How to Comply with Right to be Forgotten Regulations

If you’ve heard of the concept called the right to be forgotten, it may be in the context of Google and the European Union. In 2012, the European Commission, which is the executive branch of the EU, determined that individual EU citizens have the right to have negative information about them online removed from search engine results. Google wasn’t/isn’t too happy about the decision, but the law is the law.

Now, you may be thinking, how does this impact my enterprise? We don’t operate a search engine, you say. True enough, but with the EU’s General Data Protection Act of 2018, the right to be forgotten (RTBF) concept was enhanced to include the right for EU citizens to have their personal data “forgotten” (either deleted or encrypted) upon request, so that the data can no longer be used for any purpose. A similar provision is included in California Consumer Privacy Act, which went into effect just two weeks ago.

So what’s the bottom line for enterprises? If your company collects personal consumer data, you must be prepared to delete or encrypt it when requested by a consumer. But before you can do so, of course, you need to locate the data. So you also must be able to quickly identify data associated with a specific consumer, even if it is scattered across multiple on-premises and cloud data warehouses, data lakes and other…