Skip to main content
SpringerLink
Log in

The “Right to Be Forgotten” in the GDPR: Implementation Challenges and Potential Solutions

  • Chapter
  • First Online:
Privacy and Data Protection Challenges in the Distributed Era

Part of the book series: Learning and Analytics in Intelligent Systems ((LAIS,volume 26))

Abstract

The GDPR, being a legal document, follows a technology-agnostic approach so as not to bind the provisions of the law with current trends and state-of-the-art technologies in computer science and information technology. Yet, the technical challenges of aligning modern systems and processes with the GDPR provisions, and mainly with the Right to be Forgotten (RtbF), are numerous and in most cases insurmountable. To this end, in this Chapter we discuss the challenges of implementing the RtbF on contemporary information systems, and we assess technical methods, architectures, and frameworks—existing either in corporate or academic environments—in terms of fulfilling the technical practicalities for effectively integrating the new forgetting requirements into current computing infrastructures. We also discuss the GDPR forgetting requirements in respect to their impact on the backup and archiving procedures stipulated by the modern security standards. In this context, we examine the implications of erasure requests on current IT backup systems, and we highlight a number of envisaged organizational, business and technical challenges pertained to the widely known backup standards, data retention policies, backup mediums, search services, and ERP (Enterprise Resource Planning) systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 119.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 159.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 159.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en.

  2. 2.

    Member States should be authorized to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, ...”

  3. 3.

    https://dictionary.cambridge.org/dictionary/english/backup.

  4. 4.

    http://www.snia.org/sites/default/files/SNIADictionaryV2015-1_0.pdf.

  5. 5.

    https://www.linkedin.com/pulse/gdpr-right-forgotten-backups-jan-garefelt/.

  6. 6.

    http://www.itgovernance.eu/blog/en/the-gdpr-how-the-right-to-be-forgotten-affects-backups.

  7. 7.

    The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for advising EU institutions on privacy related policies and legislation.

  8. 8.

    https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/.

  9. 9.

    https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf.

  10. 10.

    http://medium.com/@brentrobinson5/crypto-shredding-how-it-can-solve-modern-data-retention-challenges-da874b01745b.

  11. 11.

    https://info.townsendsecurity.com/gdpr-right-erasure-encryption-key-management.

  12. 12.

    https://techblog.bozho.net/gdpr-practical-guide-developers/.

  13. 13.

    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf.

  14. 14.

    http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf.

  15. 15.

    https://advisera.com/wp-content/uploads/sites/15/2018/03/List_of_documents_EU_GDPR_ISO_27001_Integrated_Documentation_Toolkit_EN.pdf.

  16. 16.

    https://support.code42.com/Administrator/5/Monitoring_and_managing/File_search/01_Enable_file_search_in_your_Code42_environment.

  17. 17.

    https://docs.druva.com/001_inSync_Cloud/Cloud/030_Governance_DLP/030_Governance_and_DLP/010_Governance/Federated_Search_for_backed_up_data.

  18. 18.

    https://helpcenter.veeam.com/archive/backup/95/em/searching_vm_backups.html.

  19. 19.

    https://cpsdocs.dellemc.com/bundle/P_DP_PG/page/GUID-67803015-B5B6-4D19-90C0-91311D876CA7.html.

  20. 20.

    https://blog.dellemc.com/en-us/make-it-rain-with-your-emc-hybrid-cloud/.

  21. 21.

    http://breakthroughanalysis.com/2008/08/01/unstructured-data-and-the-80-percent-rule/.

  22. 22.

    https://corporate.delltechnologies.com/en-us/newsroom/announcements/2012/12/20121211-01.htm.

  23. 23.

    https://www.silwoodtechnology.com/blog/tested-5-erp-and-crm-packages-evaluated-for-gdpr-personal-data/.

  24. 24.

    https://www.paconsulting.com/services/cyber-security-and-digital-trust/cyber-security/ediscovery/.

  25. 25.

    https://www.silwoodtechnology.com/safyr/safyr-7-supporting-gdpr/.

  26. 26.

    http://filefacets.com/.

  27. 27.

    https://www.netgovern.com/ig-solutions/electronic-discovery.

  28. 28.

    https://www.trustarc.com/products/individual-rights-manager/.

  29. 29.

    https://www.trustarc.com/products/individual-rights-manager/.

  30. 30.

    https://www.epiuselabs.com/data-secure.

  31. 31.

    https://myaccount.google.com/dashboard.

  32. 32.

    https://fossbytes.com/google-tracking-dashboard-myactivity/.

  33. 33.

    https://teamdata.com/.

  34. 34.

    https://digi.me/.

  35. 35.

    http://suicidemachine.org/.

  36. 36.

    http://blogs.harvard.edu/futureoftheinternet/2010/09/07/reputation-bankruptcy/.

  37. 37.

    http://getxpire.com/xpireApp.

References

  1. I.S. Rubinstein, Big data: the end of privacy or a new beginning? Int. Data Privacy Law 3(2), 74–87 (2013)

    Article  Google Scholar 

  2. V. Kadenic, Compliance of Data Lake Enterprise Architecture Model with the General Data Protection Regulation (GDPR). Bachelor thesis, Luleå University of Technology (2015)

    Google Scholar 

  3. M. Blanton, P. Gasti, Secure and efficient protocols for iris and fingerprint identification, in Computer Security–ESORICS (Springer, 2011), pp. 190–209

    Google Scholar 

  4. C. Blundo, E. De Cristofaro, P. Gasti, EsPRESSo: efficient privacy-preserving evaluation of sample set similarity, in Data Privacy Management and Autonomous Spontaneous Security (Springer, 2013) pp. 89–103

    Google Scholar 

  5. J. Bringer, M. Favre, H. Chabanne, A. Patey, Faster secure computation for biometric identification using filtering, in 2012 5th IAPR International Conference on Biometrics (ICB) (IEEE, 2012), pp. 257–264

    Google Scholar 

  6. J. Bringer, H. Chabanne, A. Patey, Practical identification with encrypted biometric data using oblivious ram, in 2013 International Conference on Biometrics (ICB) (IEEE, 2013), pp. 1–8

    Google Scholar 

  7. C. Patsakis, J. van Rest, M. Choraś, M. Bouroche, Privacy-preserving biometric authentication and matching via lattice-based encryption, in International Workshop on Data Privacy Management (Springer, 2015) pp 169–182

    Google Scholar 

  8. S.F. Shahandashti, R. Safavi-Naini, P. Ogunbona, Private fingerprint matching, in Information Security and Privacy (Springer, 2012), pp. 426–433

    Google Scholar 

  9. A.T.B. Jin, D.N.C. Ling, A. Goh, Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn. 37(11), 2245–2255 (2004)

    Article  Google Scholar 

  10. N. Ratha, J. Connell, R.M. Bolle, S. Chikkerur, Cancelable biometrics: a case study in fingerprints, in 18th International Conference on Pattern Recognition (ICPR’06) (IEEE, 2006) vol 4, pp 370–373

    Google Scholar 

  11. A.B. Teoh, Y.W. Kuan, S. Lee, Cancellable biometrics and annotations on biohash. Pattern Recogn. 41(6), 2034–2044 (2008)

    Article  Google Scholar 

  12. F. Schaub, R. Balebako, A.L. Durity, L.F. Cranor, A design space for effective privacy notices, in Eleventh Symposium On Usable Privacy and Security (SOUPS 2015), (USENIX Association, 2015), pp. 1–17

    Google Scholar 

  13. E. Kovacs, Downtime and Data Loss Cost Enterprises $1.7 Trillion Per Year: EMC (2014). https://www.securityweek.com/downtime-and-data-loss-cost-enterprises-17-trillion-year-emc

  14. Health Information Privacy (2015). https://www.hhs.gov/hipaa

  15. PCI Security Standards Council, Download Data Security and Credit Card Security Standards (2021). https://www.pcisecuritystandards.org/security_standards/

  16. ISO—International Organization for Standardization, Iso 29100 iso/iec 29100:2011-Information Technology—Security Techniques—Privacy Framework (2011). https://www.iso.org/standard/45123.html

  17. American National Standards Institute—ANSI (2021) https://www.ansi.org/

  18. Canadian Standards Association, Model Code for the Protection of Personal Information (2013). https://www.scc.ca/en/standards/work-programs/csa/model-code-for-protection-personal-information

  19. Standards Australia, Personal Privacy Practices for the Electronic Tolling Industry; AS 4721-2000 (2000). https://www.standards.org.au/standards-catalogue/sa-snz/other/it-023/as--4721-2000

  20. ISO 38500 (ISO38500) IT Governance Standard (2021). http://www.38500.org/

  21. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (2021). http://www.isaca.org/COBIT/Pages/default.aspx

  22. ISO—International Organization for Standardization, An introduction to iso 27001, iso 27002....iso 27008 (2021). http://www.27000.org/

  23. ISO—International Organization for Standardization, ISO 27001 ISO/IEC 27001:2013-Information Technology—Security Techniques—Information Security Management Systems—Requirements (2013a). https://www.iso.org/standard/54534.html

  24. ISO—International Organization for Standardization, ISO 27002 ISO/IEC 27002:2013 Information Technology—Security Techniques—Code of Practice for Information Security Controls (2013b). https://www.iso.org/standard/54533.html

  25. ISO—International Organization for Standardization, ISO/IEC 27017:2015—Information Technology—Security Techniques—Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services (2015a). http://www.iso.org/iso/catalogue_detail?csnumber=43757

  26. IAPP-EY, IAPP-EY Annual Privacy Governance Report 2017 (2018). https://iapp.org/media/pdf/resource_center/IAPP-EY-Governance-Report-2017.pdf

  27. Joint Task, Transformation initiative, security and privacy controls for federal information systems and organizations. NIST Spec. Publ. 800(53), 8–13 (2013)

    Google Scholar 

  28. Cloud Security Alliance, Cloud Controls Matrix (2021). https://cloudsecurityalliance.org/group/cloud-controls-matrix/

  29. ISO—International Organization for Standardization, ISO/IEC 27040:2015—Information Technology—Security Techniques—Storage Security (2015b). http://www.iso.org/iso/catalogue_detail?csnumber=44404

  30. ISO—International Organization for Standardization, Iso/iec 27018:2014—Information Technology—Security Techniques—Code of Practice for Protection of Personally Identifiable Information (pii) in Public Clouds Acting as pii Processors (2014). http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498

  31. Cloud Standards Customer Council (CSCC), Practical Guide to Cloud Service Agreements Version 2.0 (2015). http://www.cloud-council.org/deliverables/CSCC-Practical-Guide-to-Cloud-Service-Agreements.pdf

  32. C. Bartolini, G. Gheorghe, A. Giurgiu, M. Sabetzadeh, N. Sannier, Assessing IT security standards against the upcoming GDPR for cloud systems, in Proceedings of the Grande Region Security and Reliability Day (GRSRD) (2015), pp. 40–42

    Google Scholar 

  33. D. Lyons, E. Weiss, P. Cisler, P. McInerney, J. Hornkvist, Searching and restoring of backups. US Patent App. 11/760,588 (2008)

    Google Scholar 

  34. A.A. Nene, S.P. Velupula, M. Kumar, A.V. Dhumale, A.G. Das, Backup search agents for use with desktop search tools. US Patent 7,890,527 (2011)

    Google Scholar 

  35. Y.P. Tsaur, R.R. Stringham, S. Sethumadhavan, Method and apparatus for performing file-level restoration from a block-based backup file stored on a sequential storage device. US Patent 8,386,733 (2013)

    Google Scholar 

  36. SAP Information Lifecycle Management (2018c). https://www.sap.com/products/information-lifecycle-management.html

  37. SAP Data Services (2018b). https://www.sap.com/products/data-services.html

  38. SAP Information Steward (2018d). https://www.sap.com/products/data-profiling-steward.html

  39. SAP Process Control (2018e). https://www.sap.com/products/internal-control.html

  40. SAP Access Control (2018a). https://www.sap.com/products/access-control.html

  41. K. O’Hara, N. Shadbolt, W. Hall, A Pragmatic Approach to the Right to be Forgotten (2016), URL https://eprints.soton.ac.uk/389777/

  42. D. Barua, J. Kay, B. Kummerfeld, C. Paris, Theoretical foundations for user-controlled forgetting in scrutable long term user models, in Proceedings of the 23rd Australian Computer-Human Interaction Conference (ACM, 2011), pp. 40–49

    Google Scholar 

  43. D. Lindsay, The “Right to be Forgotten” is Not Censorship (2012). http://www.monash.edu/news/opinions/the-right-to-be-forgotten-is-not-censorship

  44. A. Novotny, S. Spiekermann, Oblivion on the web: an inquiry of user needs and technologies, in Twenty Second European Conference on Information Systems (Tel Aviv, 2014)

    Google Scholar 

  45. J.A. Burkell, Remembering me: big data, individual identity, and the psychological necessity of forgetting. Ethics Inf. Technol. 18(1), 17–23 (2016)

    Article  Google Scholar 

  46. L.J. Bannon, Forgetting as a feature, not a bug: the duality of memory and implications for ubiquitous computing. CoDesign 2(01), 3–15 (2006)

    Article  Google Scholar 

  47. D.J. Solove, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press, 2007)

    Google Scholar 

  48. V. Mayer-Shönberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton University Press, 2011)

    Google Scholar 

  49. P. Ashley, S. Hada, G. Karjoth, C. Powers, M. Schunter, Enterprise privacy authorization language (epal) (2003)

    Google Scholar 

  50. J.I. Hong, J.A. Landay, An architecture for privacy-sensitive ubiquitous computing, in: Proceedings of the 2nd International Conference on Mobile Systems, Applications, and Services (ACM, 2004) pp. 177–189

    Google Scholar 

  51. M. Langheinrich, A privacy awareness system for ubiquitous computing environments, in International Conference on Ubiquitous Computing (Springer, 2002), pp. 237–245

    Google Scholar 

  52. R. Perlman, File system design with assured delete, in Third IEEE International Security in Storage Workshop, SISW’05 (IEEE, 2005), pp. 6–pp

    Google Scholar 

  53. Y. Tang, P.P. Lee, J.C. Lui, R. Perlman, Secure overlay cloud storage with access control and assured deletion. IEEE Trans. Dependable Secure Comput. 9(6), 903–916 (2012)

    Article  Google Scholar 

  54. S. Bajaj, R. Sion, Ficklebase: Looking into the future to erase the past, in 2013 IEEE 29th International Conference on Data Engineering (ICDE) (IEEE, 2013), pp. 86–97

    Google Scholar 

  55. J. Ausloos, The right to be forgotten-worth remembering? Comput. Law Secur. Rev. 28(2), 143–152 (2012)

    Article  Google Scholar 

  56. A. Mantelero, The EU proposal for a general data protection regulation and the roots of the & #x201C;right to be forgotten. Comput. Law Secur. Rev. 29(3), 229–235 (2013)

    Article  Google Scholar 

  57. P. Korenhof, J. Ausloos, I. Szekely, M. Ambrose, G. Sartor, R. Leenes, Timing the right to be forgotten: a study into “time” as a factor in deciding about retention or erasure of data, in Reforming European Data Protection Law (Springer, 2015), pp. 171–201

    Google Scholar 

  58. H.J. Lee, J.H. Yun, H.S. Yoon, K.H. Lee, The right to be forgotten: standard on deleting the exposed personal information on the internet, in Computer Science and Its Applications (Springer, 2015), pp. 883–889

    Google Scholar 

  59. N. Anciaux, L. Bouganim, H. Van Heerde, P. Pucheral, P.M. Apers (2008) Data degradation: making private data less sensitive over time, in Proceedings of the 17th ACM Conference on Information and Knowledge Management (ACM, 2008), pp. 1401–1402

    Google Scholar 

  60. S. Holm, Withdrawing from research: a rethink in the context of research biobanks. Health Care Anal. 19(3), 269 (2011)

    Article  Google Scholar 

  61. R. Geambasu, T. Kohno, A.A. Levy, H.M. Levy, Vanish: increasing data privacy with self-destructing data. in USENIX Security Symposium (2009b), pp. 299–316

    Google Scholar 

  62. S. Wolchok, O.S. Hofmann, N. Heninger, E.W. Felten, J.A. Halderman, C.J. Rossbach, B. Waters, E. Witchel, Defeating vanish with low-cost sybil attacks against large DHTs, in NDSS (2010)

    Google Scholar 

  63. R. Geambasu, J. Falkner, P. Gardner, T. Kohno, A. Krishnamurthy, H.M. Levy, Experiences building security applications on DHTs (2009a)

    Google Scholar 

  64. G. Wang, F. Yue, Q. Liu, A secure self-destructing scheme for electronic data. J. Comput. Syst. Sci. 79(2), 279–290 (2013)

    Article  MathSciNet  Google Scholar 

  65. J. Xiong, X. Liu, Z. Yao, J. Ma, Q. Li, K. Geng, P.S. Chen, A secure data self-destructing scheme in cloud computing. IEEE Trans. Cloud Comput. 2(4), 448–458 (2014)

    Article  Google Scholar 

  66. L. Zeng, Z. Shi, S. Xu, D. Feng, Safevanish: An improved data self-destruction for protecting data privacy. in 2010 IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom) (IEEE, 2010), pp. 521–528

    Google Scholar 

  67. L. Zeng, S. Chen, Q. Wei, D. Feng, Sedas: A Self-Destructing Data System Based on Active Storage Framework, in APMRC (IEEE, Digest, 2012), pp. 1–8

    Google Scholar 

  68. J. Bacon, D. Eyers, T.F.M. Pasquier, J. Singh, I. Papagiannis, P. Pietzuch, Information flow control for secure cloud computing. IEEE Trans. Netw. Serv. Manage. 11(1), 76–89 (2014)

    Article  Google Scholar 

  69. J. Singh, J. Powles, T. Pasquier, J. Bacon, Data flow management and compliance in cloud computing. IEEE Cloud Comput. 2(4), 24–32 (2015)

    Article  Google Scholar 

  70. W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.G. Chun, L.P. Cox, J. Jung, P. McDaniel, A.N. Sheth, TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)

    Article  Google Scholar 

  71. G. Zyskind, O. Nathan et al., Decentralizing privacy: Using blockchain to protect personal data, in Security and Privacy Workshops (SPW). (IEEE, 2015), pp. 180–184

    Google Scholar 

  72. S. Maguire, J. Friedberg, M.H.C. Nguyen, P. Haynes, A metadata-based architecture for user-centered data accountability. Electron. Mark. 25(2), 155–160 (2015)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Informatics, University of Piraeus, Piraeus, Greece

    Eugenia Politou, Efthimios Alepis, Maria Virvou & Constantinos Patsakis

Authors
  1. Eugenia Politou
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Efthimios Alepis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Maria Virvou
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Constantinos Patsakis
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eugenia Politou .

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Politou, E., Alepis, E., Virvou, M., Patsakis, C. (2022). The “Right to Be Forgotten” in the GDPR: Implementation Challenges and Potential Solutions. In: Privacy and Data Protection Challenges in the Distributed Era. Learning and Analytics in Intelligent Systems, vol 26. Springer, Cham. https://doi.org/10.1007/978-3-030-85443-0_4

Download citation

Publish with us

Policies and ethics

Search

Navigation