GDPR: You Have to See it to Delete it

Andrew Nielsen, CISSP, CISA, ISSAP, ISSMP, CCSK

The General Data Protection Regulation (GDPR) has become a driving force, pushing organizations to begin having very difficult conversations about deleting data. In case you have been living under a rock for the last couple of years, the world changed on May 25, 2018, when GDPR went into effect. Most organizations don’t delete data as a standard practice and can’t even begin to have that conversation. This may be because they don’t know where all their data resides, or because they aren’t sure whether they can delete it for regulatory or other reasons. But with GDPR, organizations are required to delete specific data upon request, and identifying that data will be one of the biggest challenges. (Actually deleting it may be another challenge, depending on where it is.)

A quick read of Article 17, which defines the “Right to Erasure” (a.k.a. the Right to be Forgotten), shows that data subjects now have the ability to force organizations to stop processing their information and, more importantly, remove that data altogether. While this article works great on paper, deleting data in the face of modern IT architectures is a rather daunting task. When the bulk of corporate data lived solely in the data center, deleting information took place within a much smaller domain. Fast forward to today, where over 50 percent of data is created on mobile devices or lives in large cloud data lakes outside the traditional data center and application architectures. In this new paradigm, what can organizations do to comply with Article 17?

What do you need to do?

First and foremost, organizations need to get a handle on where all their data resides. Whether it is on traditional computing devices like desktops and laptops, mobile devices, or cloud applications, GDPR does not discriminate with regard to the requirement to remove data. This type of data visibility starts with a data protection solution that can perform the following:

  1. Back up data from all these disparate sources
  2. Provide search capabilities for all instances of data within these sources
  3. Selectively and defensibly delete information with a complete audit trail to prove to the data subject and any auditors that the data was actually deleted

It is often said in the security space that if you can’t see it, you can’t protect it. When it comes to GDPR, the game has changed. If you can’t see it, you can’t delete it.

To learn more about getting your organization ready for GDPR, access this analyst report: A Practical Guide for GDPR Compliance