Ask HN: How are you implementing GDPR-compliant soft deletes?
The idea: Customer requests account or item deletion, you set it to "deleted" in DB without actually deleting it and it helps for documentation purpose should the dispute arise over some issue in future.
85 comments
[ 3.4 ms ] story [ 154 ms ] threadhttps://gdpr-info.eu/art-17-gdpr/
> the controller shall have the obligation to erase personal data without undue delay
If you want to expire something, you can now easily calculate it and you can even easily change the timeout/lifespan without having to update the data in the database.
[edit to clarify that you wipe the customer details]
If I restore a backup it will go via this list and ensure that content in my backups which are keyed to deleted accounts are never restored.
In theory we have the data, but it's never reachable by internal systems. -- Anything else is essentially compromising the integrity of a backup.
1. The most extreme, go back to all of your backups and delete them too.
2. You don't need to do anything, if you do not touch the backups and truly treat them for disaster recovery.
3. Your backups need to have reasonable retention (e.g. two year) and way to apply post requests after recovery.
4. A lot of in between.
5. My personal interpretation is that in first year of GDPR there will be so many companies that are not even trying to be compliant. Any companies showing any reasonable efforts will be just left alone and at worst heard some recommendations. Of course ad-tracking companies might get screwed, but their business model seems to be incompatible with GDPR.
Also right to erasure can be tricky (e.g. what if you keep records for support/warranty purpose). What you should do if someone exercise their right to be forgotten and than ask you for refund.
Edit: I see you mean retention, I guess if you discover after a year that your backup routine is malfunctioning and you need older backups but that is not that common I'd guess.
[0] https://en.wikipedia.org/wiki/Write_once_read_many
If you're datastore is small (e.g. SQL table), but supersensitive (E.g. financial data), you may want to keep backups for really long and on medium that doesn't allow easy modifications (e.g. tapes or AWS Glacier).
I know some government (e.g. Poland social security) keep several backups in many locations for many years just as a redundancy.
It’s not clear yet how that is going to shake out.
https://news.ycombinator.com/item?id=16366864
There are some provisions for those situations.
And on the subject of backups, those are typically exempt but there are some obvious problems there when you restore a backup at a later time.
To me the big ticket items in the GDPR are the notification duty and the data processing agreement 'chain' that gives some level of certainty that the companies you deal with are going to take this serious.
The implementation details and all the moving bits and pieces are most likely not going to be the parts where the real tests will be in the first year or two.
I’m putting essentially everything in the we’ll see category.
It looks like the GDPR at least gets people's attention.
But a possible solution may be to disassociate the data from the customer (as long as the data itself isn't considered 'personal data'). For example, if the reason the data falls under GDPR is because it is connected to the customers email address, you could clear the email address. But that wouldn't let you ever re-associate it. But you could maybe (but don't take my word for it) one way hash the email address (bcrpyt, etc.) and if a dispute arises in the future scan the hashes for a match of the person raising the disputes email address in order to re-associate the data.
It'll depend on the kind of data you're talking about. If you are obligated to keep that data for legal purposes then there's no working around that. But then make an effort to only keep exactly the data you need.
However in the context you're asking - absolutely do delete where possible. If not possible then pseudo-anonymization is a way of dealing with this.
What about symmetric encrypting the field(s) and then giving the customer the key, and tell them to print it or store it safely, or else they won't be able to recover? And then don't store the key or write it to disk (remove it from memory)
I can see the purpose of "right to be forgotten", but I think in some circumstances it is going to be abused. Any service that "bans" users for fraudulent/abusive activity and stores data about the banned user to prevent them from creating new accounts is going to have a problem. Banned user can just request to be forgotten and then create a new account. Unless there is some exception within GDPR that will support this use case.
https://gdpr-info.eu/art-17-gdpr/
You're allowed to ignore deletion rules for the purposes of:
3 Paragraphs 1 and 2 [the rights to be forgotten] shall not apply to the extent that processing is necessary:
(e) for the establishment, exercise or defence of legal claims.
- have a legally trained person review your eventual solution and your reasoning behind it
- document the exceptions, which laws and which datums it covers
- keep track of the law as it changes, especially with new bodies of law such as the GDPR you can expect updates to reflect the situation on the ground and in a way the GDPR itself is such a change.
- be prepared to review the situation/code if the law changes in the future
- be aware that 'data retention' laws are very different from one industry to another (for instance telecommunications is a totally different beast than e-commerce)
Compliance with tax & financial regulations counts as a "legal ground". But that doesn't mean companies can retain all of the email history.
This can get quite complicated, moreso if a company deals with both consumers and companies as customers.
If you are required to hold on to the data for legal purposes such as dispute settlement, there is no issue. The customer can request you delete such data but you have no obligation to do so. Issues arise when holding on to the data is no longer "necessary". At that point soft deletion is not enough and you must be able to remove personal data regarding that customer from your systems. Source: IP lawyer I talked with last week on this.
From what I can tell, one good way of going about this in case you really do not want to throw away data – such as when you're doing event journaling – would be to have all personal data encrypted. When the data reaches its expiration point or is requested for deletion, throw away the decryption key and all you're left with is is the metadata which you are allowed to hold on to for purposes of running your business.
EDIT: This concept is called 'cryptographic deletion'. Here's one whitepaper on the subject. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.397....
GDPR says you must delete information about the customer; but there are cases where you still might need to have that data available.
If your customer can interact with another one inside your app/platform, he/she can commit a crime, and you might be required by court (and by law) to disclose some information (even conversations! inside the platform).
Setting something to "deleted" might not be the best way to do the actual soft delete.
Sometimes you can "delete" that user moving it to a separate part of an LDAP branch (where nobody except someone with authority can access).
In other cases, you can add the "deleted" flag on the table. If so, MAKE SURE your app access the data from a view of the table where the 'deleted' users are not present. Even better: partition the underlying table based on the "deleted" field to physically separate active and deleted users.
But whatever you do, ask your Data Protection Officer first.
Every year we look at quite a few companies, this is the first year that I've spotted a DPO in the wild, and impressively, they even knew their stuff.
https://www.eugdpr.org/key-changes.html
Maybe his company doesn't need one. Of course, whether he has a DPO or not, still the question remains of how to "properly" delete the personal data.
So, in summary: likely the vast majority of the companies affected is only now starting to wake up to the fact that they are affected, for quite a few of these companies the effects will be relatively benign unless their servers are compromised, for the more serious offender and the larger companies that have not yet started to address these issues it is likely too late to get anything done in time but since this goes for the vast majority of them they are simply playing a complicated game of Russian roulette with the oversight bodies and a couple of them will undoubtedly get lucky to great relief of the remainder.
Data protection authorities tend to be vastly understaffed, but this too will hopefully change in the future.
It would be interesting to know whether the big companies have addressed (at least partially) their GDPR compliance. Maybe they do just "play Russian roulette" like you said, and hope for the best.. Of course, implementation guidelines are not yet fully defined (like WP29 opinions, some of them will change, even then, those opinions are not legally binding).
Note that my sample is relatively small and mostly western European countries (nl, be, de, uk).
I've seen one in all of 2017 (out of ~20 companies).
> Is it an internal or external person?
In that case it was internal
> How technical are they?
More legal than technical, but that's a very small sample.
> I'm a developer and I have a law degree; would that put me in an advantageous position to become one?
Yes. In fact that's probably one of the most lucrative combinations of fields.
> Is there a market for 'consulting DPO's', like companies hire accountants, if that's allowed?
YES! In fact if you are halfway decent this would be an extremely lucrative thing to do, but it probably will become less so over time as the knowledge gets diffused.
1) It was not their main role
2) It was a token gesture, someone to address post too!
Every consulting firm I know is trying to sell GDPR services atm...
That is: Remove all personal information - email, name, surname, etc..
Disclaimer: I'm a fan of anonymisation because I'm working on a project to bundle this in to a service - https://anon.ai - would be great to understand more about your use case.
Define capable. Look at this thread as an example. Many answers contradict each other. There are so many ways to interpret the guidelines, which in many cases have not been thought through.
I have engaged in discussions with 5 companies located in the UK. All gave differing answers on specific questions relating to data for marketing, finance, and fraud.
You need to know the law inside out to be able to tell someone exactly what to do in their situation. We - our little band of friends - have been reading up on this subject since the previous privacy law was enacted and all I can tell you is that it is much easier to spot things that are in conflict with the law(s) as written than to come up with a single workable solution that does not leave things open to interpretation.
Even so, these laws are good, they will force people to wake up to the underlying issues and to begin to think about their responsibilities when before the mantra seems to have been that any effort spent on privacy and security is better spent on growing the business because otherwise the other guy that doesn't care about those things will eat your lunch.
Was it?
Let me be blunt for a second. When someone asks for recommendations. If you are able to help that person, then please do so. It helps them and it may help others in the HN community.
What you should not be doing, is your previous reply. In no way was it warranted, nor was it solicited.
If you wish to make such statements known. Feel free to post your own comment or replying elsewhere.
I cannot believe some elements of HN behave in this manner.
No. Recommending commercial entities to others is not what HN is for.
If you want such a thing you are more than welcome to contact me or others out-of-band.
> It helps them and it may help others in the HN community.
Yes, or it may steer them in the wrong direction entirely.
I don't think this sort of advice is best dispensed through a public forum, reputations of companies are at stake and without enough context it is impossible to make a good advice to begin with.
It is closely related to people dispensing legal advice in forums, better yet if they're not lawyers. The line that comes to mind is 'advice is worth what you pay for it'.
> What you should not be doing, is your previous reply. In no way was it warranted, nor was it solicited.
That's your opinion, mine is a different one.
I get regularly asked to recommend services or companies (by those companies and by their prospective customers) and as a rule I will only do this if I familiar with both parties and consider them a good fit.
That's a thing borne from experience, which again you may disagree with but this has served me well over the years.
> I cannot believe some elements of HN behave in this manner.
And I can not believe that you feel that you are doing any better with this comment.
1) Act in good faith. DPA fines seem to have been to people who had a blatant disregard for data protection and their customers, not those who tried hard but committed some technical breach.
2) Whenever new rules come out there is a long period of interpretation. Unless you are in a very high risk category I wouldn't 'throw the baby out with the bath-water' in the interim.
3) Documentation wins court cases.
4) Personally I was already trying not to have my data stolen, so I am not overly concerned by GDPR. I am updating some policies, employee handbooks and terms. I will watch how other companies deal with it before I act too rashly.
On the whole I think your approach is a very balanced and reasonable one, especially the 'act in good faith' bit. What surprises me is that plenty of companies explicitly do not act in good faith and try to interpret the directive creatively so that they can continue to do what they were already doing without modification. That's asking for trouble in my opinion, some companies in that bracket will find themselves in the un-enviable position of being used to educate the rest.
Especially in adtech and marketing there will be a lot of tension between business goals and the law as written and the finer you want to ride that line the more important it becomes to have competent guidance.
Firstly, download the regulation itself. At the very least, read article 17. Article 17 concerns something called "The right to be forgotten". It is about 25 lines of legalese. Once you have read it, have a think about it. Then read it again and have a longer thing about its implications. Then, just to be sure you have not gone stark staring bonkers, read the rest. Carefully. Be under no illusion, the GDPR is a game changer in information management terms, let alone anything else.
Also, if you want to make a larger comment it is usually possible to resize the input field.
Important is also how you handle data analytics and this is why we're deploying high restrictions on raw data. Analytics will only be able to be done through an analytics service which can give the employees access to only certain parts of the data which is approved for the use-case. We're using Apache Sentry for fine grained role based authorisation to data and metadata and a directory services for user auth.
Things we've learned:
* Minimise data usage
* Don't use personally identifiable data
* You will need to be able to prove consent when it comes to data usage and it cannot be consent by default, it has to be opt-in
* Log all data access so that use cases can be proved. This needs to be evaluated and audited
* Encrypt in transit and at rest
* Centralise mapping for all data
Understand what your lawful basis for storing and processing the data is, and that dictates how you need to handle it. Plenty of people throw around large fines and rights to be forgotten and make sweeping statements about "you can't keep X data/we can hash things!/delete all the things". You have a number of potential reasons for storing or processing data. Legal reasons, contractual reasons, consent based reasons - data subjects have different rights depending on the reason you're storing the data (there is a list of these reasons; see below.)
I may be keeping data because I have a contract with a client, and I require the data. An example of this would be an email address stored as a login. My legal basis for storing the information is contractual (I have a contract with my client). Does the data subject (in this case, the user who's email it is) have a right to erasure? No. Can I store the information in my Amazon RDS instance in Virginia? Yes. Provided I've explicitly stated it, and been transparent about how and where I'm storing and processing the data, and my client has agreed. Do I need to secure and look after the data? Yes. Obviously. Do I need to get to get consent from the user? No. That wasn't the legal basis for storing the information.
What about consent based stuff? I may have someone subscribe to my mailing list. I get their consent. Therefore, the legal basis for storing and processing is consent. That consent should be time limited, and I should be transparent about it. I need to give them the means to review, withdraw and act on their consent should they wish to.
What about keeping a record of a person you've deleted because they have requested it? You can store this. Lawful basis is that it's a legal requirement. If you go and use the data for any other purpose, it's not allowed - because that would require their consent.
If you want to understand lawful basis, this is a good overview - https://ico.org.uk/for-organisations/guide-to-the-general-da...
Trying to wade through one half of the GDPR and its requirements without understanding lawful basis leads to confusion, because you'll keep hitting cases that seem completely unreasonable (because they may not be required). Trying to paint the law vague and unreasonable defeats the point - it will become less vague over time. It makes privacy a first class citizen (something we sorely need), and will become more specific as it's tested in the courts, just like any other law in jurisdictions that value legal precedent.
Get to know it and work with it - this is not your mother's EU cookie law.
And secondly, I am going to ask someone I know who is a legal eagle to sign up to this site. She is very clever and knows this stuff backwards. She also has an aspiration to come and work in the US....