Introduction

Today, organizations are scrambling to meet and maintain a new data protection compliance requirement: the right to be forgotten, also known as the right to erasure. The right to be forgotten is part of both the GDPR and the CCPA, and it requires an organization to carry out deletion requests made by the data owner.

Under both GDPR and CCPA, if a data owner requests that their personal data be deleted, the business is legally obligated to delete all personally identifiable information associated with that user, in every place it is held, to remain compliant.

 

GDPR vs. CCPA: How They Differ Regarding the Right to be Forgotten

CCPA Right to be Forgotten:

  • A business is only required to delete personal information that it collected “from” the consumer. Data obtained from other sources falls outside the scope of the CCPA right to be forgotten.

  • Under the CCPA a consumer can request that the data be deleted regardless of the purpose for which it was originally collected. The business may still retain data it needs for one of the listed exceptions, such as completing a transaction the consumer requested, detecting security incidents, or complying with a legal obligation.

GDPR Right to be Forgotten:

  • The GDPR extends to data the organization collected from the consumer directly as well as data about the consumer that it acquired indirectly from other sources.

  • A data subject can only request erasure under six specific circumstances (Article 17(1)):
    • The data is no longer necessary for the purpose for which it was collected.
    • The processing was based on consent, the data subject has withdrawn that consent, and there is no other legal ground for the processing.
    • The processing was based on the controller’s legitimate interest, the data subject has objected, and that interest is outweighed by the data subject’s rights.
    • The data is being processed unlawfully.
    • Erasure is already required by law.
    • The data was collected from a child as part of offering an information society service.

What Happens if a Business Is Found Not To Comply with the Right to be Forgotten?

CCPA Compliance Fines

  • Violations of the CCPA are enforced by the California attorney general’s office, which can seek civil penalties of up to $2,500 for each violation or up to $7,500 for each intentional violation, after notice and a 30-day opportunity to cure have been provided.

GDPR Compliance Fines

The less severe infringements:

  • can result in a fine of up to €10 million or 2% of the firm’s worldwide annual turnover from the preceding financial year, whichever amount is higher.

The more severe infringements:

  • can result in a fine of up to €20 million or 4% of the firm’s worldwide annual turnover from the preceding financial year, whichever amount is higher. Failing to honour a valid erasure request is an infringement of a data subject’s rights under Article 17 and therefore falls into this higher tier.

Why Right to be Forgotten is so Challenging

Today, we’re finding that organizations are struggling to meet these data deletion requests from users. The reason comes down to how organizations store and manage production data, and also how they back up and proliferate that data.

Challenges Around Storage and Management of Personally Identifiable Information

Oftentimes, organizations set out to store and manage client data effectively, but as they scale, adding infrastructure and team members to accommodate growing demand for their product or service, database architecture can fall by the wayside. We often see organizations reporting that they have a tough time pinpointing where all of a given client’s personally identifiable information might reside. This is understandable when you consider how many different silos, such as accounting, sales, distribution and customer success, need access to that client’s information to fulfil their everyday business requirements. Without an inventory of which systems hold which fields for which person, an erasure request cannot be fulfilled with confidence, and a single copy left behind in one silo is enough to make the response non-compliant.

Challenges That Stem From Data Protection Strategies:

Moreover, as organizations back up their production data, they follow the mantra of copying that data to many different locations, such as colocation facilities, public cloud or data warehouses, to protect it from loss. This creates an entirely new challenge. Oftentimes, after putting a backup and protection strategy in place, organizations will once again have trouble pinpointing and gaining access to all of the associated data when a user requests that their data be deleted. Backup media are typically immutable or offline, so personal data captured in a snapshot taken before the request can persist long after the production record has been removed.

Achieving CCPA & GDPR Compliance With Regard to Right to be Forgotten with Rixon

Understandably, organizations are looking for a more efficient way of achieving CCPA and GDPR compliance, and Rixon Technology can help.

When organizations choose to use the Rixon Enterprise Tokenization platform to tokenize their sensitive data, they also get access to some cutting-edge levers that allow them to meet GDPR’s and CCPA’s right to be forgotten requirement as well. With Rixon Technology’s RtBF and RtBR, or Right to be Forgotten and Right to be Remembered, the organization can actually give the data owner back control of their data. How does this work?