The GDPR has a broad scope of data in the wrong hand requests and actions available to individuals to enforce onto organizations if they so wish. For instance, disgruntled ex-employees or malicious acts by jealous competitors want to cause maximum disruption making it even more onerous for organizations to hide behind ignorance or a GDPR invisibility cloak from any repercussions for noncompliance.
The very fact that there is the possibility of coming under the spotlight of data protection authorities should be the kick up the proverbial to ensure at least an effort to become compliant.
RTBF – predicted to be the most widely used
The right to erasure or “the right to be forgotten” stands to be one of the most predicted rights utilized under the GDPR.
As a busy and stretched organization, how do you think you would handle such requests? Have you thought about how such requests would influence the day-to-day running of the office?
Malicious RTBF
For example, a malicious attempt to inundate a company with numerous RTBF and data in the wrong hand demands can drain the resources of that company, chewing up valuable finances and time, bringing it to its knees, knowing that failure to comply correctly may result in crippling financial penalties.
We like to imagine that this kind of corporate evil in the world does not exist, but in reality, who knows what level a narcissistic ex-employee or disgruntled customer may stoop to cause chaos.
Genuine RTBF
Of course, there are other, reasonable reasons to submit an RTBF request in accordance with data breach reporting policy against malicious attacks. For example, a candidate for recruitment may have found the perfect job and ask for the removal of all data from the various recruitment agencies with whom they registered.
People who are private by nature may wish to ensure their digital footprint at the bare minimum as possible.
Planning and Preparation
Being prepared and having a plan in place will go some way to help you should the situation ever arise, being proactive will undoubtedly assist the team if they know exactly what to expect and how to deal with any data erasure requests.
A suitable backup plan for all eventualities will give you the power to delete those ex-employees with a flourish, with no comeback, and with some amount of pleasure!
Let us look at the types of data often stored, and that may be subject of an RTBF request:
- There is the request to opt-out or generally unsubscribe in the subject of an email marketing campaign. This type of RTBF request should be inbuilt into your systems and make the process very simple to carry out.
- Another type of request and the more complicated is the time-consuming method of discovery and erasure of relevant data that exists on the database.
Customers with a grudge, ex-employees and hacktivists likely utilize this request as a cyber-attack. These are difficult to manage. A primary example was the National Lottery DDOS attack last year resulting in downtime at a crucial moment.
Google is currently working its way through 2.4 million valid requests! An organization inundated with such requests coming in rapidly throughout 48 hours inevitably finds it impossible to manage.
Education and training
Begin your strategy by looking at your team. The workforce must know what to expect in a worst-case scenario, and how to deal with RTBF requests.
Across the board, education and training on the correct processes will guarantee stability and preparedness for your company.
The policy for handling an RTBF request must have clear instructions, from how promptly the action to be taken. The team must know to discover the relevant data, how to find it and locate any duplicate data.
Regularly run data discovery exercises to ensure full awareness of where the storage of relevant data is. If possible keep the data on one platform for ease of access. And, that deletion takes place across all back up stored data.
Run through the process several times as a training and practice exercise to highlight any weaknesses in your systems. Know precisely with about the data sharing and with whom, and ensure they are aware of the RTBF request. It will then be the responsibility of these third parties, but you must inform them of the RTBF request.
Going forward, ensure absolute bare minimum sharing of data to prevent data straying into the wrong hands. Investigate software solutions to assist with the tracking and management of data specifically for this purpose. And, it will save a great deal on labour-intensive exercises trying to track down data.
Having these policies and procedures in place alongside innovative technology is a must. It will give you the power to defend yourself in the unfortunate event of unwarranted or malicious RTBF requests.
Handling legitimate requests is straightforward as is thwarting malicious attempts to try to disable your organization.
