Data deletion & right to be forgotten
Shaik Idris, Director of Data Platforms at Zeta, was part of a roundtable discussion at Rootconf’s Data Privacy Conference held in April 2021. The roundtable was moderated by Venkata Pingali from Scribble Data and included Sreenath Kamath from Hotstar.
The roundtable focused on handling data deletion practices in engineering and product.
Why is data deletion important?
In today’s data-driven world, user data is very valuable. We have a number of cases where user data has been misused or leaked. Maintaining customer satisfaction and trust is critical for any company. Data deletion ensures a customer’s data cannot be used for anything else apart from the intended purpose.
What are the legal obligations of a company when it comes to data deletion?
The law requires companies to inform customers why they are collecting data from them and where it will be used. It also requires companies to provide customers with the:
- Right to know what information the company has about them.
- Right to ask the company to delete any personal information they have.
Retrospectively making a company General Data Protection Regulation (GDPR) compliant is impossible. This is because a lot of existing companies ignore the first principle of GDPR, privacy by design. New companies have the flexibility to model data from the onset to ensure they are compliant with the regulations.
What is realistically possible in a complex, evolving organization?
Steps companies can take are:
- Identifying data sources. This problem is especially big in startups.
- Streamlining the data model. Customer data should be treated and managed as master data. A lot of companies do not do this.
- Don’t use personally identifiable information (PII) such as phone number or email address as your primary key.
- Ensure you always use structured data sets.
- Use proper naming conventions for columns and variables.
- Have processes to avoid internal data leaks.
Can we use tools to help implement the above suggestions?
Tooling helps. We can use tools to scan data sources to identify and flag inappropriately named columns or even auto tag all instances where customer data was stored. However, for tools to be effective, companies should have dedicated data stewards for each data domain.
How can you say that you have realistically implemented delete?
First, we must differentiate between what data a company should retain for audit purposes and what data can be deleted. For example, financial institutions are required to retain information for 7 years for audit purposes. Information collected for marketing purposes, on the other hand, can be deleted.
Few things companies can do are:
- Collect the data you need. Keep this as minimal as possible.
- Unless required by compliance, do not retain data. Any data you retain is a liability.
- Anonymize PII in data sources.
- Guard your communication channels and maintain a list of users who want to be forgotten.
The law allows users to discover what a company knows about them and ask companies to delete their personal information. There is ambiguity about what it means to delete information. The law requires companies to demonstrate that they have tried to delete a user’s personal data. This is not possible if companies have an uncontrolled, undisciplined data environment.
Companies can use tools to ensure the proper handling of customer data. But, as the saying goes, prevention is better than a cure. By collecting only the required data and deleting data that you are not required to retain, companies can avoid the hassle of data deletion and data leaks.
About Shaik Idris
Shaik Idris is an experienced architect and proven leader in the field of BigData and Cloud. He has worked in top startups, product companies, and with open-source codes for over a decade. He has helped companies build high-performance teams and data organizations from scratch.
Zeta — is rethinking payments from core to the edge, algorithms to form factors, applications to solutions. Having built a modern stack that Financial Institutions (FIs) can use for debit, credit, and prepaid cards, loans, authentication, and Fraud and Risk Management (FRM), Zeta invites you to join their journey in democratizing payments. Check out the openings on Zeta’s career page: https://www.zeta.tech/in/careers
Speaker: Idris Ali