
How companies need to prepare for the Right to be Forgotten and GDPR in the age of global pandemics

When the EU published the General Data Protection Regulation (GDPR) two years ago, nobody envisioned the current pandemic. Despite the challenges we face, GDPR has never been more important. In times of crisis, regulations remind organisations to protect our security and privacy. While companies were already struggling with GDPR compliance, the new working environment has created significant new challenges. Following the GDPR can help rebuild a feeling of trust and safety in a new world, and regardless of current conditions, organisations can protect the privacy of their customers and employees with proper planning and investment.

Even after two years, most organisations still rely on manual effort to respond to GDPR requests. The Right of Access and Right to be Forgotten require an organisation to find and delete information about an employee or customer, but in a world of SaaS applications, edge computing, and data pipelines, there is no single data repository to search for an individual’s data. There is also no centralised tool to search across the data sprawl; instead, legal teams must maintain a list of all data locations and owners for future requests. Given the manual effort, it’s no surprise that Gartner reports each request costs $1,400 and takes anywhere between 14 and 90 days to process. While some organisations process only a handful of retrievals, others are inundated with hundreds of thousands of requests related to the GDPR.

The abrupt shift to remote work has created more privacy threats than ever. People who are accustomed to working together have now shifted their communication to tools like Slack and Microsoft Teams and, without understanding the implications, are transmitting and storing private information on local laptops. While individuals may be focused on getting their jobs done, the unfortunate side effect is an environment that potentially violates privacy regulations multiple times over. It also makes it incredibly difficult to fulfil a GDPR data request, since the list of possible data locations and owners becomes nearly infinite. 

What comes next?

Any plan to re-open governments and businesses will only compound challenges with GDPR compliance, because they will create a deluge of new personal data. Since virtually every plan features extensive testing and tracing, an organisation will hold personal data about employees, outside workers, and visiting customers. That data may be limited to health and interaction telemetry, but it may also extend to video analysis. 

How will they manage that information? Access to such information must be defined and limited - it will need to be retained for a period of time, but then forgotten. Whether organisations manage the data on their own, or utilise a central management service, the amount of private data will exceed anything that most teams have ever managed. 

Over the next year, privacy and health will be inextricably intertwined. Any discussion about test-and-trace will be accompanied by concerns about privacy and will in turn expand questions about existing privacy requirements. Individuals will want to understand how much of their personal information is being collected, stored and analysed, and this additional scrutiny will lead some to become more vocal about privacy. Furthermore, it should be expected that more people will make requests to see their data so they can understand the issue.

A roadmap for success

Fortunately, GDPR gives us a framework for dealing with the changes. Even with remote workers handling data differently, an increase in storing of personal data, and legal teams fielding more requests, the challenge is in storing, retrieving, and eliminating personal data quickly, efficiently, and comprehensively. Therefore, the existing GDPR challenges may increase by 10 times, but they are the same challenges.

Just as the pandemic has accelerated organisations’ digital transformations and adoption of cloud, it will be a catalyst for streamlining GDPR management. 

The first step is to consolidate data management. It is impossible to centralise the data into one location because production applications have become increasingly distributed, and that will only continue as IoT and edge computing spread. Even backup copies cannot come into one data centre because of regional data residency regulations. Still, organisations can create a common pattern across regions, consolidating data in those locations. Many use cloud, since it is widespread and can connect with their various data sources. 

The second step is to extract and enrich the metadata, that is, the information about the data. As rich data sources like video explode, organisations need to convert petabytes of raw data into a manageable set of information. Metadata enables companies to manage access control, search, and retrieval at scale, while storing the data as inexpensively as possible.

The final step is to automate Right of Access and Right to be Forgotten request handling. Enriched metadata can help identify where the data is, and organisations can either pull the data directly from their own data sources or contact their SaaS vendors to retrieve it. With automation, however, the process can scale and eliminate mistakes that can occur in manual efforts.

Whether it is working remotely or coming together with test-and-trace, our lives are now forever changed. Even as everybody’s first thoughts are on the health of their loved ones, it’s important to ensure privacy is protected today and in the future. Therefore, organisations must resist the urge to maintain the status quo on privacy, especially as more move into the next stage and focus on reopening their business. This two-year anniversary of GDPR is the perfect reminder that organisations have an opportunity to build trust with their employees and customers, and this trust is priceless.

Stephen Manley, Chief Technologist, Druva