When the General Data Protection Regulations (GDPR) became law, the focus was on taking necessary measures to meet compliance requirements. Now that GDPR has been in effect for a while, it’s time to talk about handling compliance requests and issues that may arise by processing those requests.
How to process a “Right to be Forgotten” request
Due to the growing number of data breaches, people feel better having their data deleted when they’re done doing business with a company. Not all businesses take steps to secure customer data; it’s a wise move for consumers to make this request.
Under GDPR, everyone has the right to request a business (or website owner) to erase all of their personal data. For many small businesses, complying with this request is easy. For instance, a business that collects contact information through an email list program can delete all data by deleting the contact from the database.
Some requests need more processing
Other forms of data collection require more effort if data is collected and stored in multiple locations or devices. For example, processing a “Right to be Forgotten” request on a membership website involves several additional steps since personal data is usually stored in multiple places. For instance, members have profiles, share private messages, and make purchases. Deleting this data may require tedious, manual work.
To comply with an RTBF request, a membership site should anonymize the entire account. Deleting an account isn’t a solution when the business needs to retain financial records for accounting purposes. Financial data can be retained without personal information through account anonymization. However, the absence of a name or other verifiable information can make returns, exchanges, and customer support problematic.
Get ready to change your policies and procedures
Imagine a customer asks to have their personal data deleted from your database. Now imagine that customer calling your support team for help and your team must verify their identity with some kind of personal information. This is a situation that some businesses are starting to experience.
The only reasonable solution is to restructure policies and procedures to account for customers who still need access to support services. For example, when you delete a customer’s data, you could replace their name with a name and number that will follow an ascending sequence. For example, “Anonymous72634.” Then, you could email this data to the customer to let them know their purchase number is now connected to their new account name. Next, you’d create a new policy for handling customer service calls that come from people assigned an anonymous ID.
Two points of caution about processing RTBF requests
Requests can be rejected. However, if you’re going to reject a request, make sure at least one exception applies.
Whenever possible, verify the request is coming from an authorized source. To prevent a potentially fraudulent situation, verify that the request is coming from the person whose data is to be deleted. If you have their address on file, mail them a postcard with a special code they need to verify. If you have their phone number, call to speak with them. Or, ask them to submit their request from the email address on file with your company.
What about data backups?
As with any new regulation, there are issues arising with no immediate solution. For instance, most businesses routinely back up their hard drives, web servers, and databases. That means deleted personal data still exists.
It would be time-consuming and tedious to delete data from backup sources. Still, no matter how inconvenient and cumbersome it may be, it might be required.
France’s GDPR supervisory authority says deleting backups isn’t required so long as the backup is restored only in a technical environment and isn’t processed again. However, business owners often have automatic backup and restore mechanisms in place.
To make it easy in the future, experts suggest changing the way backups are created and stored. For instance, to make it easy to find a customer’s data, each person should get their own archive. This approach is impractical for everyone, but it could work for businesses that don’t store much data.
There’s still no practical solution for backups. The entire purpose of backing up a database is to restore that database when/if a website crashes. For now, businesses might need to sift through backups to process an RTBF request.
Be ready to face more issues
Backups and customer support issues won’t be the only problems that arise from GDPR compliance. Be ready to tackle more issues as they arise; they’re unavoidable, but eventually there will be solutions.