The amount of personal data collected by businesses, including New Zealand startups, today is astounding. One of the outcomes of this is the complexity of ensuring your users have the “right to be forgotten.”
Just think about your own smartphone usage; when signing-up for an app like Uber, you might use your Facebook login for ease, which means has Uber access information such as contact details, friends, location and more. In return, Facebook can access details on a customer’s travel patterns.
However, with the implantation of restrictive data protection laws such as the European Union’s (EU) GDPR rules, and New Zealand’s own Harmful Digital Communications Act, this kind of unchecked spread of consumer information by start-ups is set to change and offer people a right to be forgotten.
What is GDPR?
GDPR is an acronym for General Data Protection Regulation. It is an EU regulation that will come into effect on May 25, 2018 and generate the biggest changes in data protection in the EU since 1995. GDPR was created to bring as much uniformity into data protection as possible and is a regulation far better suited to the challenges today’s digital world poses.
In many cases GDPR will apply to businesses, including New Zealand start-ups, not actually based in the EU as well. For example, even if you are a ‘tiny-house accommodation finder’ service based out of Wellington, but are monitoring the behaviour of guests that takes place within the EU, such as booking trends out of Germany, you must comply with the requirements of GDPR. It even applies to website visits from users that are in the EU, regardless of whether they are EU citizens or not.
What is a right to be forgotten?
New data protection laws, such as GDPR, pose significant challenges for all startups as they include provisions around a customer’s “right to be forgotten.” In practical terms, a right to be forgotten means that any person your business holds information on (be that an email address for a newsletter, or customer details for a loyalty / rewards program) can ask you, at any time, to forget everything you know about them. Forever.
On receiving a right to be forgotten request, a business must then take all steps necessary to remove all customer data they are holding. While there are some exceptions, such as if the data if the data is needed for a legal claim, most of the right to be forgotten requests a start-up receives will have to be actioned.
What does it mean for New Zealand startups?
On the face of it, a person requesting that your business deletes all of their personal data may seem like a simple request— just delete a record when asked. However, the reality is very different. In many startups data is not always held in one system so “removing that record” swiftly becomes “removing multiple records”, especially for businesses with multiple offices and systems.
To complicate this further, the process itself could be initiated through a range of channels such as website, direct email or mobile application. Regardless of where the request comes from, it’s important that the process remains the same across the business.
When your new business is looking to build its own “right to be forgotten” process, you need to consider four specific items:
- the mechanisms that the customer can interact with to initiate the process;
- the mechanisms for removing the customer’s data;
- the audit trail;
- and the reporting mechanism to the customer (e.g. email notifications of the deletion process).
Further complicating matters is the fact that New Zealand based startups often work with partner organisations and outside agencies to help market their products and services to existing and potential guests. In these instances, customer data may not only be in multiple systems and locations within a business, but data may be held by other external organisations as well.
To ensure that you know exactly where customer data is when working with third parties, it is important that all startups follow proper process. The process starts with identifying the systems and channels that the external partner is working with for you, such as marketing software.
Businesses then need to understand what functionality is provided by the software, or systems, supporting the project with the outside party. From this, a startup should be able to understand who is gathering guest data, at what point, for what purpose and where it is stored. From there any gaps can be identified to resolve and an audit framework can be put into place. Businesses also need to consider timescales involved in removing a customer’s account and determine the mechanism for informing the customer of this.
Meeting the challenge
In an interconnected world where every online interaction is collected, recorded, analysed, and companies often know more about people than they know about themselves; governments are developing regulations that restrict how, when and where all businesses collect data.
Ensuring that your startup has the right processes in place to assist customer requests around their data, including the right to be forgotten, is a challenge all businesses must address.