The European Court's (EU) recent ruling that Google must erase search results at the request of people is only the tip if the iceberg. It has spawned a host of issues surrounding 'the right to be forgotten' as part of the Data Protection Directive 1995, a plan that intends to give ordinary individuals full control of their personal data in the digital world.
This ruling doesn't impact search engines like Google alone, which has since received 40,000 requests (and counting) from people to remove their data. Long term, it will affect almost every organisation, which now face significant policy and technology-related enforcement challenges. The regulation can be leveraged by any individual who is a citizen of the EU.
Given that data protection falls under the remit of the CISO, our security experts must begin to get to grips with the implications of this ruling. They must, in consultation with their organisation, determine the ways to ascertain the legitimacy of such requests, as well as determine processes to ensure that the regulation is complied with fully. They need to establish a framework that outlines who in the organisation decides that a particular request warrants the information to be deleted, i.e. that the individual's need for privacy is greater that the organisation's right to access it, what investigative process must be followed to arrive at that conclusion, and if the decision is not in the favour of the individual who handles the appeals/complaints.
From a technical standpoint, the biggest challenge CISOs face is eliminating unauthorised duplication of data. To fully implement the ruling, every copy of the information/data in question must be removed across the entire corporate network; PCs, internal and external servers, backup, local disks and disaster recovery mechanisms, not to mention USB sticks, smartphones and tablets that employees use.
Despite best efforts, it is impossible to locate all the copies (full or partial) of a particular piece of data and be sure that the information has indeed been eliminated from the company records. An employee may have retained a hard copy of that information or someone may have an unauthorised screen grab of the information on their personal device. Furthermore, organisations often share corporate information as part of larger shared networks across jurisdictions. While the information will be subject to removal in the EU, it could very easily be available in another part of the company in another country. Similarly, enterprises' cloud servers are often located in the outside the EU.
Sign up for CIO Asia eNewsletters.