News Analysis: Will consumers reach for the data eraser?

Charlie McKelvey, contributing editor, DataIQ

Search engines may have been dealing with right to be forgotten requests for years. Soon, under proposals included in the new UK Data Protection Bill (which mirrors the General Data Protection Regulation) - a new data erasure measure will expand this right to every organisation which holds personal data, from the public sector to social media firms and from multinationals to small businesses.

With most media coverage concentrating on this issue, many are predicting that it is the most likely right that consumers will embrace. This has not gone unnoticed among businesses, with recent government research showing that data erasure is the number one concern among UK firms.

On the surface, it would appear an easy enough task: interrogate your database, identify the data you hold on a consumer and, where appropriate, press delete. However, on closer inspection, there are myriad issues to address, not least actually tracking down the data that companies hold on individuals. While most organisations know where the bulk of their data is stored, rogue caches of information almost always exist.

One solution being put forward is the creation of a single customer view, although according to a recent DataIQ round-table event led by Blueberry Wave, for the majority of companies this remains on their "to-do" list, with the high cost of building a SCV, as well as a lack of clarity about what SCV really means, holding many firms back.

It is a subject which is close to the heart of direct marketing stalwart Julian Berry, whose company Berry Thompson has developed what it claims is an "affordable" cloud-based customer data platform, Unifida. It is designed to sit alongside a business's existing website and systems, and claims to be able to join together all the data a firm holds for each individual and record consents and opt-outs when received via any channel.

"Businesses may have difficulty knowing which systems an individual may appear on."

Julian Berry, Berry ThompsonBut, for those companies which do not have a SCV, where should they begin? Berry says: "In a general sense, businesses do know which systems contain customer data. What they may have difficulty with is knowing which systems an individual may appear on and how to trace them on those systems. Also, it is often the case that one system will feed data to another and so they will need to know all the places where an individual's data may appear. This can include, for instance, websites in which people may register or otherwise identify themselves."

Sheilah Mackie, a partner at law firm Blake Morgan and a specialist in data protection regulations, highlights the fact that many companies outsource their data storage. "Firms need to ensure that anyone processing data on their behalf also deletes the data. If a company has made the data public, they will also need to take steps to make any other data controllers displaying or replicating that data aware of the request for deletion,” she says.

"This all needs to be done 'without undue delay' and at no cost to the consumer, so companies need to make sure they have good processes in place to achieve this, not least making sure consumers are aware of their rights and who might have their data,” explains Mackie.

Not that all data deletion requests will be valid, as Opt-4 director Rosemary Smith explains: "Organisations shouldn’t be concerned that this will allow individuals to wriggle out of contracts or debts. If there is a valid, lawful reason to retain the data (eg, in pursuit of a contract or a debt) the individual cannot require deletion. However, the data retained after one of these requests has been made may have to be minimised so that any non-essential data is removed."

Once that data deletion request has been made, the process of actually ensuring the information is removed can also be highly complex, however. According to a new group - the International Data Sanitisation Consortium (IDSC) - many of the current data deletion methods mean that the information can still be recovered, so they do not fulfil the needs of the right to be forgotten.

IDSC, which comprises experts from the legal, financial and IT sectors, insists there are only three methods to achieve so-called "data sanitisation": physical destruction, cryptographic erasure and data erasure. It claims that data removal methods such as a factory reset or reformatting leave citizen's data at risk of being exposed.

"85% of the data is redundant, obsolete or trivial."

IDSC founding director Richard Stiennon, who is also chief strategy officer at Blancco Technology Group, comments: "A process has to be put in place to properly and securely erase all unnecessary data that could be putting the organisation at risk. When I say unnecessary data, I’m referring to about 85% of the data that’s classified as ROT (redundant, obsolete or trivial) and dark data that could be erased.”

Says Stiennon: ”But this can be problematic without a full process as erasing a single record is hard to do, even after being able to locate all copies. As well as this, a simple delete or remove operation does not securely overwrite the data - organisations need to establish proper data erasure methods to ensure that data really is gone forever. Finally, testing and certifying that the erasure has taken place is even harder to do if a proper solution isn’t in place."

Rosemary Smith, Opt-4Another area of concern is that, with ICO guidance still not available, companies do not know what constitutes a "reasonable time" to store customer information. While Berry believes firms should wait for ICO guidance, Opt-4's Smith is not so sure: "If a charity holds information on someone who ran a marathon for them 10 years ago but hasn’t engaged since, that would be excessive retention. However, the same charity might hold information about those who had pledged legacies for decades."

She notes that the information requirements in GDPR require controllers to tell individuals (probably in the privacy statement) how long they intend to hold data or how they are going to decide on retention periods. Smith adds: "In my experience, almost all controllers hang on to data for too long which just means more to search through when an erasure request comes in."

Mackie, on the other hand, doubts if the ICO will ever give definitive time periods for data storage in future as none are set in the GDPR. She insists it will come down to assessing what data a company is actually storing.

"If a consumer has shopped with a company online or has some kind of ongoing personal account, then the company would be OK to keep that customer data until the relationship comes to an end and for potentially up to six years thereafter to ensure that the company can deal with any complaints that might arise and for tax reasons. That data should be stripped down, however, to the minimum necessary that needs to be kept for those purposes,” argues Mackie.

"Data generated from profiling someone, perhaps from beacon technology in stores, should be kept for much shorter periods if individuals are identifiable from the gathered data. Someone may have installed an associated app out of curiosity or for offers on one particular item or day - say during a Christmas present shopping trip - and the data is possibly not going to be representative of that consumer for very long or at all. Anonymised data should be used instead,” she says.

"It’s vital to create a policy that data is securely erased."

Stiennon agrees that it is essential to determine before collection how long the data will be needed for. For example, is the data needed just to complete a transaction? To track an account? Or is it crucial information needed to complete a permanent record? "Once this process is in place, it’s vital to create a policy that the data is then securely erased at the end of this pre-determined time," he says.

One of the major developments in this area has been the launch of new sophisticated data discovery and deletion tools - with some claiming to be able to delete data after a certain time period, although they do not come cheap. So, is tech the answer?

For most, technology is a very important component, but it is not the be-all and end-all. While agreeing that technology will make things easier and quicker to manage, Mackie points out that the internal culture of a company and its attitude to regulatory compliance and data management is going to be what ultimately decides how well it complies in practice.

Smith concurs: "At the end of the day, data controllers are going to have to get used to a regime where individuals have much more control over their data - which can’t be a bad thing."

And this appears to be the crux of the issue with companies having to show more respect. As the UK Information Commissioner's Office recently pointed out, despite what many people believe, GDPR is not designed to be anti-business, it is all about greater transparency, enhanced rights for citizens and increased accountability.

Those firms which view it as a burden are approaching it from the wrong angle. Through changing their data handling culture, the ICO insists organisations can derive new value from customer relationships - and there can be few businesses out there who would not want that...