It may not be a sea change, but organizations appear to be coming under more scrutiny for compliance violations related to the protection of personal data. The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other regulations are coming into play as more online users tire of having so little control over their own data lives. They are using apps like ItsMyData to opt out of marketing pitches driven by data sharing. Users also want to permanently delete archival data from public search as their own lives and ‘brand’ change.
These statistics from Consumer Reports tell the story:
- 65% of American consumers say they are slightly or not at all confident that personal data is private;
- 96% of Americans agree that more should be done to ensure that companies protect the privacy of consumers;
- 42% of consumers believe that companies should be the most responsible for user privacy.
Organizations are realizing their data privacy compliance practices can use some improvement to respond to this public sentiment and protect their own credibility and brand. The tide, if you will, is somewhat turning.
Major organizations like Amazon are frequent targets of regulatory compliance sanctions. The latest instance is a reported, potentially record-setting GDPR fine proposed by the Luxembourg data protection commission over Amazon’s privacy and data collection practices. The $425M fine is a relatively small hit against a $386B company like Amazon, but there are signs that more impactful fines may be coming from the EU, with discussion of fines reaching 10% of global turnover. These are particularly aimed at tech companies.
In the U.S., the California Consumer Privacy Act (CCPA) has prompted a number of states to consider their own privacy protection legislation. Some bills may never make it to signing, but the trend is a clear indication that government is responding to consumers’ (and voters’) desire to be more in charge of their own data destiny.
Consumers’ message to data privacy: ‘Delete, delete, delete’
Within data privacy regulations, consumers have certain tools to exert more control over who gets to see and use their data. The ‘Right to be Forgotten’ rule says a person has the right to silence on past events in life that are no longer occurring. In practice, it allows individuals to have information, videos, or photographs about themselves deleted from certain internet records so that they cannot be found by search engines. If a person had too many beach party pictures posted online and is now looking at a corporate promotion, getting rid of those pics would be quite helpful.
There are other permutations of this rule: the GDPR refers to it as the ‘Right to Erasure’; the CCPA generally uses the term ‘Right to Delete’ and sets the previous 12 months as the limit. While there are many overlaps between these regulations, one glaring requirement is the ability to request that an organization delete all data associated with a person. That means all collected personal information (barring exceptions) must be removed from the organization in a timely manner, and confirmation of the deletion must be provided to the person (the data subject).
Key practices to comply with consumer delete requests
To comply with privacy regulations and also honor customer requests in the required time, your data storage, indexing and discovery need to be well organized and maintained. Compliance improves with these practices:
- Efficient information location means the difference between an organized data search and compliant deletion upon request, and a time-consuming, costly search to hopefully locate all sensitive data and avoid a fine. A strong foundational structure will have storage locations that are well-classified and have a well-structured taxonomy. All personal information would reside within these repositories – creating a better defense against a privacy breach.
- Discovering all content repositories is essential to ensuring all relevant data is deleted according to a user request. With host discovery, a data privacy team can identify the different platforms within the network that may contain unstructured and structured data repositories to ensure comprehensive platform coverage. To further ensure sensitive data privacy, teams can analyze known content repositories for certain patterns or specific words that match built-in criteria based on personal identities across multiple different regulations.
- Duplicate data and Shadow IT bring more inefficiencies and out-of-compliance risk. Data may reside in multiple content collaboration platforms not governed by network access and security controls. This uncontrolled data storage is ripe for a data breach and, worse, may not even be necessary to begin with. It also means data may not be discovered to comply fully with a delete request. Identifying these ‘shadow’ platforms is imperative to compliance.
- Data indexing, whether in full or selectively, reviews all unstructured or structured data within a specific scope, indexes this content to a location (a flat file, a database, or similar cache) and searches through the index when looking for specific phrases. When done properly, it has many advantages, such as the ability to search for exact phrases within documents and potentially get results faster than if files were reviewed individually. When done improperly, it can be resource-intensive and consume as much as 40% of the storage space of the data. Also, some of the indexed content is not relevant to the use case, which is the content that needs to be purged. Calibrating your indexing approach appropriately is the key to success.
- Pattern matching and recognition searches data for specific words, phrases, or patterns. It helps with compliance standards that focus on identities, since identities tend to follow specific patterns. The targeted search consumes fewer resources than indexing and allows for bulk searching in multiple locations. One negative is that patterns, words, and phrases have to be identified ahead of time, and new scans against live content will need to be initiated.
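The pattern-matching and duplicate-data practices above can be combined into a single scan that builds a deletion inventory for one data subject. The sketch below is an added example, not code from this article or any product it mentions; the function names, the two patterns, and the sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns are fixed ahead of time, as the pattern-matching practice requires.
PATTERNS = {"email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
            "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")}

def normalize(kind, value):
    """Canonical form so '(555) 010-1234' and '555.010.1234' compare equal."""
    return value.lower() if kind == "email" else re.sub(r"\D", "", value)

def scan_repositories(roots, subject):
    """List every file under roots holding one of the subject's identifiers."""
    wanted = {(k, normalize(k, v)) for k, v in subject.items()}
    inventory = []
    for root in roots:
        for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
            data = path.read_bytes()
            text = data.decode("utf-8", errors="replace")
            hits = sorted({k for k, rx in PATTERNS.items() for m in rx.finditer(text)
                           if (k, normalize(k, m.group())) in wanted})
            if hits:
                inventory.append({"path": str(path), "matched": hits,
                                  "sha256": hashlib.sha256(data).hexdigest()})
    return inventory

def duplicate_groups(inventory):
    """Paths sharing a content hash are copies that must all be deleted."""
    groups = {}
    for rec in inventory:
        groups.setdefault(rec["sha256"], []).append(rec["path"])
    return [paths for paths in groups.values() if len(paths) > 1]

def demo():  # scans constructed sample files written to a temporary directory
    crm = "name,email,phone\nJane Doe,Jane.Doe@example.com,(555) 010-1234\n"
    files = {"crm/export.csv": crm, "shadow_share/copy.csv": crm,
             "tickets/t1.txt": "Caller at 555.010.1234 asked about an invoice.\n",
             "tickets/t2.txt": "Contact bob@example.org for details.\n"}
    subject = {"email": "jane.doe@example.com", "phone": "555-010-1234"}
    with tempfile.TemporaryDirectory() as base:
        for rel, body in files.items():
            Path(base, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(base, rel).write_text(body, encoding="utf-8")
        inventory = scan_repositories(sorted(Path(base).iterdir()), subject)
    return inventory, duplicate_groups(inventory)

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

The inventory lists the CRM export, its unmanaged copy, and the support ticket that mentions only the phone number; the duplicate group shows that the export exists in two places and both copies fall under the delete request.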
These practices are essential to staying in compliance should an end user make a delete request, but better data discovery, more precise search and fully controlled, secure data storage will also help many facets of a business operation. Controlling cloud storage costs, getting rid of legacy data and apps, and complying with all forms of audit all benefit from organized, easily discoverable data.