For IT security professionals, the right to be forgotten, one of the cornerstones of the European Union's GDPR, could ultimately prove much harder to implement than expected.
Under the regulation, which comes into effect on May 25, the right to be forgotten goes beyond simply deleting all of a person's data once they have requested it. Companies have the option of either deleting all relevant data about the person, or using anonymization techniques to strip identifiers from their databases and keeping the remaining, identifier-free data for their own marketing or research purposes.
Although anonymization may look preferable for companies that do not wish to literally purge their databases, it may also not be enough to comply with the right to be forgotten as set out in the GDPR.
For Marc French, Vice President, Chief Trust Officer and GDPR compliance lead at Mimecast, an email security company, anonymizing all data is not the panacea others tout.
Although in some cases it may be sufficient, anonymization must account for all data that is accessible and potentially capable of identifying a person without disclosing their name (such as their telephone number or other data considered "identifiable").
Our American colleagues at SearchSecurity (part of the TechTarget group, owner of MagIT) asked Marc French about the right to be forgotten and about deleting personal data rather than anonymizing it. Here is his answer.
Everyone in the European Union has the right to be forgotten; this is actually about purging the data I collected in the storage systems. There are some interesting nuances to this, and I will use the word purge.
There has been a lot of discussion about the actual meaning of the word purge, and there are two ways of thinking circulating right now.
Anonymization can equal the purge, for example, if, as Marc French, I address Acme Corporation, whose activity is based on tracking because it is a search engine. Can I anonymize Marc French when asked to keep the data for my own purposes – do I need to understand them to generate my advertising revenue? And is the simple fact of anonymizing them enough to purge, or do I have to physically erase the data from the systems?
If you consider, for example, Google in Europe, I think they can say they prefer anonymity. I think that anonymity poses the following problem: can you sufficiently anonymize the data so that we cannot go back to the person concerned?
Is anonymization feasible?
I think that the argument of anonymization is not valid because we can now buy enough data sets and cross a lot of information to put together the right information. If you make the choice of anonymization, it may fail quickly because, ultimately, links can be established between all the data.
So we have the purge. Now, the purge is based on the fact that you know all the data collected about a person. If you do not have this key information, you will never really have the ability to delete all the data. And I think this is the case in most companies. So, how can I erase?
The act of removal is very difficult to do, from a technical point of view. So, at the moment, I think the best is deletion, with the hope of getting more good practice on this issue of anonymization. This will overcome some of the technical hurdles caused by deletion.
This is the fundamental problem of anonymity. The Census Department is struggling with this problem all the time. They are trying to create abstract data sets, and there is a whole scientific process dedicated to that.
With two or three items about your life, outside of your name, I could probably discern who you are with a certain degree of certainty. If I give you my place of residence and my position, you could easily understand who I am.
It's not just the date of birth and the postal code. There are other data that you could aggregate. Today you can get them for free. You can find them on LinkedIn, for example. With all this, it becomes easy to identify a person. Anonymization is all the more difficult to demonstrate.
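The re-identification risk Marc French describes can be measured before a table is called "anonymized". The Python example below is added here and is not part of the interview: on a constructed table of records with names removed, it computes the k-anonymity over the quasi-identifiers the interview mentions (birth year, postal code, job title), lists the rows that remain unique, and shows how generalizing those fields raises k. The records and the job-category map are invented.

```python
from collections import Counter

# Constructed sample data (not from the article): a customer table from which
# names were removed, leaving quasi-identifiers of the kind the interview names.
QUASI_IDS = ("birth_year", "postal_code", "job_title")
RECORDS = [
    {"birth_year": 1975, "postal_code": "75011", "job_title": "security engineer", "purchases": 14},
    {"birth_year": 1975, "postal_code": "75011", "job_title": "security engineer", "purchases": 3},
    {"birth_year": 1978, "postal_code": "75020", "job_title": "marketing manager", "purchases": 7},
    {"birth_year": 1981, "postal_code": "69003", "job_title": "nurse", "purchases": 2},
    {"birth_year": 1983, "postal_code": "69001", "job_title": "nurse", "purchases": 9},
    {"birth_year": 1979, "postal_code": "75015", "job_title": "marketing manager", "purchases": 5},
]

# Illustrative coarse job categories used when generalizing (invented grouping).
JOB_CATEGORY = {"security engineer": "IT", "marketing manager": "business", "nurse": "healthcare"}


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class; k == 1 means someone is singled out."""
    return min(equivalence_classes(records, quasi_ids).values())


def singled_out(records, quasi_ids=QUASI_IDS):
    """Records whose quasi-identifier combination is unique in the table."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1]


def generalize(record):
    """Coarsen the quasi-identifiers: birth decade, two-digit postal prefix, job category."""
    out = dict(record)
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    out["postal_code"] = record["postal_code"][:2]
    out["job_title"] = JOB_CATEGORY[record["job_title"]]
    return out


if __name__ == "__main__":
    print("names removed only: k =", k_anonymity(RECORDS), "singled out:", len(singled_out(RECORDS)))
    coarse = [generalize(r) for r in RECORDS]
    print("generalized:        k =", k_anonymity(coarse), "singled out:", len(singled_out(coarse)))
```

Stripping names alone leaves four of the six rows unique on three ordinary fields, which is the linkage risk the interview warns about; only after generalization does every row share its quasi-identifiers with at least one other.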