GDPR: Right to Erasure or "Right to be Forgotten" Process and Considerations

Overview

The General Data Protection Regulation (GDPR) is a legal framework that sets requirements for the collection and processing of personal information for individuals living in the European Union (EU). All organizations that collect or process information about EU residents must abide by these requirements. More information can be found in the Slate GDPR Resource Guide. 

When a person requests to be forgotten, there are two options to fulfill the request: 

  • Delete the record, including all associated identifiable data. 
  • Anonymize the data by creating an alternate record that carries only the pertinent (non-identifiable) data points of the forgotten individual, and then delete the original record. 

Why Anonymize Data? 

Anonymizing data may be more palatable than deleting a record outright because of the effect on longitudinal reporting. Deleting records without carrying their data into an alternate or "dummy" record changes historical counts, so reports and metrics that span those years become less accurate.  

Ultimately it is up to you, your leadership, and your legal team to determine the best option. 

Anonymizing Data 

If you decide that a record subject to an erasure request will be anonymized, first decide which data points (such as Entry Term, Application, and Student Type) will be carried over to the alternate record. These data points must comply with GDPR in that they cannot contain personal data, meaning information that can be used to directly or indirectly identify a natural person. Note that a combination of individually harmless data points can still identify someone indirectly if only one person in the database shares that combination. 

To determine the data points that are considered personal or identifiable, work with your legal counsel. Technolutions is not responsible for determining the data points that can and cannot be kept in a Slate database to comply with GDPR. 

To anonymize data: 

  1. Export the pertinent (non-identifiable) data points from the record to be forgotten using the Query Tool. 
  2. Create an alternate record using a fake name and date of birth. The placeholder values should be obviously synthetic and not derived from the original values (for example, not the real initials or a shifted date of birth), so they cannot be reversed to recover the person. 
  3. Import the non-identifiable data points to the alternate record using Upload Dataset. 
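The three steps above, together with the indirect-identification caveat under Anonymizing Data, as an added worked example. This is not code from this article or from Slate; the field keys (first, last, dob, email, entry_term, application, student_type), the tag name gdpr_anonymized, and the sample records are constructed for illustration, and a real Query Tool export will use your institution's own field names. Beyond the steps as written, it also counts how many records share the retained combination of values and flags the alternate record for review when that count is below a threshold, since a combination held by only one person still identifies that person:

```python
"""Anonymize a person record for a right-to-erasure request and check that the
retained data points do not single the person out.

Added example, not Slate's code. Field keys and the records below are constructed
for illustration; a real export uses the institution's own field names.
"""
import secrets

# Direct identifiers: never carried over to the alternate record.
DIRECT_IDENTIFIERS = {"id", "first", "last", "dob", "email", "phone", "address"}

# Data points kept for longitudinal reporting (to be agreed with legal counsel).
RETAINED_POINTS = ("entry_term", "application", "student_type")

# Fixed sentinel: obviously synthetic and unrelated to the real date of birth.
PLACEHOLDER_DOB = "1900-01-01"

# Constructed sample export: records 1-3 share the same retained values, record 4 is unique.
SAMPLE_RECORDS = [
    {"id": 1, "first": "Ada", "last": "Lovelace", "dob": "1995-12-10",
     "email": "ada@example.edu", "entry_term": "2024 Fall",
     "application": "Undergraduate", "student_type": "First-Year"},
    {"id": 2, "first": "Grace", "last": "Hopper", "dob": "1996-03-02",
     "email": "grace@example.edu", "entry_term": "2024 Fall",
     "application": "Undergraduate", "student_type": "First-Year"},
    {"id": 3, "first": "Alan", "last": "Turing", "dob": "1995-06-23",
     "email": "alan@example.edu", "entry_term": "2024 Fall",
     "application": "Undergraduate", "student_type": "First-Year"},
    {"id": 4, "first": "Joan", "last": "Clarke", "dob": "1994-06-24",
     "email": "joan@example.edu", "entry_term": "2024 Fall",
     "application": "Graduate", "student_type": "Transfer"},
]


def project(record, points=RETAINED_POINTS):
    """Step 1: keep only the agreed data points; refuse any direct identifier."""
    leaked = DIRECT_IDENTIFIERS.intersection(points)
    if leaked:
        raise ValueError(f"refusing to retain direct identifiers: {sorted(leaked)}")
    return {p: record[p] for p in points}


def group_size(record, records, points=RETAINED_POINTS):
    """Number of records (including this one) sharing the same retained values.

    A group of 1 means the retained combination alone identifies the person
    indirectly, which GDPR still treats as personal data."""
    key = tuple(record[p] for p in points)
    return sum(1 for r in records if tuple(r[p] for p in points) == key)


def anonymize(record, records, points=RETAINED_POINTS, k=3, placeholder_id=None):
    """Steps 2 and 3: build the alternate record to import before the original is deleted."""
    # Random suffix so the placeholder is unique and not derived from the person.
    placeholder_id = placeholder_id or secrets.token_hex(4)
    alternate = {
        "first": "Forgotten",
        "last": f"Record {placeholder_id}",
        "dob": PLACEHOLDER_DOB,
        "gdpr_anonymized": True,  # tag used to exclude the record from mailings and exports
        "review_required": group_size(record, records, points) < k,
    }
    alternate.update(project(record, points))
    return alternate


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(anonymize(r, SAMPLE_RECORDS))
```

The threshold k is a policy choice to settle with counsel; the point of the check is that record 4 above, the only Graduate Transfer for that term, would be flagged rather than silently imported as an "anonymous" record that still describes exactly one person.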

Deleting Records 

Slate stores a great deal of information associated with a single record, spread across many tables, and any of these tables could contain personal data. To ensure that all of the personal data is removed, delete the records of people requesting to be forgotten with the Retention Policy Editor rather than by opening the individual record and deleting it manually. This matters most when the record has an Application that must be deleted: deleting an application through a Retention Policy is a very different action from deleting an application from the Application record. For consistency, the best-practice recommendation is to use Retention Policies for all GDPR-related record deletions. 

Deleting records through a Retention Policy removes any associated information stored on related tables (such as materials, relationships, and schools). Messages sent to the record's email address are not deleted by the Retention Policy. If it is determined that these messages must be deleted, or if the recipient and body should be stripped from the messages (to allow for longitudinal reporting of Message Delivery Statistics), then you can work with us to make sure that these changes take place as needed before beginning record deletion. 

Creating a Process  

Ultimately, record anonymization and deletion for GDPR can and should become a seamless process in Slate. The complexity of the process depends on whether your institution decides to anonymize data or simply delete it.

Use custom fields and tags to identify the records to be returned by the anonymization query export, and to flag the resulting alternate records. Add those flags as exclusion filters in general mailing and export queries so that placeholder records are never contacted or exported as if they were real people.

When automating this process, follow the order of operations so that records are fully anonymized before they are removed: export the non-identifiable data points, create and import the alternate record, confirm the alternate record exists, and only then delete the original through the Retention Policy. Once the original record has been deleted, any data point that was not exported is gone. 

As your instance develops and you collect new data points, it's important to revisit your GDPR Anonymization and Deletion process to ensure that it continues to meet the necessary guidelines and continues to serve your process. 
