Author: Gregor Bieler, Co-CEO at APARAVI
According to the GDPR, companies are obliged to answer requests for information and deletion promptly and truthfully. According to Article 15 of the GDPR, every person has the right to information about any data stored about them and, according to Article 17 of the GDPR, the right to have this data deleted, i.e. the much-cited “right to be forgotten”. Article 18 of the GDPR also grants the right to restrict the processing of personal data. But only very few companies are well prepared to process such requests quickly and correctly. Instead, they poke around in the data swamp in a hectic and disorganised manner.
Lost in the dark data swamp
It is not without reason that the jumble of vast amounts of unstructured data is also known as dark data. No one knows exactly what and how much personal information is hidden there among duplicate PDFs, old emails and Office documents that have become superfluous. How can information be provided in a legally sound manner and with reasonable effort under such conditions? There is the threat of hefty fines, legal fees and loss of reputation. But this does not have to be the case. It is possible to react quickly, correctly and automatically to requests for information and deletion:
- Early risk assessment: Previously unknown risks can be analysed and minimised at an early stage through a comprehensive data inventory. Obsolete, redundant and superfluous data is recognised and removed from the data inventory; personal data is identified, analysed and made transparent. This also enables the privacy impact assessment according to Art. 35 of the GDPR.
- Rule-based deletion concepts: The GDPR provides fixed rules for handling data and deleting it in a timely manner. Deletion concepts must map these rules 1:1 and document the results. This ensures that exact, legally watertight information can be provided at any time upon request.
- Automated deletion processes: Unstandardised deletion processes are error-prone and time-consuming. It is safer and more efficient to automate the deletion processes, which can then run constantly in the background. This also ensures that the new or changed files flowing in daily are automatically captured by the purge criteria at a defined point in time.
- Optimal use of resources: Employees have better things to do than spend hours searching for personal data. Companies dread such unproductive tasks. Automated data inventory and deletion is far more efficient and accurate – plus it’s far less error-prone than manual work.
- GDPR-compliant information security: Professional, comprehensive data protection management with automated processes makes it possible to process requests for information and deletion quickly and correctly. In this way, companies protect themselves from risks and costs worth millions that can arise from GDPR violations.
The next request for information or deletion can arrive tomorrow. Managers who are ill-prepared for this are risking their necks. There is the threat of fines amounting to millions. So it is high time to act. Intelligent, automated data inventory tools are a valuable aid in minimising these risks and at the same time separating value-adding information from superfluous data ballast.