
00:00
Adam Stofsky
We're going to talk about individual rights requests and the right to have data deleted. So let me start with just the idea of deletion. This is also sometimes called the right to be forgotten. Kind of famously, right?
00:27
Matthew Coleman
Yeah, absolutely. That's a very kind of European terminology associated with the GDPR. But the specific language under the GDPR is the right of erasure. In the US we see the right to deletion, and usually we think of it as you have the right to request that your information is deleted. It's not an absolute right, but you do have that right to make the request.
00:45
Adam Stofsky
So before we get into the individual right and a request to have data deleted by an individual, can you just sketch out for us when companies need to delete data just as a matter of course, even if they don't get a request? What are some of those data retention rules? Just broadly speaking?
01:05
Matthew Coleman
Yeah, sure. So generally, there have been privacy principles that date back to the 70s, when the Internet was in very, very early stages. The Fair Information Practice Principles had a concept of storage limitation, both data minimization, purpose specification, and storage limitation, all kind of surrounding the idea that you need to have some kind of business reason to be processing data to collect it. In the first instance, don't collect more than you need, be very clear about the purposes for why you're collecting it up front. And then once those purposes are either no longer valid or you've accomplished those goals, the information should be deleted. And so the general retention principle is if you don't have a business justification for retaining information, you should have some kind of automated process or manual process, but better automated, to delete that information wholesale.
01:56
Matthew Coleman
So that's the general principle, and that is not necessarily enforced by law automatically, but in laws where there's unfair and deceptive practices, it is a guidepost for organizations that have retained all of their data over the course of their entire histories and then, you know, suffer some kind of data breach. That's usually an aggravating factor in any kind of fines, penalties, or litigation damages. Just because there's data that was compromised that you didn't need, that you didn't have to be holding. And so therefore it was a larger breach with more implications than there otherwise would be. And so it's generally considered a good practice to go through and think about what data are you processing? Do you still need it? Are there other things you can do with it, like aggregate it, de-identify it, or just outright delete it?
02:44
Matthew Coleman
That kind of obligation has been codified in a number of privacy laws, including the GDPR and including the state privacy laws. The idea being that you should be able to articulate some principles as to, you know, how you're deleting data or how you're deciding when data needs to be deleted and no longer retained, and communicating that to consumers within your privacy policy. Right.
03:04
Adam Stofsky
So that was like a four minute crash course on like data minimization, storage limitation, purpose limitation, which are all these privacy concepts that relate to when a company has to kind of delete data or not collect it in the first place, but to move into the individual rights, request the rights to have your data deleted. We are now talking about a consumer or an individual going to a company and asking to have data deleted that the company is maybe otherwise legally entitled to hang on to, essentially. Right?
03:35
Matthew Coleman
Yeah, yeah, right. Or that there's an existing consumer relationship between the individual and the business and you know, they've done some kind of transactional history or they have some communications back and forth or you know, it also applies in the like HR context for potential hires or, you know, past employees. And so, yeah, the individual under these privacy laws has the right to request deletion of their data even if, you know, it's very recent history between the business.
04:03
Adam Stofsky
So what has to be deleted? So if I, you know, call up a SaaS company and say I want all my data deleted, does that company automatically have to delete everything? What is the scope of this?
04:14
Matthew Coleman
Right, yeah, so it is thought to be as broad as you can make it, subject to certain exceptions. Right. And so if you get a deletion request, the goal is to delete as much or, like I said earlier, obfuscate or de-identify as much of the data as you possibly can. But there are certain exceptions. So for example, if a business has a legal need to retain the data, right. There is either a regulatory retention requirement, we must keep our tax records for seven years in case we're audited, or there's, you know, this is a financial institution and so therefore we have to keep all of our consumer records and communications between, you know, our brokers or, you know, other account managers and our consumers for X number of years.
04:57
Matthew Coleman
Like if there's that kind of a retention requirement, then you may not have a deletion obligation. You may be able to retain that data. But otherwise, if there is data that you're processing that is not subject to that exception, that regulatory requirement, there may be other exceptions that apply, but you may also just need to delete some of that information. Right.
05:20
Adam Stofsky
So what about three? Delete. I mean, I think deleting stuff is pretty hard. I mean, I'm just looking at my own laptop now and it's like I've got email and cloud backups and all these different sort of copies of things. What should people know about or what does the law say about things that like backups or metadata and cloud systems? Is that, and does that provide some kind of, I don't know, excuse to not delete everything? Are there exceptions around metadata? Like how does all that work? Do you have to really make sure you delete everything?
05:53
Matthew Coleman
I mean, so if you have some kind of identifiable record, yes, the goal should be that you do delete it. But you're right, it is very cumbersome and difficult to go into all of your backups, you know, every backup tape. If you back up your systems on a daily basis for the last 90 days, like going through 90 different backups and deleting one person's record from all of your systems, that's a very labor-intensive task. So what is a better way to do it? I would say that the law reads in a commercially reasonable standard to your efforts in deletion. And so if you have, you know, production systems that are actively processing data, your active sources of record, go through and delete data from those to the degree that you have to under the law, and then everything else that is.
06:35
Matthew Coleman
So say you have, you know, backup systems, have some process in place. So in your disaster recovery or business continuity plan that essentially says if we do ever need to restore from backup, we're going to go through the deletion process again for this individual, we'll have this record of everyone who has requested deletion, when they requested it, and then we'll figure out if we actually need to go through and redelete in that disaster scenario.
07:00
Adam Stofsky
What can you kind of offer? Some. This isn't really a legal question, it's more of a, almost like a strategic question or a social question about how to talk to a customer about deletion when they make a rights request, kind of being truthful and without overpromising. Like what do you say and what do you not say?
07:21
Matthew Coleman
Yeah, I mean the goal is to be transparent, right? Like if you are going to leverage exceptions that apply, like in California in particular, in the regs, they say that you do need to share that information with the consumer if they do request. If you say you're going to deny their request in whole or in part, you need to say why. So, you know, there is certain information that's subject to an exception because we have legal rights that we need to defend or because we have other legal retention obligations. You know, making clear that there is certain data that you're going to be retaining and, you know, everything else, you have honored the request as much as you possibly can.
07:57
Matthew Coleman
So, you know, the goal is to be transparent, kind of satisfy that requirement, and then, you know, also in a way that honors the request. Because what happens sometimes is you have individuals who, you know, they want all of their data deleted and they don't really understand that there are exceptions that apply. And so, you know, it could cause a little bit of friction if you aren't careful in how you're wording the fact that exceptions apply and that you have legal obligations or, you know, other justifications for retaining some of the information.
08:27
Adam Stofsky
So it's pretty important to just be on the same page between, you know, customer service teams, legal teams, sales, marketing, you know, kind of customer success renewal teams, if your company has one, on how the company handles these kinds of requests, what they can do and can't do, and be very transparent and honest about it.
08:44
Matthew Coleman
Yeah, I think so. And there may be other, like, operational implications of a deletion request. Right. So if someone has just recently conducted a transaction or, you know, has paid for a subscription service and then submitted a deletion request, like, you may have an obligation to give them the service for the duration of, you know, whatever it is that they paid for until their next subscription term comes up. And so working with your operations team to communicate with the individual, like, are you sure? Are you sure that's what you want? Because there are financial implications of us honoring this deletion request. And there may be either a path you go where you just reject that kind of a request, or if the consumer is adamant and you treat it more like we're going to unsubscribe you from the service and then delete your information.
09:31
Matthew Coleman
And you may be out some money that way. But yeah, there's going to be a communications element that's associated with it and everyone should be on the same page.
09:38
Adam Stofsky
Last question for now. How much time do you have under these laws to delete data after a request is made?
09:44
Matthew Coleman
Yeah, depends on the law. Some laws are 30 days, some laws are 45 days. Usually you have a right to extend, at least request one, maybe two extensions of those same time periods. But it's pretty quick. It's pretty quick. Especially if you're an organization that uses a lot of different, you know, SaaS applications that may be storing data and maybe communicating with one another. If you don't have one kind of, you know, data lake or data management platform that's the single source of truth for all consumer data, then it may be a challenge to go through and especially manually delete all the information from all those various systems. So having a process in place or some kind of automated tooling to be able to respond to requests in a timely fashion is pretty important.
10:28
Adam Stofsky
So it sounds like deletion, maybe more than other rights requests, really requires some kind of cross-functional collaboration. It sounds like actually legally it's not that complicated, but maybe from a technical standpoint it could be quite complicated depending on the company and how they handle their data. Would you agree with that?
10:47
Matthew Coleman
Yeah, I would agree with that. I would say that it can be complicated in terms of, like, business risk of over-deletion. Right. Like you may need some of those records to be able to defend your rights or, you know, just record-keeping purposes for whatever reason it might be. And so drawing those lines of what needs to be retained and why, and can we live with, you know, like higher-level abstracted data, like aggregate data instead? Like those are kind of the balance between legal and operational types of questions that it's a multi-stakeholder effort to figure out. And it's tough to do that in a 30-day window. Right. Like putting some advance effort.
11:22
Matthew Coleman
If you're anticipating, you know, getting more than one of these every five years, you know, it may be worth time getting those teams together and kind of figuring out what the rules of the road are going to be.
11:32
Adam Stofsky
Yeah, well, very interesting. Thank you, Matthew, so much for this summary of the right to deletion, the right to be forgotten under data privacy law. Thank you.
11:42
Matthew Coleman
My pleasure. Thanks for having me.
11:44
Adam Stofsky
All right, take care.