GDPR Right to Be Forgotten: How Does it Work?
 

The European Union General Data Protection Regulation (GDPR) is now in effect and is fundamentally changing the way organizations approach their handling of customer data. One of the biggest shifts for organizations has to do with the Right to Be Forgotten, where an EU resident can request that any data held by them can be erased forever.

Mimecast Chief Trust Officer and Data Protection Officer Marc French sat down with TechTarget’s Mike Perkowski recently to discuss all things GDPR. What follows is a transcript of their discussion on the GDPR’s Right to Be Forgotten requirement and how it impacts organizations.

What is GDPR Right to Be Forgotten? How Does it Impact Organizations?

Mike Perkowski: Those of us who spend any time on websites—which is pretty much everyone—are aware of things like cookies and bots and software agents that follow us around, that track our movements and behavior. Yet, a key element of GDPR is the whole notion of the Right to Be Forgotten. What does that mean?

Marc French: So, one of the fundamental rights that you have under GDPR is your ability to be forgotten in the environments that you operate in. This is fairly challenging for most organizations, because if you think about the pervasiveness of your data that is ingrained in your operation, and everything that can be used to identify [users], it’s very hard to erase [someone’s] internet footprint.

It’s easy to say, “erase my name from your database.” It’s much harder when my cell phone has a Mac address that I have surfed to your website—that I’m now tracking—that can be tied back to me through all your logs, all your firewall logs, all your security logs and erase that when the request came through.

It’s an interesting debate that’s happening in the community right now about how deep do you have to go with respect to erasure. I think that your digital footprint is so pervasive, how do I get down to the very low level of detail to get you out of my system?

I’ll be honest, there has been not a lot of guidance from supervisory authorities and the EU Workers Councils for us to understand at what level we should go to fully erase you and erase your digital footprint.

Mike Perkowski: So, the suggestion there is to err on the side of caution.

Marc French: Err on the side of caution. It will be harder, but right now, absent further guidance or case law to support it, do the best you can to get rid of everything about an individual when they request to be forgotten.