RTBF: Data In The Wrong Hand
September 26, 2018
GDPR
The GDPR gives individuals a broad range of requests and actions, including data-in-the-wrong-hands complaints, that they can enforce against organisations if they so wish. Disgruntled ex-employees, or jealous competitors acting maliciously, will want to cause maximum disruption, which makes it even harder for organisations to hide behind ignorance, or a GDPR invisibility cloak, to escape the repercussions of non-compliance.
The very fact that an organisation may come under the spotlight of the data protection authorities should be the kick up the proverbial needed to ensure at least an effort to become compliant.
RTBF – predicted to be most widely used
The right to erasure, or "the right to be forgotten", is predicted to be one of the most widely used rights under the GDPR.
As a busy and stretched organisation, how do you think you would handle such requests? Have you thought about how such requests would influence the day-to-day running of the office?
For example, a malicious attempt to inundate a company with numerous RTBF and data-in-the-wrong-hands demands can drain that company's resources, chewing up valuable finances and time and bringing it to its knees, in the knowledge that failure to comply correctly may result in crippling financial penalties.
We like to imagine that this kind of corporate evil does not exist in the world, but in reality who knows what depths a narcissistic ex-employee or disgruntled customer may stoop to in order to cause chaos.
Of course, there are other, perfectly reasonable grounds for submitting an RTBF request that have nothing to do with malicious attacks. For example, a candidate for recruitment may have found the perfect job and ask for the removal of all their data from the various recruitment agencies with whom they registered.
People who are private by nature may simply wish to keep their digital footprint to the bare minimum.
Planning and Preparation
Being prepared and having a plan in place will go some way to helping you should the situation ever arise. Being proactive will undoubtedly assist the team, as they will know exactly what to expect and how to deal with any data erasure request.
A suitable backup plan for all eventualities will give you the power to delete those ex-employees with a flourish, with no comeback, and with some amount of pleasure!
Let us look at the types of data often stored that may be the subject of an RTBF request:
- There is the request to opt out of, or generally unsubscribe from, an email marketing campaign. This type of RTBF request should be built into your systems, making the process very simple to carry out.
- The other, more complicated type of request requires the time-consuming discovery and erasure of all relevant data that exists on the database.
Customers with a grudge, ex-employees and hacktivists are likely to utilise this second type of request as a cyber-attack. These are difficult to manage; a primary example was the National Lottery DDoS attack last year, which resulted in downtime at a crucial moment.
Google is currently working its way through 2.4 million valid requests! An organisation inundated with such requests arriving rapidly over 48 hours would inevitably find them impossible to manage.
Education and training
Begin your strategy by looking at your team. The workforce has to know what to expect in a worst-case scenario, and exactly how to deal with any type of RTBF request.
Across the board, education and training on the correct processes will ensure stability and preparedness for your company.
The policy for handling an RTBF request must give clear and correct instructions, from how promptly action is to be taken (48 hours is the norm) to precisely how the team is to discover the relevant data, where to find it, and how to locate any duplicate copies.
To assist with this critical exercise, regularly run data discovery exercises so that you always know where relevant data is stored. If possible, keep the data on one platform for ease of access, and ensure that deletion also takes place across all backed-up copies.
Run through the process several times as a training and practice exercise to highlight any weaknesses in your systems. Know precisely with whom data is shared, and ensure they are made aware of the RTBF request. Erasure then becomes the responsibility of those third parties, but you must inform them of the request.
Going forward, share the absolute bare minimum of data to prevent it straying into the wrong hands. Investigate software solutions to assist with tracking and managing data specifically for this purpose; they will save a great deal of labour-intensive effort trying to track down data that is in the wrong hands.
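The handling process described above (discover every copy of the subject's data, including duplicates and backups, erase it, record which third parties must be told, and check the response deadline) as a small worked example; this is added illustration code, not from the original post, and the data stores, identifiers and processor names in it are constructed.

```python
import copy
from datetime import datetime, timedelta

def norm_email(value):
    # Duplicates often differ only in case or whitespace, so match on a canonical form.
    return value.strip().lower()

def norm_phone(value):
    # Keep digits only so "+44 7700 900123" and "+447700900123" are the same person.
    return "".join(ch for ch in value if ch.isdigit())

# Constructed data stores (name -> records), including a backup snapshot and a record
# that carries only a phone number, which an email-only search would miss.
STORES = {
    "crm": [{"id": 1, "email": "Jane.Doe@example.com", "phone": "+44 7700 900123"},
            {"id": 2, "email": "bob@example.com", "phone": "+44 7700 900456"}],
    "marketing": [{"id": 10, "email": " jane.doe@example.com "}],
    "hr_backup_2018_09": [{"id": 77, "phone": "+447700900123", "name": "J Doe"}],
}
# Constructed map of third-party processors that received data from each store.
PROCESSORS = {"crm": ["PayrollCo"], "marketing": ["MailVendor"], "hr_backup_2018_09": []}

def matches(record, emails, phones):
    email = norm_email(record.get("email", ""))
    phone = norm_phone(record.get("phone", ""))
    return bool(email and email in emails) or bool(phone and phone in phones)

def process_rtbf(stores, processors, emails, phones, received, now, sla=timedelta(hours=48)):
    """Erase every copy of the subject's data in place and return an audit record."""
    emails = {norm_email(e) for e in emails}
    phones = {norm_phone(p) for p in phones}
    erased, notify = {}, set()
    for store, records in stores.items():
        hits = [r["id"] for r in records if matches(r, emails, phones)]
        if hits:
            erased[store] = hits
            records[:] = [r for r in records if r["id"] not in hits]  # backups included
            notify.update(processors.get(store, []))  # they must be told of the request
    return {
        "erased": erased,
        "copies_found": sum(len(v) for v in erased.values()),
        "remaining": {s: len(r) for s, r in stores.items()},
        "notify_processors": sorted(notify),
        "within_sla": now - received <= sla,
    }

def demo(hours_elapsed=20):
    # Run against a copy so the sample stores can be reused; 48 h is the norm stated above.
    received = datetime(2018, 9, 26, 9, 0)
    return process_rtbf(copy.deepcopy(STORES), PROCESSORS, ["JANE.DOE@example.com"],
                        ["+44 7700 900123"], received, received + timedelta(hours=hours_elapsed))
```

The audit record is what you would retain to show the regulator which copies were found, that unrelated records were left intact, and whether the deadline was met.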
Having these policies and procedures in place alongside innovative technology will give you the power to defend yourself in the unfortunate event of unwarranted or malicious RTBF requests.
Handling legitimate requests is straightforward, as is thwarting malicious attempts to disable your organisation.