Abstract

On 25th May 2018, GDPR Article 17, the Right to Erasure (‘Right to be Forgotten’), came into force, making it vital for organisations to understand the Personally Identifiable Information (PII) under their control. Where a valid request has been received from a data subject to erase their PII and where the PII contractual period has expired, it is crucial that all PII can be identified, located and deleted. This must be done without undue delay and the organisation must be able to demonstrate that ‘reasonable measures’ were taken. Failure to comply may incur significant fines, not to mention a negative impact on reputation. A key change implemented by GDPR was the expansion of the definition of PII; the term no longer refers to a single piece of data, and therefore many small organisations don't understand the PII in their possession. Adding complexity to this burden of responsibility, many have become dependent on a hybrid cloud infrastructure as a means of gaining a competitive advantage. Consequently, the variety of available tools presents challenges based on cost and the restructuring necessary to instantiate one centralised point. Additionally, many organisations lack the resources to undertake this task. This highlights the challenges faced by a small organisation implementing the GDPR Article 17 Right to Erasure within a hybrid cloud storage environment. This paper aims to demonstrate that compliance with GDPR's Article 17 Right to Erasure is achievable in a hybrid cloud environment. This can be obtained by following a list of best practice recommendations. While 100 percent retrieval, 100 percent of the time, is not possible, this paper illustrates that small organisations running an ad-hoc hybrid cloud environment can demonstrate that ‘reasonable measures’ were taken to be Right to Erasure (‘Right to be Forgotten’) compliant.
