GDPR and Jason Bourne Share A Unique Affliction: Amnesia

I love the Jason Bourne series. Ludlum’s classic was one of the first thrillers I read as a teenager and I was completely hooked. The entire concept of amnesia in that thrilling, assassin-espionage environment created a phenomenally dramatic experience, popularized by Matt Damon playing the character more recently on the big screen.

The main character, Jason Bourne, is a clandestine operative who is shot and left for dead only to survive with a severe case of amnesia. He doesn’t know his family, his friends, his contacts, where he has been, what he does for a living, nor anything else about his life up until that day he was shot.

Unfortunately, this same amount of thrilling drama is about to play out for every company subject to the GDPR.

Thanks to Article 17 of the GDPR, Right to erasure (‘right to be forgotten’), the same amnesia is about to afflict every business that receives a withdrawal of consent or a notice to erase data about an individual or data subject. Specifically:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

The problem is, if the company or data processor receives this notice, and follows through with that request, then it is likely that the processor will have no long-term memory of the data subject to allow for continued compliance with the request. (Stay with me here…)

Let’s imagine there is an offer of 35,000 reward or air miles with the purchase of, or successful application for, a particular offer from a company or a credit card. I get one or two of these a week that I know of (my wife usually throws them out before I get home each day). Next, I apply for this card, but it clearly stipulates that I can only apply once for this card, and I agree. I get the card, and a few days and hoops jumped through later, I get the miles.

Then I call the company, ask for all of my data to be deleted under the GDPR Article 17. The company complies.

I then re-apply for the card.

To the company making the offer for “first-time” buyers or “one-time only promotions”, there is now absolutely no record of me in their database by which they can check to see if I have ever applied for the card before. So, I get the card.

And then I do it again.

Within a few months, I could have accumulated a few hundred thousand promotion points pretty easily. See the problem? Amnesia, or law-induced long-term memory loss, in this case, is caused by adherence to the GDPR mandate. This is not intended, and it opens companies with specific business offers or policies to manipulation by forcing them to have “no memory” of any kind of an individual data subject.

But let’s consider a less “scammy” example. Let’s examine an imaginary “Company XYZ”, a business that processes the data of data subjects. Further, this processor receives or gathers its data about data subjects from dozens or hundreds of different sources. This is a very typical scenario for most businesses and really is just a question of scale from one business to another. Let’s assume Company XYZ is a midsize company with a few thousand consumers as customers. That could be a chain of delicatessens, an online widget company, or even a youth sports camp business (they have thousands of customers too). For our example, let us assume that Company XYZ gathers data on subjects through purchase information, account creation, sales processing, social data, blog or product commentary, online reviews, abandoned checkout data, and cookie data. For massive, global companies, this active and passive data gathering machine is infinitely larger and more complex.

Next, let us assume that I, as a consumer, have reached out to Company XYZ and asked for my data to be removed under Article 17. Company XYZ complies in a timely manner and removes all data relating to me, including the email itself that requests the removal. To accomplish this, Company XYZ must take my account number, identifying data, or email address and cross-reference this against all the different databases under their control. From here, they identify each record (or row) in their data tables that match my identifying information and delete the data.

From a literal perspective, the company has complied with the request of the data subject, but it is not clear what ongoing obligation exists, if any, for Company XYZ to continue to remove my data from their database. The very day after the deletion request is carried out, I may browse the company site again or even think about buying something from Company XYZ, only to abandon the purchase at the shopping cart. Also, my personal record is transferred by a consumer data aggregator to Company XYZ because I have similar “personal preferences” to other clients of Company XYZ.

In other words, literally a moment following the deletion, my personal record can and will be recreated in the datasets of Company XYZ, and to be fair to Company XYZ, the law doesn’t really give them an alternative.

In the data industry, what I am describing is commonly referred to as the difference between data deletion and data suppression. With deletion, the problem of re-introducing data that is not necessary or supposed to be under the control of a business is very common. Amnesia is caused by removing entire data records, which only creates the problem of not being able to compare records with “delete requests”.

Suppression, on the other hand, is the commonly accepted methodology to handle “deleting” data in an on-going manner. With suppression, a record is usually added to a “suppression table” where the identifying information is accessible in an ongoing manner. From there, the company processing data can, and will, on a regular basis analyze their data across their company for any records that have a match in the “suppression table”. If they find one, they remove that record or further “flag” that row to ensure that the data is never used nor passed on.
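The suppression workflow described above, sketched as an added example that is not part of the original article. The table names, the sample rows, the date and the choice to keep a keyed hash of the normalized email address (rather than the address itself) in the suppression table are all assumptions made for illustration.

```python
import hashlib, hmac, sqlite3

SUPPRESSION_KEY = b"constructed-demo-key"  # assumption: a real key lives in a secrets store
# Hypothetical tables that hold personal data, each identified by email.
PERSONAL_TABLES = ("accounts", "abandoned_carts", "aggregator_feed")

def fingerprint(email):
    """Keyed hash of the normalized identifier; this is all that is remembered."""
    norm = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, norm, hashlib.sha256).hexdigest()

def setup():
    db = sqlite3.connect(":memory:")
    for table in PERSONAL_TABLES:
        db.execute(f"CREATE TABLE {table} (email TEXT, detail TEXT)")
    db.execute("CREATE TABLE suppression (fp TEXT PRIMARY KEY, requested_on TEXT)")
    return db

def is_suppressed(db, email):
    row = db.execute("SELECT 1 FROM suppression WHERE fp = ?", (fingerprint(email),))
    return row.fetchone() is not None

def sweep(db):
    """Periodic job: delete every row whose identifier matches the suppression table."""
    removed = 0
    for table in PERSONAL_TABLES:
        rows = db.execute(f"SELECT rowid, email FROM {table}").fetchall()
        hits = [(rowid,) for rowid, email in rows if is_suppressed(db, email)]
        db.executemany(f"DELETE FROM {table} WHERE rowid = ?", hits)
        removed += len(hits)
    return removed

def erase(db, email, today):
    """Erasure request: record the fingerprint, then remove all matching rows."""
    db.execute("INSERT OR IGNORE INTO suppression VALUES (?, ?)", (fingerprint(email), today))
    return sweep(db)

def demo():
    db = setup()  # all rows below are constructed sample data
    db.execute("INSERT INTO accounts VALUES ('Pat@Example.com', 'promo card issued')")
    db.execute("INSERT INTO abandoned_carts VALUES ('pat@example.com', 'widget')")
    db.execute("INSERT INTO accounts VALUES ('lee@example.com', 'regular customer')")
    first = erase(db, "pat@example.com", "2018-05-25")
    # The next day an aggregator feed re-creates the record in a different spelling.
    db.execute("INSERT INTO aggregator_feed VALUES (' PAT@example.com ', 'similar prefs')")
    second = sweep(db)
    remaining = db.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
    return first, second, is_suppressed(db, "pat@example.com"), remaining

if __name__ == "__main__":
    print(demo())
```

The same `is_suppressed` lookup can be run at intake, which is what lets the card issuer in the earlier scenario recognise a repeat applicant without retaining the original record.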

There are pros and cons to both methods, deletion or suppression, but when it comes to maintaining an ongoing adherence to the spirit of a removal notice, suppression is not only superior, it’s the only viable approach.

We will dive deeper into the reasons for data suppression in future articles to analyze the benefits of this approach.

