Organizations must act to safeguard 'the right to be forgotten'
The 'right to be forgotten' is considered to be a fundamental human right by various governments, and recent legislation such as the General Data Protection Regulation attempts to establish this right for European citizens.
Often, implementations of these regulations have revolved around search engines and the right of users to request that search results be removed because they are no longer necessary or have a rightful objection to its existence.
However, the recent Facebook and Cambridge Analytica data scandal and a series of large scale breaches has recentered the discussion on the privacy implications of this right. Privacy advocates have renewed their calls to enable account and personal data removal from social media and other online services.
This seems to have broad support; most people agree that the right to be forgotten should allow users to remove accounts and material that they have created in the past—but this assumed right presents difficulties for today’s enterprises.
The immediate need is clear—the capability to delete accounts and any associated personal data. But this is not as simple as it might first appear. Organizations are loath to give up data—it helps them improve their own business models, and quite frankly, it is profitable. One only needs to look at the recent reselling of user information to third parties to realize its value. Enterprises, then, would need to be compelled to part with what it perceives as valuable—and governments are attempting this with legislation such as GDPR.
Beyond the necessary business case, however, lie technological challenges. While many online services have built in deletion and removal options, lingering personal data is a different matter. If this personal information is located in an application or structured database, then the process is relatively straightforward—eliminate the associated account and its data is also removed. If the sensitive data is in files—detached from applications governed by the business—then they behave like abandoned satellites orbiting the earth, forever floating in the void of network-based file shares and cloud-based storage.
If the right to be forgotten is to be realized, then a key task is locating that personal data and enabling its deletion, thus ensuring the privacy of the end user.
As our online identities continue to expand and proliferate online, we must work to safeguard what we consider fundamental rights. The right to be forgotten—to choose to withdraw from online services without leaving our personal data behind—is a key cornerstone in our privacy foundation.
Organizations who value their customers’ privacy will value the right to be forgotten and will take measures to locate and protect their sensitive data.