GDPR and the Right to be Forgotten: Lessons for India Inc in Times of Pandemic

By Milind Borate, CTO, Druva | Wednesday, 08 July 2020, 12:45 IST

The General Data Protection Regulation (GDPR) was published two years ago. At that point in time nobody had foreseen the outbreak of the COVID-19 pandemic. In the face of the challenges we tackle today, GDPR is more important than ever before. Afterall, in times of crisis, regulations remind organizations to protect our security and privacy. However, while many of them were already struggling with GDPR compliance, the new working environment has created significant new challenges. But GDPR is an important tool for companies to rebuild a feeling of trust and safety in a new world that is living and will eventually overcome a global public health pandemic. Current conditions, notwithstanding, organizations can protect the privacy of their customers and employees with proper planning and investment.  

Two years since its genesis, several companies continue to depend on manual effort to respond to GDPR requests. The Right of Access and the Right to be Forgotten requires them to find and delete information about an employee or customer. However, in a world of SaaS applications, edge computing, and data pipelines, there is no single data repository to search for an individual’s data. There is also no centralized tool to search across the data sprawl and instead, legal teams must maintain a list of all data locations and owners for future requests. In this situation, unsurprisingly, each request costs $1,400 and takes anywhere between 14 and 90 days to process, as reported by Gartner. Moreover, some companies process only a handful of retrievals; others are inundated with hundreds of thousands of requests related to the GDPR.

With a sudden shift in several employees working from home, the risk of privacy threat has increased manyfold. Much of the official communication which otherwise took in person, is now moved to tools like Slack and Microsoft Teams and, without understanding the implications, are transmitting and storing private information on local laptops. While individuals may be focused on getting their jobs done, the unfortunate side effect is an environment that potentially violates privacy regulations multiple times over. It also makes it incredibly difficult to fulfill a GDPR data request, since the list of possible data locations and owners becomes nearly infinite.

What are immediate steps?

With governments and businesses slowly reopening post the lifting of the lockdown, the challenge of data privacy has become more challenging and has created a deluge of new personal data. The new call to action is on undertaking extensive testing and tracing within organizations, many of them will hold on to personal data about employees, outside workers, and visiting customers. While this data may be limited to health and interaction telemetry, it may also extend to video analysis.

Moreover, data management, whether done by organizations on their own, or through a central management service, the volume of private data will exceed anything that most teams have ever managed. How will they manage this information? Access to such information must be defined and limited - it will need to be retained for a period of time, but then forgotten.

Over the next year, privacy and health will be inextricably intertwined. Any discussion about test-and-trace will be accompanied by concerns about privacy and in turn expand questions about existing privacy requirements. Individuals will want to understand how much of their personal information is being collected, stored, and analyzed, and this additional scrutiny will lead some to become more vocal about privacy. Furthermore, it should be expected more people will make requests to see their data so they can understand the issue.

A framework for success

No matter who handles the data, the increase in storing of personal data, and legal teams fielding more requests, the challenge is in storing, retrieving, and eliminating personal data quickly, efficiently, and comprehensively. This could increase existing GDPR challenges by 10x. Fortunately, it also gives us a framework for dealing with the changes. Just as the pandemic has accelerated organizations’ digital transformations and adoption of cloud, it will be a catalyst for streamlining GDPR management. There are few steps to achieve success.

The first step is to consolidate data management. Since production applications have become increasingly distributed, which will only continue as IoT and edge computing spread, centralizing the data into one location is impossible.

Even backup copies cannot come into one data center because of regional data residency regulations. Organizations can still create a common pattern across regions, consolidating data in those locations by using cloud, since it is widespread and can connect with their various data sources.

The second step is to extract and enrich the metadata, information about the data. To manage rich data sources like video, which are exploding, organizations need to convert PBs of raw data into a manageable set of information. Metadata helps to manage access control, search, and retrieval in a scalable manner, while storing the data as inexpensively as possible.

Automating Right of Access and Right to be Forgotten request handling is the third and final step. This process can scale and eliminate mistakes that can occur in manual efforts. Enriched metadata can help identify where the data is, and organizations can either pull the data directly from their own data sources or contact their SaaS vendors to retrieve it.

The COVID-19 crisis has changed our lives forever as remote working and coming together with test-and-trace becoming the new norms. While one’s own health and that of their loved ones, will always be a priority, it is important to ensure privacy is protected today and in the future. As organizations focus on the next stage of reopening their business, they should avoid being complacent about data privacy. Let the second anniversary of GDPR be the perfect reminder that this is an opportune time to build trust with their employees and customers. This trust is priceless!

Don't Miss ( 1-5 of 25 )