/ GDPR

What you need to know about GDPR

Since the rise of data driven companies in the beginning of the millenia increasingly large corporations have harvested money on yours and mine data.

From May 25th 2018 all companies operating or having business in the EU region are eligable to follow the upcoming GDPR standards. GDPR is intended to give back the ownership of data to the consumer from large corporations like Google or Facebook.

This means companies must destroy your personally identifiable data upon request and in addition must be able to give you all data they have collected about your profile.
Google and Facebook do this already with a feature where all data related to you can be downloaded by generating an URL.

Data Breach

Additionally it means the company must monitor and detect any data breach and in case it happens inform the authorities within 72 hours.

In the event of a personal data breach, data controllers must notify the supervisory authority [...] Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay. [1]

Backup

However backups are excluded from the regulations. This is due to the fact that it can be costly to restore and modify backups and even impossible if they are stored on tapes. However you are required to re-destroy all entries or make them non-personal identifiable after a restore. [2]

A possible solution to this problem could be storing a unique ID for every information that could be relevant for a GDPR removal request. Whenever a request is performed you should keep track and use that log when a backup is restored to re-process all requests before the backup is taken into use.

Exceptions

There are a few exceptions to when you can demand removal. One is if your information is necessary for the business to operate. For instance you can't have your personal information removed from your banking, that would make it far too easy to get rid of debt.


  1. https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/ ↩︎

  2. https://www.version2.dk/artikel/du-har-ret-til-blive-glemt-men-ikke-fra-backupen-592420 ↩︎