Hello and welcome once again to Impero’s ongoing series on the upcoming General Data Protection Regulation and its impact on the use of remote access and control software. This week we’ll be digging into the “right to be forgotten” and the data-subject rights that travel with it: access, portability, rectification, and erasure. Let’s take a look at each of these individual rights:
- The Right of Access (Article 15). Simply put, if an organization is storing personal data, the data subject can ask to see it and obtain a copy.
- The Right of Portability (Article 20). The data subject can receive the personal data they provided in a structured, commonly used, machine-readable format and have it moved to another provider.
- The Right of Rectification (Article 16). After a data subject has accessed their personal data and reviewed it, they must be able to have any errors corrected.
- The Right of Erasure (Article 17), the “right to be forgotten” proper. Finally, the data subject has the right to have their personal data erased from an organization’s records.
Remember, the definition of “processing” data provided by the GDPR is quite broad:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
– Article 4(2), definitions
For the purposes of remote control, the rights of access, portability, rectification, and erasure apply in practice to the personal data your solution stores, and as we have previously discussed, that storage primarily takes place in configurations, settings, and log files. In other words, if you are storing someone’s data, be it an employee’s or a customer’s, you must in all likelihood also grant them these four rights.
Realistically, granting access to configurations and settings does not align with the fundamental aim of the GDPR. This is an instance where a business is likely to have an overriding legitimate interest: handing a data subject their device’s configuration files serves no purpose of theirs and probably conflicts with the business’s security policy, which may justify limiting the request (bear in mind that any refusal has to be explained to the data subject, per Article 12(4)). However, the right to be forgotten does make sense for remote device configuration files and settings. Whenever you store personal data on an employee or customer, you must be able to delete it on request, so having a system in place to locate and expunge personal data is incumbent on administrators of remote access. For larger organizations this means these enormous data sets must be centralized; otherwise locating, accessing, and erasing personal data will be a nightmare. We recommend a mechanism to centralize that data storage, so you can provide the rights of access, portability, rectification, and erasure from one place.
Granting a data subject access to the log files of a remote access session also aligns with the principles and precepts of the GDPR. For example, if your remote control solution includes an integrated chat tool and you log chat records, those records need to be stored in such a way that they can be accessed, transferred, corrected, and deleted.
Again, the GDPR does grant businesses rights of their own. The principle of overriding legitimate interests ensures that businesses are not forced to follow rules that are impractical or risky, and Article 17(3) exempts data that must be kept to meet another legal obligation. As a security measure, there will almost certainly be audit records that no one can alter; the practical answer is to keep personal data out of them in the first place. Businesses should determine what information is strictly necessary to meet other regulations and security policies and limit data storage accordingly. You can read more about that in our previous post on data minimization.
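The locate, export, rectify and erase mechanism the preceding paragraphs call for, sketched in Python as an added example (this is not Impero’s code or any real product’s API). Chat records from remote sessions are centralized under one index per data subject, each of the four rights is a single operation, and the erasure is itself recorded in a hash-chained audit log that stores only an HMAC pseudonym of the subject, so the unalterable audit record holds no personal data. The record fields, the sample chat lines and the HMAC key are constructed assumptions.

```python
"""Centralized store for personal data captured by a remote-access tool
(here: chat records from support sessions), with the four data-subject
rights and a tamper-evident audit log that keeps no personal data.

Added example for this post; the record format, field names and key are
assumptions, not Impero's product or any real API."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


# Constructed sample input: chat lines as a remote-control chat tool might
# log them (hypothetical format; subject_id would come from the directory).
SAMPLE_CHAT = [
    {"record_id": 1, "subject_id": "emp-1042", "session": "s-7781", "text": "Hi, my VPN keeps dropping"},
    {"record_id": 2, "subject_id": "emp-1042", "session": "s-7781", "text": "My phone is 555-0199 if you need it"},
    {"record_id": 3, "subject_id": "cust-88", "session": "s-7790", "text": "Printer offline again"},
]

AUDIT_KEY = b"rotate-me-keep-in-a-vault"  # assumption: HMAC key held outside the app


@dataclass
class AuditEvent:
    seq: int
    action: str             # "erase" or "rectify"
    subject_pseudonym: str  # HMAC of subject_id, so the log holds no identifier
    prev_hash: str          # hash of the previous event (chain link)
    this_hash: str = ""


class PersonalDataStore:
    def __init__(self, records, audit_key=AUDIT_KEY):
        # Centralize: one index from data subject to their records, so a
        # request can be satisfied without grepping every endpoint's logs.
        self._by_subject = {}
        for r in records:
            self._by_subject.setdefault(r["subject_id"], []).append(dict(r))
        self._audit_key = audit_key
        self._audit = []

    # Right of access (Art. 15): everything held about the subject.
    def access(self, subject_id):
        return [dict(r) for r in self._by_subject.get(subject_id, [])]

    # Right of portability (Art. 20): structured, machine-readable export.
    def export(self, subject_id):
        return json.dumps(self.access(subject_id), indent=2, sort_keys=True)

    # Right of rectification (Art. 16): correct one record in place.
    def rectify(self, subject_id, record_id, new_text):
        for r in self._by_subject.get(subject_id, []):
            if r["record_id"] == record_id:
                r["text"] = new_text
                self._log("rectify", subject_id)
                return True
        return False

    # Right of erasure (Art. 17): drop the records, keep only an audit event.
    def erase(self, subject_id):
        removed = len(self._by_subject.pop(subject_id, []))
        if removed:
            self._log("erase", subject_id)
        return removed

    def _pseudonym(self, subject_id):
        return hmac.new(self._audit_key, subject_id.encode(), hashlib.sha256).hexdigest()

    def _log(self, action, subject_id):
        prev = self._audit[-1].this_hash if self._audit else "0" * 64
        ev = AuditEvent(seq=len(self._audit), action=action,
                        subject_pseudonym=self._pseudonym(subject_id), prev_hash=prev)
        ev.this_hash = self._event_hash(ev)
        self._audit.append(ev)

    @staticmethod
    def _event_hash(ev):
        body = json.dumps({k: v for k, v in asdict(ev).items() if k != "this_hash"}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def verify_audit_chain(self):
        """True if no audit event has been altered, reordered or dropped."""
        prev = "0" * 64
        for i, ev in enumerate(self._audit):
            if ev.seq != i or ev.prev_hash != prev or ev.this_hash != self._event_hash(ev):
                return False
            prev = ev.this_hash
        return True

    def audit_events(self):
        return [asdict(e) for e in self._audit]


if __name__ == "__main__":
    store = PersonalDataStore(SAMPLE_CHAT)
    store.rectify("emp-1042", 2, "[phone number removed at subject's request]")
    store.erase("emp-1042")
    print(store.export("cust-88"))
    print(store.audit_events(), store.verify_audit_chain())
```

The audit log satisfies the "records no one can alter" requirement without holding what the subject asked you to delete: anyone holding the HMAC key can still answer "was this person's data erased, and when?", while the log itself contains no name, session or chat text. The hash chain only detects tampering; the log still needs append-only storage to prevent it.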
Keep a lookout for our upcoming eBook on the General Data Protection Regulation. In the meantime, we’ve got you covered for all things GDPR-compliant remote access: our infographic asks 8 questions to ensure compliance, our latest eBook is the definitive guide to preparing your remote solution, and our GDPR checklist will ensure all your bases are covered.
And as always, subscribe to our blog for more news and information on the wild world of remote access and control.