Are you ready for the right to be forgotten?

I recently opened a marketing email from a UK retailer, addressed to me by name, it extolled the virtues of a new range of lip-gloss products, encouraging me to ‘Get the look: pout and go’. I have had a loyalty card with this retailer for many years, and use it regularly. Yet despite this they evidently still cannot correctly identify my gender. This made we wonder what other data quality problems this company has.

If large, sophisticated companies, which hold my personal information, cannot validate such basic customer attributes, how will they deal with more complicated regulations such as the recent ruling by the European Court of Justice (ECJ) on the ‘right to be forgotten’?

The ‘right to be forgotten’ was established across Europe following an ECJ ruling earlier this year, stipulating that individuals can request search engines to stop returning results which contain information that is out-dated, irrelevant, or excessive when searches are performed on their names. Furthermore, when companies initially collect data, they are required by law to inform individuals that they are doing so and how the information is to be used.

The impact of cloud data storage

Every day in Europe, businesses, governments and individuals transfer vast amounts of personal data across political borders. Customers are becoming increasingly interested in where their data is going and how it is being used. Rulings such as the ‘right to be forgotten’ are a reflection of this trend. The ECJ is affirming in no uncertain terms that the data your company holds is ultimately your responsibility; and if customers consider it to be inaccurate, or used inappropriately, they have the right to demand every entry be erased.

> See also: How will the EU’s right to be forgotten work in practise?

Service providers need to better understand the scope of the regulations and, even more importantly, implement operational steps in order to avoid large penalties. If you think that the EU’s current regulations are amongst the toughest in the world now, wait until the new regulations bite.

Let’s look at cloud service providers as an example. Cloud is indisputably a radical game changer as it can provide more efficient data storage for companies seeking to store large amounts of historical data, which in industries like telecoms and utilities is often required to be maintained by law. Operationally, the ‘right to be forgotten’ requires companies to have an improved understanding of what type of data is held and where. This was a hard task for companies when they maintained their own servers but ensuring that your cloud partner is adhering to these requirements is potentially even more challenging. It requires a formal commitment to data governance where a company sets data policies and assigns responsibility for ensuring high levels of data quality and associated processes.

Moving to a governed environment

Regulatory bodies have set the framework – but are companies prepared for compliance? A recent report from Skyhigh Networks suggests that only 1 per cent of data service providers are prepared to comply. If companies cannot effectively ‘forget’ a customer within 72 hours, they will face significant penalties – namely fines up to €100 million or 5 per cent of their turnover. The onus is now on companies to conduct a risk and compliance assessment, which asks the fundamental question: are we compliant? And, if not, what can we do to get there?

The key to being prepared for the ‘right to be forgotten’ is a robust and documented approach to data governance that assigns roles, accountability and processes for how data is to be handled in the event of a request to be forgotten. This also needs to be able to cater for other data requirements, such as validating the gender of your customers before marketing to them. Data governance would enable businesses to answer key questions such as:

  • Where do we hold personally identifiable information?
  • Who within the company ‘owns’ this data?
  • Who is accountable for its quality?
  • What processes do we have in place to validate it?
  • How can we ensure our cloud providers understand and adhere to our data governance requirements?

Data quality implications of ‘right to be forgotten’

In most large organisations, data lineage is generally lacking as a concept. Data passes from one system to another, often incorporating tens or sometimes hundreds of systems, in increasingly complex interconnections to support business processes. All too often little consideration is paid to the path sensitive customer data takes and its lineage is rarely documented, leading to uncontrolled multiple copies of customer records.

> See also: All at sea – what the reevaluation of Safe Harbour could mean for your cloud

In addition, we continue to see the proliferation of data silos, particularly when customer records are spread across systems. If, for example, a customer has multiple relationships with a bank such as a mortgage and a current account the need to ensure sophisticated and automated matching processes that can connect the holistic view of a customer is essential if firms are to be able to cost-effectively and rapidly respond to the ‘right to be forgotten’. Trying to achieve this upon a customer request to be forgotten isn’t realistic in 72 hours.

The starting point for any data governance initiative is a thorough data profiling exercise that allows a company to drill down into its data to understand its quality, structure, integrity and the interrelationships that exist. This step provides a starting point for the development of data quality business rules that can correct and improve data in an automated way to adhere to governance policies. Once rules are in place a process can be established for monitoring key performance indicators over time so business rules can be adjusted to keep data quality high.

The final word

In order to achieve compliance with the ‘right to be forgotten’, companies must address this regulation and compliance up front, integrating it into business-as-usual data operations. Secondly, they must clearly understand the types of data being stored in the cloud. Personally identifiable data demands more stringent focus and monitoring than most other types. Thirdly, multinational companies must ensure they develop expertise across geographical borders to comply with varying national regulations. Lastly – if not already doing so – Data Governance professionals need to actively engage with their company’s cloud strategies to ensure providers are playing by their rules. I’d start now.

Sourced from Nigel Turner, Information management strategy, Trillium software

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Privacy
Data Protection