As discussed in a previous post, the new GDPR underlines the importance of the right to be forgotten, to some extent already present in the current Italian legislation. Here we want to think about the technical implications of this requirement. How much can it cost to organizations the right to be forgotten, in a society that increasingly tends to be a unique global network of people and devices anytime and anywhere connected to each other?
Let’s take the social networks as an example. More and more organizations develop more or less formal or structured marketing, communication, surveying strategies on social networks. The problem of data management in such contexts is well known not only to experts in the field. This raises the question: how can an organization ensure that users’ personal data are deleted forever and everywhere, when these users ask for it? To check all the posts, tweet, tags, like, comment is theoretically feasible, but in reality this scenario seems unlikely practiable in view of the amount of data to be managed and the inherently distributed and dispersed nature of social networks.
What to do then? Even such a simple observation highlights the importance of other concepts introduced (or reformulated) by the new GDPR: Privacy by design and Privacy Impact Assessment appear as irreplaceable instruments to set a of personal data management system from the beginning, in order to avoid the occurrence of unmanageable situations in the future.
Mapping data and treatments, building correlation and impact matrices, defining very precise and controllable constraints and flows for the actions granted to users (especially in social networks); these operations appear all necessary activities, however complex, to be carried out in advance when defining a framework of personal data management. The real challenge is to find the key to the problem already in the race, without being able to design it from the beginning: this is in fact the real scenario that the vast majority of European organizations is going to face.
Form all these considerations it raises up again the holistic nature of the GDPR, a regulatory body certainly articulated and to be refined over time locally, but yet revealing an organic and self-consistent framework, hopefully effective in pursuing the objectives of safety and efficiency to which it aims.