Consent
- Privacy regulations such as GDPR and CCPA, and control frameworks such as HITRUST that map to them, require a lawful basis before an organization collects or stores a customer's personal data. Consent is the basis most organizations rely on, and where it is used it must be freely given, specific, informed and unambiguous, and the organization must be able to produce a record of it.
- Organizations can collect and record this consent in several ways:
  - In countries where a signed hard copy is legally required, the organization can publish consent forms for download, which the customer reads, signs and returns to the organization as the record of consent.
  - The most widely accepted and implemented method is a consent page that states all the necessary terms for the storage of personal data or the use of website cookies, followed by an accept checkbox; the customer's affirmative click is recorded as formal consent. The checkbox must be unticked by default, since under GDPR pre-ticked boxes, silence or inactivity do not constitute consent, and the organization should log what was accepted, which version of the terms, and when.
- The terms should list the exact PII elements that will be captured and stored. They should also describe how the data will be protected and give a brief outline of the controls that will keep the data accurate and intact and prevent unauthorized access, loss or theft.
- The organization also needs to assure the customer that the data will not be shared with any other entity without the customer's explicit consent for that sharing.
- Internally, the organization should have a well-documented and implemented plan for protecting PII at rest within its environment.
- A data retention policy and supporting guidelines, based on regulatory, legal and other local requirements, should be documented and implemented as well.
Right to be Forgotten
- A customer's consent does not give the organization a blanket right to keep the data forever.
- Customers retain the right to exercise their "Right to be Forgotten", which in simple words means that the customer wants any and all PII the organization holds about them to be deleted.
- Article 17 of GDPR, "Right to erasure ('right to be forgotten')", is probably the most talked-about article in the entire regulation.
- Organizations need to provide a link on the website, or a listed email address, through which any customer can submit and exercise their "Right to be Forgotten" request.
- Every organization must have the following in place to respond to such a request:
  - An automated or manual response acknowledging receipt of the request and stating the expected timeline for erasure. Under GDPR (Article 12) the organization must act without undue delay and in any case within one month of receipt, extendable by a further two months for complex or numerous requests, provided the customer is told of the extension and the reasons within the first month.
  - A documented policy and procedure for identifying and retrieving all data linked to the specific individual, across active storage as well as backups, including copies held by any entity the data has been shared with. This presupposes an inventory of where PII is stored, which should be maintained in advance rather than assembled per request.
  - A documented policy and procedure for securely deleting this PII so that it cannot be recovered after deletion. Where a backup cannot be modified in place, the procedure should define when that backup expires and ensure the individual's records are not restored into active systems in the meantime.
  - A post-deletion communication procedure to inform the customer that their data has been successfully deleted.
