Biggest GDPR Worry? Right to Be Forgotten

GDPR is still months away from going into effect, but many professionals in the data security space are warning customers to act now to avoid pain later.

Technology-wise, an individual's right to be forgotten may be one of the most vexing issues related to the EU's new General Data Protection Regulation (GDPR), which goes into effect in May 2018, notes Pete Zimmerman, VP of client services and operations at Sonian, a public cloud information archiving company. Sonian provides services to OEM partners and their end customers that allow them to preserve, analyze, and access their electronic communications for legal, regulatory and continuity purposes while gaining organizational insights.

The right of an individual to have their data removed will be a key challenge for many companies, said Zimmerman, noting that he wonders how many companies are truly going to be able to know where that data is—not only in their core systems but also legacy systems, CRM systems, and lead-gen services that may not even be in active use.

And, from a business perspective, the leading challenge may be that many newly minted data protection officers, rather than spending their time protecting data as they should, are going to be focused on responding to questions regarding readiness and reporting and other time-consuming activities. That will go away in time, but in the first several months after GDPR goes into effect, there will be a lot of soul searching, he said. This will revolve around how much they are expected to respond to in terms of information requests, and legitimate complaints may fall through the cracks since it is a relatively new role and set of responsibilities, he noted. For example, he said, if a technology provider has 10,000 resellers and service providers that each have hundreds of customers themselves, and just 50% of them start asking questions about breach policies or security controls, the data protection officer will have to decide when it is possible not to respond, or decide how much time there is to issue a response.

According to Zimmerman, organizations that buy Sonian’s services are typically buying the services through a partner, who buys them from another company such as IBM or GoDaddy, which in turn has bought them from Sonian, and sometimes there is even another company in between.

Zimmerman said he is confident that organizations that are up the technology stack are in compliance or are aware of anything they need to tweak before GDPR goes into effect because months ago he was receiving requests for information from these companies to look at Sonian’s readiness. But the challenge is that smaller partners, MSPs, and technology providers have limited staff, a lot of products, a lot of services, “and those are the people I am getting a sense are not as ready as they should be.”
