Right to be forgotten
Ron Sengupta
Cybersecurity & Cloud Security Expert | Adversarial Machine Learning & Secure AI Specialist | FSI Compliance- DORA, PCI DSS, ISO 27001, CCM | DevSecOps Expert – Delivering Measurable Risk Reduction
I was researching the “right to be forgotten”, which you might also hear called “the right to erasure.” I am oversimplifying a bit here, but think of it as a “delete all” button for your personal information stored on the internet. It derives from the General Data Protection Regulation (GDPR) in the European Union, and it essentially lets people ask companies to delete their personal data under certain conditions.
So, imagine you signed up for a service or created an account somewhere, but now you’ve changed your mind and you don’t want them to have your details anymore. The GDPR says you can ask them to wipe your data, and they generally have to do it, though there are some exceptions.
You might wonder where to read more about this. The nitty-gritty details are laid out in Recitals 65 and 66 and in Article 17 of the GDPR. You can dive into the full legal text directly on the EU’s official website.
If you’re looking for a slightly less legalese guide, the UK’s Information Commissioner’s Office (ICO) offers a really accessible guide to understanding these rules, including how the right to be forgotten works. Check out their guide here: Right to get your data deleted.
It’s pretty interesting stuff, especially considering how much of our data is out there these days.
Now, add another layer to it and think in the context of KYC (Know Your Customer) and AML (Anti-Money Laundering) regulations. These are the rules that say banks and financial companies have to keep certain customer data for a set amount of time to prevent things like money laundering.
In the EU, these rules are in directives known as the Fourth and Fifth AML Directives, and there is relevant legislation for each. And if you’re in the US, you’d be looking at something like the Bank Secrecy Act. In a nutshell, both of these sets of rules say that financial companies gotta keep your data for a certain period even if you want it deleted, to ensure they’re complying with anti-fraud and anti-money laundering laws.
So, it’s a bit like a tug of war between these two rules - one saying “customers can ask to delete data” and the other saying “companies gotta keep data for legal reasons.” Banks and financial companies have to navigate between these two, ensuring they respect customer data but also keep enough of it to stay on the right side of the law! It’s a tricky, but interesting, balance!
Navigating these waters involves a keen understanding of both sets of regulations in order to maintain a compliant yet customer-centric operation!
Imagine you’re running a fintech company. You’ve got two major sets of rules to play by: GDPR says “Respect your customers’ privacy and don’t keep their data longer than needed,” while KYC/AML laws tell you “Know who your customers are and keep their data for a while to block shady dealings.”
So, as a startup or fintech, how do you juggle this? First off, when people sign up, make sure to collect only what’s absolutely necessary and keep it safe and tight, by creating a data minimisation policy and implementing secure storage. Hang onto it for the time required by the KYC rules, but not a day more than required.
Also, get clear consent from customers about using their data, and say it’s for preventing money laundering and such.
Access control will also play a key role here, particularly around who in your org gets to peek at this data, keeping it on a need-to-know basis.
When your customers ask to transfer their data somewhere else or erase it (under GDPR), handle this smartly with automated systems.
Keep detailed audit trails of how the data was and is managed and stored, so you are able to provide evidence when needed.
Behind the scenes, it is important to map out all these different compliance requirements and their associated controls, and to train the teams regularly to ensure everyone’s on the same page.
Keeping your legal teams always in the loop to ensure all of this is by the book is also super important. It’s quite a juggling act, balancing customer data privacy with regulatory compliance, but with tech, legal, and ethical practices, it can be addressed efficiently.
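As an added example (not from the article, and not any particular bank’s system), here is a small Python sketch of the “automated systems” and “audit trails” points above: an erasure request handler that deletes what it can straight away, holds the KYC fields under an AML retention clock instead of refusing the whole request, purges them automatically once the clock runs out, and restricts reads of the held data to need-to-know roles, recording every step. The field classification, the 5-year retention period, the role names and the sample customer are all assumptions and placeholders for what your legal and compliance teams actually define.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed classification: fields kept under KYC/AML and therefore exempt from
# immediate erasure. Everything else is erased on request.
KYC_FIELDS = {"legal_name", "date_of_birth", "id_document", "transaction_history"}

# Assumed retention clock, starting when the business relationship ends.
# The article gives no figure; 5 years is a placeholder for the period your
# legal team confirms for your jurisdiction.
AML_RETENTION = timedelta(days=5 * 365)

# Assumed need-to-know roles allowed to read held KYC fields.
KYC_READER_ROLES = {"compliance", "aml_investigator"}


@dataclass
class Customer:
    customer_id: str
    data: dict
    relationship_ended: Optional[date] = None  # None while the account is open


@dataclass
class AuditEvent:
    when: date
    customer_id: str
    action: str
    detail: str


class ErasureService:
    def __init__(self, today: date):
        self.today = today                # injected so the flow is testable
        self.audit: list = []             # append-only evidence trail
        self.scheduled_purges: dict = {}  # customer_id -> purge due date

    def _log(self, customer_id: str, action: str, detail: str) -> None:
        self.audit.append(AuditEvent(self.today, customer_id, action, detail))

    def handle_erasure_request(self, customer: Customer) -> dict:
        """Article 17 request: erase what is erasable now, hold the rest."""
        erased = sorted(f for f in customer.data if f not in KYC_FIELDS)
        for f in erased:
            del customer.data[f]
        held = sorted(f for f in customer.data if f in KYC_FIELDS)
        result = {"erased_now": erased, "held": held, "purge_due": None}
        if held:
            if customer.relationship_ended is None:
                reason = "AML retention: relationship still active, clock not started"
            else:
                due = customer.relationship_ended + AML_RETENTION
                self.scheduled_purges[customer.customer_id] = due
                result["purge_due"] = due
                reason = f"AML retention until {due.isoformat()}"
            # A partial refusal must be recorded (and explained to the customer).
            self._log(customer.customer_id, "erasure_partially_refused", reason)
        self._log(customer.customer_id, "erasure_request_processed",
                  f"erased={erased} held={held}")
        return result

    def run_scheduled_purges(self, customers: dict) -> list:
        """Periodic job: delete held KYC data once its retention has expired."""
        purged = []
        for cid, due in list(self.scheduled_purges.items()):
            if due <= self.today:
                customer = customers[cid]
                for f in [f for f in customer.data if f in KYC_FIELDS]:
                    del customer.data[f]
                del self.scheduled_purges[cid]
                purged.append(cid)
                self._log(cid, "retention_expired_purge", "KYC fields erased")
        return purged

    def read_kyc(self, customer: Customer, role: str) -> dict:
        """Need-to-know access: only listed roles may read held KYC fields."""
        if role not in KYC_READER_ROLES:
            self._log(customer.customer_id, "kyc_access_denied", f"role={role}")
            raise PermissionError(f"role {role!r} may not read KYC data")
        self._log(customer.customer_id, "kyc_access", f"role={role}")
        return {f: v for f, v in customer.data.items() if f in KYC_FIELDS}


def demo() -> dict:
    """Constructed customer walked through request, hold and eventual purge."""
    customer = Customer(
        "cust-001",
        {"legal_name": "Jane Doe (constructed)", "date_of_birth": "1990-01-01",
         "marketing_preferences": {"email": True},
         "newsletter_email": "jane@example.invalid"},
        relationship_ended=date(2023, 3, 1),
    )
    svc = ErasureService(today=date(2024, 1, 15))
    first = svc.handle_erasure_request(customer)
    early = svc.run_scheduled_purges({customer.customer_id: customer})  # too soon
    denied = False
    try:
        svc.read_kyc(customer, role="marketing")  # not a need-to-know role
    except PermissionError:
        denied = True
    svc.today = date(2028, 3, 1)  # after the assumed retention period
    late = svc.run_scheduled_purges({customer.customer_id: customer})
    return {"first": first, "early": early, "late": late, "denied": denied,
            "remaining_fields": sorted(customer.data),
            "audit": [e.action for e in svc.audit]}
```

The design choice worth noting is that a request is never simply refused: the non-KYC fields go immediately, the refusal for the held fields carries the legal basis and the date it expires, and the purge date is recorded so the data really does leave the system when the obligation does. The audit list is the evidence you hand to a regulator or a complaining customer.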
My opinions are my own.