Oops! The backup restored GDPR right to be forgotten details

Remember GDPR? Of course you do. The GDPR directive gives individuals the right to be forgotten and requires EU and UK companies in certain instances to erase all personal data per a customer’s request.

But this is problematic when details are contained inside a non-searchable database backup file. At first sight the individual has been forgotten, but if a backup file is restored the business again has that person’s details in plain view, and so breaks the GDPR rules.

OCL Technologies, a California startup, has devised a continuous data privacy SaaS-based tool, Forget Me Yes (FMY), which it claims ensures the right to forget really does mean “forget me”.

CEO and president Michael Johnson said: “FMY’s Zero Knowledge Proof (ZKP) platform technology ensures auditable privacy and security throughout the entire compliance process”.

OCL gave us an advance briefing on the ‘ForgetMeYes’ utility, which is soon to launch formally. The technology assures businesses that they are compliant with GDPR right-to-be-forgotten requests, the company says. Initially it is being tested against Salesforce and should be extended to other data sources.

ForgetMeYes verifies compliance with the right-to-be-forgotten and right-of-erasure data subject requirements of the CCPA, LGPD, SB220 and GDPR regulations.

For example, individuals have the right to have search results removed from Google results if they are inaccurate, irrelevant or “considered superfluous”.

When a business, like Google, expunges records of a person exercising a right-to-be-forgotten ruling, that business removes all mentions of the person from databases, emails, etc. To verify this, you have to run a query against the databases, email records, etc. And that query has to contain the name and other details of the person that’s been forgotten, i.e. the business has to remember it, which it cannot do.

OCL Technologies addresses this with an indirect, coded representation of the ‘forgotten’ people that does not directly identify them. The software runs this as a query against the various source databases and files looking for that target term. If it is found (maybe a backup has inadvertently restored the forgotten person’s records), then the person’s details are deleted afresh.
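An added example, not OCL's code or anything from the briefing: one way such a non-identifying token could work, assuming a keyed hash (HMAC-SHA256) over a normalised email address rather than the zero-knowledge-proof scheme the company mentions. The key, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Assumption: a secret key held in a KMS/HSM, stored apart from the token list.
# Constructed value for this demo only.
PEPPER = b"constructed-demo-key-not-for-production"

def normalize(identifier: str) -> bytes:
    """Canonicalise so 'Alice@Example.COM ' and 'alice@example.com' match."""
    return unicodedata.normalize("NFKC", identifier).strip().casefold().encode("utf-8")

def tombstone(identifier: str, key: bytes = PEPPER) -> str:
    """Keyed one-way token kept in place of the erased person's details."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()

def scan_and_purge(records, tombstones, fields=("email",), key=PEPPER):
    """Split records into kept rows and ids to delete again.

    A row is purged when any watched field hashes to a stored token,
    e.g. because a backup restore brought the person back.
    """
    kept, purged_ids = [], []
    for rec in records:
        hit = any(
            rec.get(f) and tombstone(rec[f], key) in tombstones
            for f in fields
        )
        if hit:
            purged_ids.append(rec["id"])
        else:
            kept.append(rec)
    return kept, purged_ids

# Constructed sample: the erasure request was honoured earlier; only the token remains.
TOMBSTONES = {tombstone("alice@example.com")}

# Constructed sample: rows present after a backup was restored.
RESTORED = [
    {"id": 1, "email": "Alice@Example.com ", "name": "Alice A."},
    {"id": 2, "email": "bob@example.com", "name": "Bob B."},
    {"id": 3, "email": None, "name": "No Email"},
]

if __name__ == "__main__":
    kept, purged = scan_and_purge(RESTORED, TOMBSTONES)
    print("purged ids:", purged)
    print("kept ids:", [r["id"] for r in kept])
```

Without the key, the stored token cannot be tested against guessed email addresses, which is why the sketch uses a keyed hash instead of a plain SHA-256.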