For global organisations in particular, this is a challenge because that data may be replicated across hundreds of databases, spreadsheets and mail-merge documents. It may also be synchronised to cloud services, archived on tapes or be in the hands of a third-party supplier.

The GDPR mandates that the organisation be able to locate all of these instances so they can be erased. How many organisations of whatever size could be confident of being able to do that right now?

We asked 100 IT professionals from 100 organisations with 100 or more employees which aspects of GDPR they believe will be most difficult to comply with. The right of erasure was an easy winner.

Within almost all companies there are established systems in place to control cash flows and HR records, but the equivalent structures for managing personal data are much less well developed, said Martin Hoskins, associate director at consultancy Grant Thornton.

"Far fewer companies have anyone in overall charge of the customer experience - so they don't readily know where all their customer records are, or who is accountable for ensuring that the records meet the requirements set down by the current Data Protection Act or the GDPR," he said.

The department most in touch with customer experience is marketing, but it may also be the least well prepared when it comes to data protection.

Andrew Nielsen, chief trust officer at cloud information management firm Druva, provided an example.

"A marketer might download a spreadsheet containing customer records for them to do their own analytics," he said. "What happens to that set of records after it's used? Will IT know that the download has taken place, and that the right data management steps have been taken over time?"

Companies hold a huge variety of personally identifiable information (PII), including names and addresses, dates of birth, login details and credit card information.

Do you process personal data?
Names and addresses
81%
Emails / phone numbers
77%
Dates of birth
63%
Logins and passwords
63%
Employment details (salaries, grades)
62%
Official documented ID, eg passport number, number plate, national insurance number
56%
Credit card and other financial data
36%
Health information
27%
None of these
4%

What's more, this PII will be held in many different systems and is unlikely to be consistent. Some records will be out of date, others incomplete, and others will have spelling mistakes and other errors that make them difficult to cross-match.

"Customer data can be held in many places across a business," said Martin James, regional vice president, Northern Europe at big data firm DataStax.

"The challenge here has been that many businesses have expanded their channels over time and use different applications for each one. A customer record for online sales may not be tallied up with in-store loyalty card data or web chat, for example, yet each of these systems holds a customer record."

Marketing budgets could be reallocated to pay for GDPR compliance

A win-win is achievable here. There are obvious advantages to be had by arriving at a single, consistent view of this data quite apart from being on the right side of the law. For one thing, it makes delivering personalised services and marketing a lot more efficient, reducing the errors caused by data mismatches, out of date records and duplication. Because of this James suggests that marketing budgets could be reallocated to pay for GDPR compliance.

"If they haven't put this in place, then the budgets available for GDPR compliance could be used to implement this or vice versa," he said.

Permission to proceed

Before using data generated by customers for personalisation and marketing, companies will be required to obtain their consent. This will be much more exacting under GDPR, and was the equal-second most challenging issue in our graph above.

James sees this as a value exchange. "Customers should be willing to provide consent as long as they see value from providing it," he said.

In theory this may be may true, but from a consumer's point of view evaluating one side of this exchange is currently impossible as we really have no way of knowing what happens to our personal data once we have handed it over. The GDPR addresses this imbalance.

"The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action," says the ICO's guidance. "Consent should be separate from other terms and conditions; It should not generally be a precondition of signing up to a service.

Put simply PII can be used to deliver the service on offer, but no more. Clearly this is something that is going to need very careful handling if customers are not to opt out in droves.

"Many new companies base their business models on trading a service for personal data, said Nielsen. "It would only take a small percentage of customers denying access to their data to seriously affect the potential success of those companies over time."

On the other hand, some firms may over-react, seeking consent where there is no reason to do so, said Hoskins.

"A poor understanding of what the GDPR actually requires may result in companies offering individuals the opportunity of withholding their consent with respect to certain activities that companies quite legitimately need to do, even though there is no real need to give individuals this option."

With a year to go, managers, lawyers, marketers and IT professionals who are still unclear about the GDPR should work out where they need to apply their efforts without delay.

Correction: this article originally stated incorrectly that companies have 72 hours to locate and erase PII on request. The GDPR does not impose a time limit.

Computing's IT Leaders' Forum GDPR: are you sure you've thought of everything? is coming to Manchester on 06 June 2017.

We'll be discussing the key touchstones of the GDPR and e-Privacy Regulation as well as some aspects that will be less familiar to many - such as the impact on website design.

Attendance is free, but strictly limited to IT Leaders. To find out more and to apply for your place, check out the IT Leaders Forum website.