Abstract
The GDPR, being a legal document, follows a technology-agnostic approach so as not to bind the provisions of the law to current trends and state-of-the-art technologies in computer science and information technology. Yet the technical challenges of aligning modern systems and processes with the GDPR provisions, and mainly with the Right to be Forgotten (RtbF), are numerous and in most cases insurmountable. To this end, in this chapter we discuss the challenges of implementing the RtbF on contemporary information systems, and we assess technical methods, architectures, and frameworks, existing either in corporate or academic environments, in terms of fulfilling the technical practicalities for effectively integrating the new forgetting requirements into current computing infrastructures. We also discuss the GDPR forgetting requirements with respect to their impact on the backup and archiving procedures stipulated by modern security standards. In this context, we examine the implications of erasure requests on current IT backup systems, and we highlight a number of envisaged organizational, business and technical challenges pertaining to the widely known backup standards, data retention policies, backup media, search services, and ERP (Enterprise Resource Planning) systems.
Notes
- 2. Member States should be authorized to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, ...”
- 7. The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for advising EU institutions on privacy-related policies and legislation.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Politou, E., Alepis, E., Virvou, M., Patsakis, C. (2022). The “Right to Be Forgotten” in the GDPR: Implementation Challenges and Potential Solutions. In: Privacy and Data Protection Challenges in the Distributed Era. Learning and Analytics in Intelligent Systems, vol 26. Springer, Cham. https://doi.org/10.1007/978-3-030-85443-0_4
DOI: https://doi.org/10.1007/978-3-030-85443-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85442-3
Online ISBN: 978-3-030-85443-0
eBook Packages: Intelligent Technologies and Robotics (R0)