Complying with the CCPA’s “Right to be Forgotten”
The recently passed California Consumer Privacy Act (CCPA) is still over a year away from its January 1, 2020, enforcement date, but organizations who do business in California are already preparing. California has long been the leader in the United States for legislating on privacy and the security of personal information, but with the 5th largest economy in the world and over 39 million residents, the CCPA is likely to have a global impact. Countries all over the globe are implementing similar laws, from the General Data Protection Regulation (GDPR) in the EU, to regulations recently enacted or under consideration in China, Brazil, and India. The common theme across these laws is recognition of the fact that individuals want greater ownership of their personal information, as well as a stricter requirements for organizations who are collecting and processing personal information.
In an effort to grant individuals greater control over their personal information, the CCPA, as well as the GDPR and Brazil’s recently passed data protection law, the Lei Geral de Proteção de Dados (LGPD), all grant their respective data subjects specific rights when it comes to how their personal information is used, including the “right to be forgotten.” Under the CCPA, this right allows consumers to ask a business to delete any information it has about that individual unless the data is required by the business for one of nine exceptions detailed in the law, such as compliance with a legal obligation. Now is the time to ask if your organization has the right policies and procedures in place to respond to these deletion requests, as well a technological solution for doing so.
Complying with a Right to be Forgotten Request
In the event your business receives a request to have a consumer’s personal information deleted, it’s essential to know ahead of time how your organization will comply given the 45-day window to respond. If you have already taken steps to comply with the right to be forgotten under the GDPR, you’re in good shape, the process for the CCPA is largely the same. If you’re not in scope for the GDPR or you haven’t yet started to address how your business will respond to individual rights requests, all is not lost –you can now take advantage of the experience of the organizations who have gone before you.
Accurate data inventories and data maps are essential for complying with all individual data rights requests and the right to be forgotten in particular. If you don’t know where an individual’s data resides in your organization or what systems process the data, you simply can’t be sure you’ve successfully met your obligation to delete the data or how the associated systems will respond. Additionally, accurate data inventories and maps allow you to pseudonymize personal information, a data protection technique specifically mentioned in both the CCPA and GDPR.
Pseudonymization, replacing sensitive data with a pseudonym, is synonymous with tokenization, replacing sensitive data with a token. Tokenization is a mature technology that has been used to protect payment card information (PCI) for years. Similarly, it can be used to de-identify personal information and reduce the risk to your organization in the event of a data breach. Pseudonymization of personal information using tokenization has particular benefits when it comes to the right to be forgotten.
While successfully deleting an individual’s personal information in an organization’s live systems is not an arduous task with updated data maps and clearly defined procedures in place, it is often very arduous to delete that data from back-up media. Deleting the information from back-ups is important for two reasons – the first is, obviously compliance with the request. The second is to prevent inadvertently restoring someone’s deleted information from a back-up. If you have tokenized the identifying elements of an individual’s personal data, complying with the right to be forgotten is as simple as deleting the mapping between the token and the corresponding data. All that is left in your organization’s back-ups at this point is a set of tokens that can no longer be used to identify an individual - you will have met your compliance obligation across the entirety of your organization’s systems.
John Noltensmeyer, CIPP/E/US, CIPM, CIPT, CISSP, ISA is the Global Head of Privacy and Compliance Solutions for TokenEx. TokenEx is the industry leader for tokenization, encryption, and data vaulting. Follow us on Twitter and LinkedIn.