How To Address A Subject Erasure Request

 

Erasure Requests are one of the highest-profile forms of modern data privacy protection. The idea that an individual user can compel a company to delete all traces of their data is powerful, but servicing these requests properly requires a well-honed process and a deeper understanding of what is meant by erasure. Let’s take a step-by-step look at how to process these requests.

Having the right systems to address an Erasure Request fully while maintaining essential business data linkages is a crucial privacy challenge.

What Are Data Subject Rights?

Data subject rights (DSR) are a series of entitlements that an individual or user can legally exercise with respect to that processed data. They gain these rights when their Personally Identifiable Information (PII) is being processed by an organization. Due to a boom in data privacy laws in recent years, honoring subject rights has become a vital operational consideration for any business that processes personal data.

Regulations like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and most recently, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), oblige businesses that process PII to implement systems to honor data rights. Failure to address this obligation can result in substantial punitive fines.

List of the data subject rights imposed by GDPR, CCPA, and LGPD.

GDPR	CCPA	LGPD
• The right to be informed;  • The right of access; • The right to rectification; • The right to erasure; • The right to restrict processing; • The right to data portability; • The right to object to processing; • The rights in relation to automated decision making and profiling	• The right to notice;  • The right to know; • The right to delete; • The right to data portability; • The right to opt-out; • The right to opt-in (for minors); • The right not to be subject to discrimination for the exercise of rights	• The right to confirmation of the existence of the processing;  • The right to access the data; • The right to correct incomplete, inaccurate, or out-of-date data; • The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD; • The right to the portability of data to another service or product provider, by means of an express request; • The right to delete personal data processed with the consent of the data subject; • The right to information about public and private entities with which the controller has shared data; • The right to information about the possibility of denying consent and the consequences of such denial; • The right to revoke consent

Before considering how your company can address individual data subject rights, you should make sure that you have a clear understanding of your organization’s existing data infrastructure. You can find out more about mapping the state and flow of this data in our guide to building a company data map.

What is an Data Erasure Request?

Undoubtedly, one of the most important and complex data subject rights is the right to be forgotten. It is also known as the right to erasure (GDPR) , the right to delete (CCPA) or the right to delete personal data processed with the consent of the data subject (LGPD). The right to be forgotten is a legal entitlement, held by an individual, that requires a company to completely erase all of that individual’s personally identifiable information across all business systems. The data subject can exercise this right in practice by making an ‘erasure request’ to the organization that is processing their personal data.

If your organization receives an erasure request, it will have a certain time frame by which it has to respond. This time frame varies between regions. If your company processes data about an individual from a given jurisdiction, then your response time will be dictated by the regulations in place in that same jurisdiction. For example, if you process the personal data of an individual in Brazil then the time that your organization will have in order to comply with their request will be 15 days. For businesses with global operations, we recommend maintaining the same compliance time across all jurisdictions from which you collect data, as this will make privacy management more streamlined in the long run.

List of compliance times and fines for violating the right to be forgotten according to each regulation.

	GDPR	CCPA	LGPD
Data Subject Right	The right to erasure	The right to delete	The right to delete personal data processed with the consent of the data subject
Time given to comply with Data Subject Access Request	30 Days	45 Days	15 Days
Maximum fine if right is violated violated	State bodies can be fined up to €1 million for failure to meet their obligations.  Multinationals can be fined up to €20 million, or four per cent of their previous year’s turnover.	Unintentional violators can be fined up to $2,500 per individual affected, per violation.  Intentional violators can be fined up to $7,500 per individual affected, per violation.	2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million Brazilian reals.

Now, it’s time to add an important caveat. When erasing an individual’s data, you do not need to literally erase all the data from all the systems in your business. Rather, you must delete any PII that can link data you have back to an individual identity. As such, you may retain certain fields of behavioral, financial or order data if it is deemed necessary for your business to continue operations (i.e. a legitimate business interest), provided it does not reveal the individual’s personal identity.

This subtle distinction has big implications for how a privacy-compliant business operates. Below, we break down some key considerations that should be made to implement erasure request systems that are compliant with existing data privacy regulations.

Implementing Erasure Request Systems

Receiving a request

An individual may make an erasure request either verbally or in writing. It can be made to any part of your organization and does not have to be made to a specific person or contact point. Accordingly, you should have an internal policy in place that details how to recognize an erasure request, how to record such requests in an auditable log, and how to have such requests appropriately actioned by your organization. A record of erasure requests should be store in an uneditable format once initially recorded.

You should give particular priority to any request for erasure of a child’s personally identifiable information. Data privacy law provides for enhanced protection if the processing of data is based upon consent given by a child. 

Full disclosure and identity verification

If your company receives an erasure request, you must be transparent with the requestor by detailing what will happen to their data when the request is fulfilled. You should always verify the identity of the individual first in order to confirm that they are who they claim to be. Once identity verification is completed, you’ll then need to erase all personal data belonging to that user from your organization’s databases and any systems that contain copies of the data. This includes live systems as well as backups.

Erasing personally identifiable information

Erasure may be possible instantaneously for live systems but may have to remain in a backup system for a certain period of time until it is overwritten. If this is the case then it is necessary to put the backup data ‘beyond use’.
Putting data ‘beyond use’ means that:

• it is not available for use by any individual within your organization in any way,
• it is not accessible by any other organization,
• it is protected by appropriate technical and organizational security &
• it will be permanently overwritten as soon as that becomes possible.

The erasure of data must not be reversible in order for this process to be compliant with data privacy law.

Technical considerations

It’s crucial for any organization to respect a data subject’s rights, but to do that, practical considerations and existing business systems must be taken into account. For many businesses, hard-deleting an individual’s data from a single database can cause a ripple effect across dependent systems, and generate referential integrity issues in your databases that render other, non-personal data unusable.

For example, an online store may use an individual’s email address – a piece of PII – as the foreign key to link to a database with their order info database. In case of an erasure request, they’d need to make the PII, i.e. the email address, unusable without impacting the linked information, i.e. the order records, which may be essential for business inventory and tax records. If an order is linked to an individual’s personal data using a foreign key as the reference point, you may run the risk of making the order data unusable if you simply delete the individual’s PII.

In order to uphold referential integrity while remaining privacy compliant, consider implementing one-way data masking as part of your erasure strategy. This refers to the process of hiding or obfuscating original data with modified content of that same data in a manner that makes it impossible to retrieve. In practice, this means using encryption on or masking the data so that on its own, i.e. without an encryption key or similar tool, it cannot be used to identify the individual to whom it belongs. This removes all personal identifiers and reduces the risk of indirect identifiers being used to connect any stored data to a particular user. This is adequate under the terms of both the GDPR, CCPA and LGPD, provided that the masking is irreversible.

Staying forgotten

As a final part of the erasure process, your company should also make sure that it doesn’t re-collect a data subject’s PII if they have submitted a request in the past. This means putting a data suppression system in place to prevent the processing of an individual’s data where that data is automatically collected or received from third-party data providers. Ensuring that a subject is “suppressed” from business systems means that their data is no longer used in business processes and that they will not be re-included at a later date. In short, it means that the person exercising their right to be forgotten stays forgotten.

If you want to retain the value of your company’s collected data while honoring erasure requests in a seamless and secure way, you can check out Ethyca’s proprietary referential integrity erasure software for the perfect solution.

To find out more about implementing effective systems for data erasure requests or other Data Subject Rights, feel free to reach out to a member of our team at any time.