ComplyTrust And The Right To Be Forgotten

I came across a solution from ComplyTrust a little while ago and thought it was worth mentioning here. I am by no means any kind of authority with this kind of stuff so this is very much a high-level view.

 

The Problem

Over the last little while (decades even?), a number of countries and local authorities have tightened up privacy regulations in the hope that citizens would have some level of protection from big corporations mercilessly exploiting their personal information for commercial gain. A number of these regulations (General Data Protection Regulation, California Consumer Privacy Act, etc.) include the idea of “the right to be forgotten”. This gives citizens the right to request, in particular circumstances, that data about them is not kept by particular organisations. Why is this important? We have pretty good privacy protection in Australia, but I still get recruiters moving from one organisation to another and taking contacts with them.

How Does This Happen? 

Think of all the backups of data that organisations make. Now think of how long some of those get kept for. For every 1 restore you do, you might have made 100 backups. Depending on what an organisation is doing for data protection, there are potentially thousands of copies of records relating to you stored on their infrastructure. And then, when a company gets acquired, all that data gets passed on to the acquiring company. Suddenly it becomes that much more difficult to keep track of which company has your data on file.

Not a week goes by where I don’t get an offer to buy contact details of VMware users or people interested in cloud products. There is a whole world of B2B marketing going on where your details are being sold for a very low price. Granted, some of this is illegitimate in the first place, so regulations aren’t really going to help you. But the right to be removed from various databases around the place is still important, and something that governments are starting to pay more attention to.

The challenge for these organisations is that they can’t exactly keep a database of people they’re meant to forget – it defeats the purpose of the exercise.

 

The Solution?

So what’s one possible solution? Forget-Me-Yes (FMY) is a “Software-as-a-Service API Platform specifically manages both organizational and individual Right-to-be-Forgotten (RtbF) and Right-of-Erase (RoE) compliance of structured data for Brazil’s LGPD, Europe’s GDPR, California Consumer Privacy Act (CCPA),  Virginia CDPA, Nevada SB220, and Washington Privacy Act (WPA)”.

It’s a SaaS offering going for US $39.99 per month. To get started, you authenticate the service with one or more databases you want to manage. In version 1 of the software, it only supports Salesforce. I understand that ComplyTrust is looking to expand support to get the solution working with Shopify, Marketo, and a generic SQL plugin. It stores just enough information to uniquely identify the person, and no more than that.

 

Thoughts and Further Reading

Some of us want to be remembered forever, but most of us place more value on the choice not to be remembered forever. As I said at the start, I have very little real understanding of the depth and breadth of some of the privacy issues facing both citizens and corporations alike. That said, working closely with data protection offerings on a daily basis, and being focused on data retention for fun and profit, I can see how this is going to become something of a hot topic as the world gets back to spending time trying to understand the implications of keeping scads of data on folks without their consent. Clearly, a solution like this from ComplyTrust isn’t the final word in addressing the issue, but it’s nice to see that folks are taking this problem seriously. I’m looking forward to hearing more about this product as it evolves in the next little while.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.