Complying with GDPR Article 17 - the 'right to be forgotten'
A new release of Egress Secure Vault – our compliance and analytics tool – adds functionality to support organizations as they comply with the ‘right to be forgotten.’
What is the right to be forgotten?
Article 17 of the EU GDPR is the 'right to erasure.' More commonly known as the 'right to be forgotten', it allows data subjects to request that organizations delete their personal data from their systems.
Organizations are obliged to delete a data subject’s personal information under certain conditions, such as the data subject withdrawing consent to processing, the data being no longer necessary for the purposes for which it was originally collected, or if it has been unlawfully collected in the first place.
Why is it hard to comply with GDPR Article 17?
Complying with the 'right to be forgotten' is challenging for a number of reasons:
1. Locating the actual data
Personal information resides across networks, archives, emails and within attachments, including when this content is encrypted. Without a way to locate the actual information quickly, it’s impossible to be compliant with Article 17.
2. Deleting data without excessive administrative overheads
Finding the information is one thing. Being able to delete it quickly, without spending too much time manually deleting content, is crucial for meeting compliance deadlines and avoiding being tied up in regulatory obligations rather than concentrating on usual business processes.
3. Proving deletion and demonstrating compliance
It’s not enough to say you’ve deleted information. Auditors and regulatory authorities, not to mention the data subject themselves, may wish to see proof of deletion in order to confirm the request has been carried out.
How can Egress help?
Many organizations use Egress Secure Vault every day to monitor sensitive data sharing, lower data breach risks, and respond to subject access requests. Now, with the release of Secure Vault 1.7, we’ve added support for the GDPR right to be forgotten.
To comply with GDPR Article 17, you need a way to actually discover the data in question, including across email archives, within attachments and inside encrypted content. Secure Vault helps you locate sensitive information: fast search across the vast amounts of email data stored in your Secure Vault lets you pinpoint every instance of a data subject's personal data.
It then lets you delete that information from your Secure Vault permanently. Of course, there are strict permissions around carrying out this process, while the whole procedure is recorded in an immutable audit log. This audit log can then be used to demonstrate compliance with Article 17. The whole process can take minutes, rather than the hours or days that it has previously taken organizations to find and erase this information.
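The three-step process described above (locate, erase, prove) in miniature, as an added illustration that is not Egress code and does not reflect how Secure Vault is implemented: it searches a constructed sample mailbox for a data subject's identifiers, removes the matches, and writes a hash-chained audit entry per record so that any later edit to the log is detectable. The entries hold only a digest of each erased record, so the audit trail itself does not retain the personal data it proves was deleted.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample mailbox records for this example (not real data).
MAILBOX = [
    {"id": "m1", "from": "jane.doe@example.com", "body": "Invoice attached, phone 0123 456 789"},
    {"id": "m2", "from": "ops@example.com", "body": "Weekly metrics report"},
    {"id": "m3", "from": "hr@example.com", "body": "Reference request for Jane Doe"},
]
GENESIS = "0" * 64  # prev_hash of the first audit entry

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def locate(mailbox, identifiers):
    """Step 1: every record mentioning any of the data subject's identifiers."""
    needles = [i.lower() for i in identifiers]
    return [m for m in mailbox if any(n in (m["from"] + " " + m["body"]).lower() for n in needles)]

def erase_and_log(mailbox, identifiers, request_id, operator, log):
    """Steps 2-3: delete each match and append a hash-chained audit entry.
    Only a digest of the record is logged, never its content."""
    matched = locate(mailbox, identifiers)
    for rec in matched:
        prev = log[-1]["entry_hash"] if log else GENESIS
        entry = {
            "request_id": request_id,
            "operator": operator,
            "record_id": rec["id"],
            "record_digest": _digest(rec),
            "action": "erased",
            "ts": datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)  # hash covers all fields above
        log.append(entry)
        mailbox.remove(rec)
    return len(matched)

def verify_log(log):
    """Recompute the chain; an edited, reordered or removed entry breaks it."""
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True
```

A real deployment would additionally anchor the chain head somewhere the operators cannot overwrite (a WORM store or an external timestamping service), since a chain that lives only beside the data it describes proves integrity but not that the whole log was not rewritten at once.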
What about other GDPR articles?
While the 99 GDPR articles cover a wide scope, Egress accelerates compliance in the following key areas:
- Article 15 “Right of access by data subject” - Workflow functionality enables searching across email stores for compiling subject access requests, including verifying subject ID. Relevant emails and attachments can be exported.
- Article 32 “Security of processing” - Advanced email encryption, data discovery and classification ensure sensitive data is processed securely. AI and machine learning use historical email patterns to protect against the accidental send. Detailed reporting clarifies email security usage, both within internal networks and when sharing externally.
- Articles 33 and 34 “Breach notification” - Organizations have 72 hours to report data breaches and have to notify data subjects without undue delay. Secure Vault provides real-time alerting as sensitive data leaves an organization through email and can assist with investigations if sensitive PII is leaked through email.
Want to find out more about how we can help with GDPR compliance? Talk to us.