Right to Be Forgotten: GDPR vs. CCPA Compliance

Today, organizations are scrambling to meet and maintain a data protection compliance requirement, the ‘Right to Be Forgotten,’ also known as the ‘right to erasure.’ The Right to Be Forgotten is part of both the GDPR and CCPA compliance frameworks: each requires an organization to erase a data owner’s personally identifiable information upon that data owner’s request.

Under both the GDPR and the CCPA, if a data owner requests that their personal data be deleted, the business is legally obligated to erase the personally identifiable information associated with that user (subject to the exceptions each law lists) in order to maintain compliance.

GDPR Vs. CCPA

CCPA Right to be Forgotten (the statute calls it the “right to delete”):

  • An organization is required to delete personal information that it collected “from” the consumer, and to direct its service providers to delete it as well. Data obtained from other sources falls outside the scope of the CCPA right to delete.
  • Under the CCPA, a consumer can request deletion regardless of the purpose for which the data was originally collected, although the statute lists exceptions, for example data needed to complete a transaction the consumer requested, to detect security incidents, or to comply with a legal obligation.

GDPR Right to be Forgotten:

  • GDPR extends to data the organization collected from the data subject directly as well as data about the data subject that it acquired indirectly, for example from a third party.
  • Data subjects can request erasure only when one of the six grounds in Article 17(1) applies:
    • The data is no longer necessary for the purpose for which it was collected.
    • The processing was based on consent and the data subject withdraws that consent, with no other legal basis for the processing.
    • The data subject objects to processing based on the controller’s legitimate interests (or a public-interest task) and there are no overriding legitimate grounds for continuing; an objection to direct marketing always succeeds.
    • The data is being processed unlawfully.
    • Erasure is required to comply with a legal obligation.
    • The data was collected from a child in relation to the offer of an information society service.

What Happens if a Business Does Not Comply With Right to be Forgotten Requests?

CCPA Non-Compliance Fines:

  • Violations of the CCPA are subject to enforcement by the California attorney general’s office, which can seek civil penalties of up to $2,500 for each violation or up to $7,500 for each intentional violation, after notice and a 30-day opportunity to cure.

GDPR Compliance Fines:

The Less Severe Infringements:

  • Can result in a fine of up to 10 million Euros or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

The More Severe Infringements:

  • More severe violations, which include failing to honour data subject rights such as erasure, can result in a fine of up to 20 million Euros or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

Why Right to Be Forgotten is Challenging For Businesses

We’re finding that organizations are struggling to meet these data deletion requests from users. The reason comes down to how organizations store and manage personally identifiable data, and how they back up and replicate that data.

Challenges Around Storage and Management of Personally Identifiable Information

Frequently, organizations set out to store and manage client data effectively. But as the organization scales, adding infrastructure and team members to accommodate the growing demand for its product or service, data architecture falls by the wayside. We often see organizations reporting difficulty pinpointing where all of a given client’s personally identifiable information might reside. This situation is understandable when you consider how many different business silos within an organization, such as accounting, sales, distribution, customer success, etc., need access to that client’s information to fulfill their everyday business requirements, and each silo tends to keep its own copy.

Challenges Related To RtBF That Arise From Data Protection Strategies

Moreover, as organizations back up their production data, they copy it to many different locations, such as co-location sites, public cloud storage, or data warehouses, to protect it from loss. This creates an all-new challenge: every copy is one more place where a given user’s personal data lives. As we frequently see, once an organization implements a backup and protection strategy, it will once again have trouble pinpointing and gaining access to all of the associated data when a user requests that their information be deleted.

How Businesses Can Achieve Compliance with The Right to Be Forgotten

Understandably, organizations are looking for a more efficient way to achieve CCPA & GDPR compliance. Fortunately, Rixon Technology can help.

Organizations that use the Rixon Enterprise Tokenization platform to handle their sensitive data have access to patent-pending technology that allows them to maintain the GDPR and CCPA right to be forgotten requirement. With Rixon Technology’s RtBF (“Right to Be Forgotten”) and RtBR (“Right to Be Remembered”) functionality, the organization can give the data owner back control of their data.
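To make the tokenization idea concrete, here is an added Python illustration of the general approach; it is not Rixon’s code and does not describe how the Rixon platform is implemented. Application records, and every backup or warehouse copy of them, hold only random tokens, while a single vault holds the token-to-value mapping. Honouring an erasure request then means deleting the subject’s vault entries, after which the tokens sitting in the production database and in every backup resolve to nothing, so the copies themselves never have to be located or rewritten. The `TokenVault` class, the `store_customer` and `resolve` helpers, the customer records and the subject IDs are all constructed for this example.

```python
import copy
import secrets


class TokenVault:
    """Holds the only mapping from random tokens back to personal data.

    Constructed for this example; it is not a real product's API.
    """

    def __init__(self):
        self._values = {}      # token -> (subject_id, value)
        self._by_subject = {}  # subject_id -> list of tokens issued for that subject

    def tokenize(self, subject_id, value):
        # Tokens are random, not derived from the value, so they cannot be
        # reversed or brute-forced without the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._values[token] = (subject_id, value)
        self._by_subject.setdefault(subject_id, []).append(token)
        return token

    def detokenize(self, token):
        """Return the value behind a token, or None once it has been erased."""
        entry = self._values.get(token)
        return None if entry is None else entry[1]

    def forget(self, subject_id):
        """Right to be forgotten: drop every mapping for the subject.

        Nothing outside the vault is touched; the tokens that remain in
        databases and backups simply stop resolving. Returns the number
        of mappings removed.
        """
        tokens = self._by_subject.pop(subject_id, [])
        for token in tokens:
            self._values.pop(token, None)
        return len(tokens)


PII_FIELDS = ("name", "email")


def store_customer(vault, db, subject_id, name, email, plan):
    """Write a record in which every PII field is a token, never the raw value."""
    db.append({
        "id": subject_id,
        "name": vault.tokenize(subject_id, name),
        "email": vault.tokenize(subject_id, email),
        "plan": plan,  # non-personal business data stays in the clear
    })


def resolve(vault, record):
    """Detokenize a record for display; erased fields show as "[erased]"."""
    out = dict(record)
    for field_name in PII_FIELDS:
        value = vault.detokenize(record[field_name])
        out[field_name] = "[erased]" if value is None else value
    return out


def demo():
    vault = TokenVault()
    production = []
    # Constructed sample customers.
    store_customer(vault, production, "c-1001", "Ada Lovelace", "ada@example.com", "pro")
    store_customer(vault, production, "c-1002", "Alan Turing", "alan@example.com", "free")

    # A nightly backup (or warehouse copy) taken before the request arrives.
    backup = copy.deepcopy(production)

    before = resolve(vault, backup[0])
    removed = vault.forget("c-1001")   # the erasure request for subject c-1001
    after = resolve(vault, backup[0])  # same backup copy, never rewritten
    other = resolve(vault, backup[1])  # other subjects are unaffected
    return before, removed, after, other


if __name__ == "__main__":
    before, removed, after, other = demo()
    print("before:", before)
    print("vault mappings removed:", removed)
    print("after:", after)
    print("other subject:", other)
```

Two caveats apply to any design of this shape. The vault becomes the one place that must be erased reliably, so its own backups need the same treatment, otherwise a restore of the vault silently restores the mapping. And anything that captured raw values before tokenization, such as application logs, exports or e-mail, is still in scope for the request and still has to be found.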

*This post was originally written on January 25th, 2021, and was updated on September 13th, 2021.