According to DLA Piper, EU data protection authorities have handed out a total of $1.25 billion in fines over 2021.
GDPR & CCPA Process: What To Do When Users Want Their Data Deleted
How much data do you currently store on your online customers, where is it all, and what will you do if they want it deleted? How complicated will it be to remove just one customer's data surgically? You should have a clear plan that complies with privacy regulations such as the CCPA and GDPR (with many more expected!) to remove that data efficiently. If you don't already have a system to manage these deletion requests, you need to keep reading to learn more about these laws, the legal rights of consumers, and how to improve your response.
Right now, you probably have countless pieces of data on all your online users spread out over your sales records, marketing applications, communications software, billing systems, and so much more. Remember, we are not lawyers; this is not paid legal advice. As a web admin, you have a legal (and moral) obligation to have a clear process documented to quickly remove an individual's data upon request. That said, let's get into some best practices!
The CCPA and GDPR Likely Applies to You
The laws regarding data collection have strengthened in recent years to ensure that users are better protected from data misuse or any data breaches. One of the most important laws to be aware of is the General Data Protection Regulation (GDPR.) This became official in May 2018 to regulate EU businesses and those selling to consumers in this region. While you may not be an EU business, you may have consumers from there so you still need to comply with the GDPR process. If you don't, you could end up with a hefty fine.
On top of this, you also have to consider a more recent development in California. In January 2020, the state passed the California Consumer Privacy Act (CCPA) which allows for better protection for California residents. Again, while this sounds region-specific, it relates to the use of data on California natives by any business across the nation and the globe.
On March 2, 2021, Virginia became the second state to enact a comprehensive data privacy law. They won't be the last.
The Customer Has The Right To Ask For Data To Be Removed.
Effectively dealing with data collection means deleting data at the request of the user as well as handling it securely. Anyone that uses a website and agrees to any form of data collection has the right to know you'll manage data about them properly and the right to have you delete it all on request. When they do request their data to be removed, you need to be ready to act.
Users also have the right to be informed about details of the process before consenting and the right to access anything you have on file. Users also have the right to be informed about data breaches. If you do happen to have a data breach, you must inform users within 72 hours of the discovery.
One of the most important rights is the right to erasure, which is part of Article 17 of the GDPR. This allows most users to request to have all data erased from the system "without undue delay". There are exceptions to the rule, such as where there are legal implications or matters of public interest.
Deleting User Data is Easier Said Than Done
If you receive a request for data deletion in line with the GDPR process, you need to act fast and diligently to remove every last trace. The problem here is that there is so much data across a vast network of systems and applications. Also, you don't want to forget about backup files and logs. This is why it is so important to have a plan in place for deleting data in compliance with the GDPR process and CCPA process.
Step 1: Create a Clear Plan for your Team
As every organization is different when it comes to systems, we recommend your business develops a set of guidelines for its particular circumstances. These data deletion requests will touch every aspect of your business, from marketing through sales and into customer success and accounts receivable. You'll need a clear list of systems that collect data and document the steps involved in removing an individual's data at every point. How is it done, and which role is responsible for removing it. Given access control rules, it's quite likely that every deletion request will involve multiple people collaborating, so you'll need a task management solution to make sure every step is completed in a timely fashion.
Step 2: Build a Specific Team
Public companies and any private companies processing sensitive personal data either on a large scale or collecting enough information that would impact the privacy rights of an individual are legally required to have a Data Protection Officer (DPO) as part of the GDPR process to oversee compliance and manage security. This doesn't have to be a full time job, and you can outsource it, but it is an official role you will need to have a named person holding.
Given there are different systems involved with deleting user data, it's wise to put a small official team together with specific named individuals who are responsible for the different deletion steps. This team can then be held accountable for quickly removing user data when requested.
Step 3: Train Everyone Involved to Improve the Process
New systems are frequently added to parts of the business, and your SaaS vendors may be changing interfaces and service offerings too. It's important for everyone on your cross departmental data security team to feel empowered to update the operating procedures to be accurate over time. There's a simple way to help people come out of training feeling really empowered to do it on their own with the See One, Do One, Teach One training method.
It's also important to test this process routinely. Create a test user and request to delete their content at least once a year, if not more frequently.
Step 4: Make it Easy to Request Deletion
Step 5: Develop a Clear Communication Plan
An automated system can help a lot here. You can set up a basic response that responds to the user's email address and lets them know that a) you got their request and b) you are working to remove all data from the system. Once the process is complete and has been double-checked, you can then write to them again to inform them of your success. At this point, there should be no record of their personal information, banking details, or other data anywhere in your sales, billing, marketing, or any other system.
Hopefully, you have previously ensured that you are not collecting PII in your logs so you don't have to worry about surgically excising the user data. Inform the user about your backup schedule and when their data will "roll off" the backups.
From there, all that is left is to delete the data about the saved email address after confirming the process is complete. It is the final but necessary step in a long process of CCPA and GDPR compliance. Don't forget to delete the correspondence about deleting user data, or the job isn't quite fully done!
The GDPR process may sound like a lot of work, but it is worth the effort to keep users happy and avoid any potential legal issues.