Why ‘right to erasure’ is stopping companies from complying with GDPR

Time may be relative, but most people will agree that whether you’re launching a business or planning a wedding, two years is a lot of notice, and enough time to adequately prepare for most things. Or so it would seem.

But when the General Data Protection Regulation (GDPR) was first announced in April 2016, the European Union gave companies two years to put together a plan. Fast forward to May 2018, when the regulation officially came into force, and the majority of companies were, and still are, failing to comply.

What happened? Why is it that a survey from the first three months following GDPR’s formal enactment shows that 70 percent of companies aren’t compliant? Is it that the regulations are that hard to follow, or is it something else?

To be sure, some companies aren’t yet compliant simply because they ignored the deadline, believe GDPR doesn’t apply to them, or haven’t gotten around to putting their plan into action. But for some the deterrent to GDPR compliance is fear.

Along with new demands on companies with regard to data governance, GDPR introduced a new concept: the right to erasure. This right to be forgotten allows customers to demand that their personal data be erased at any time, and it gives companies 30 days from a customer’s request to comply.

But what happens to the system at large when data is erased? How does a company function when one of its largest assets—the data it holds—disappears? Not knowing the answer is terrifying for some. So much so that some companies are capable of complying but are choosing not to, believing that the fines non-compliance may bring are preferable to the risk of damaging their data.

Understanding the data

Look at any database, and you’ll see two parts: the data itself and the field names, or metadata. If you take an individual database, things are fairly straightforward—each field has a name, and each field holds data.

But what happens in an organization where several databases exist, built by different people and used by different departments? How does a company understand what data they have when one department uses dropdown options to show their customers’ professions, and another one uses a free-text field? Just mapping their data and getting a full picture of what they have and how it all interconnects is a Herculean task for most organizations—one that many don’t have under control.

On top of that, there’s the additional problem of masked fields, which obscure the field name in order to protect sensitive data that even some employees may not have clearance to see. When it comes to the big picture of data organization, masked fields create an even bigger mess: identifying what’s in each field, and how it matches fields in other databases, becomes nearly impossible.

But when GDPR comes into play, with requests to delete data, having that data unorganized could lead to disaster. Without understanding how the data is mapped—or, in the case of masked fields, which fields are actually being looked at—a company cannot be sure what it is deleting.

Deleting a field without knowing the web to which it’s connected could lead to incorrect reports, incorrect data, and a domino effect throughout a company’s entire system. In other words, GDPR simply adds another obstacle to a system that’s not fully understood by most organizations.

While most companies likely have the ability to locate the requested data and press a button to delete it, without knowing the effects that decision will have, they may simply be choosing not to follow through.
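The “web” a record is connected to can be mapped from the schema itself before anything is deleted. The following is an added example, not code from the article: it uses a constructed SQLite schema (customers, orders, support tickets, marketing segments) and walks the declared foreign keys to produce a dry-run report of every row an erasure request would delete or orphan, which is the check a company should run before “pressing the button”.

```python
import sqlite3
from collections import deque

# Constructed sample schema: departmental tables all hang off "customers";
# tickets are linked only indirectly, through orders.
SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE orders(id INTEGER PRIMARY KEY,
                    customer_id INTEGER REFERENCES customers(id), total REAL);
CREATE TABLE tickets(id INTEGER PRIMARY KEY,
                     order_id INTEGER REFERENCES orders(id), note TEXT);
CREATE TABLE segments(id INTEGER PRIMARY KEY,
                      customer_id INTEGER REFERENCES customers(id), label TEXT);
INSERT INTO customers VALUES (1,'a@example.com'),(2,'b@example.com');
INSERT INTO orders VALUES (10,1,99.0),(11,1,5.0),(12,2,7.5);
INSERT INTO tickets VALUES (100,10,'late'),(101,12,'refund');
INSERT INTO segments VALUES (1000,1,'vip');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def referencing_tables(conn):
    """parent table -> [(child table, child column, parent column)] from declared FKs."""
    refs = {}
    for (child,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for fk in conn.execute(f'PRAGMA foreign_key_list("{child}")'):
            refs.setdefault(fk[2], []).append((child, fk[3], fk[4]))  # (table, from, to)
    return refs

def erasure_impact(conn, table, key_col, key):
    """Dry run: count rows per table that deleting `table.key_col = key` would delete or orphan.
    Table/column names come from sqlite_master, not from the request, so quoting them is safe."""
    refs = referencing_tables(conn)
    start = [r[0] for r in conn.execute(f'SELECT rowid FROM "{table}" WHERE "{key_col}" = ?', (key,))]
    impact, seen, queue = {}, set(), deque([(table, start)])
    while queue:
        parent, rowids = queue.popleft()
        if not rowids:
            continue
        for child, child_col, parent_col in refs.get(parent, []):
            q = ",".join("?" * len(rowids))
            vals = [r[0] for r in conn.execute(f'SELECT "{parent_col}" FROM "{parent}" WHERE rowid IN ({q})', rowids)]
            q = ",".join("?" * len(vals))
            hit = [r[0] for r in conn.execute(f'SELECT rowid FROM "{child}" WHERE "{child_col}" IN ({q})', vals)]
            hit = [h for h in hit if (child, h) not in seen]  # guard against FK cycles
            seen.update((child, h) for h in hit)
            impact[child] = impact.get(child, 0) + len(hit)
            queue.append((child, hit))
    return impact
```

Running `erasure_impact(open_db(), "customers", "id", 1)` reports two orders, one ticket and one segment row tied to that customer, so the business can decide whether to delete, anonymize, or retain aggregates before the 30-day clock runs out.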

Data as an asset

But there may be something bigger in play as well, which is that for most companies, data is an invaluable asset. In today’s world, almost every business decision that’s made—from how to redesign a website to where to open a new headquarters—is data driven.

And every department, from marketing to customer support, relies on data for optimization. But in order to make data-driven decisions, we need the data to back them up. So what happens when GDPR requires companies to erase a valuable asset?

Without knowing their customers’ profiles and preferences, from gender to clothing size to whether they have any pets, companies are less equipped to make smart decisions.

Not only that, but the moment the option to be erased exists and is acted upon, it creates inaccuracies in the data that is reported, which in turn skews the business decisions made and ultimately weakens the organization as a whole. It’s no wonder, then, that for some companies the fines associated with non-compliance may look like a safer bet than proper compliance.

At the end of the day, there will always be companies that look at GDPR and decide that they’d rather risk non-compliance than risk their most valuable asset. But as the first fines levied are expected early next year, companies may begin to change their tune.

Fortunately for the organizations that are interested in compliance, having a strong handle on what data they have, how it’s mapped, and how it flows within the system can go a long way in easing the fear that data erasure may bring.