Saturday, August 4, 2018

Right to be Forgotten

We are falling asleep, just as the machines are waking up. - Amy Webb
More and more I’m thinking like an old man who reminisces about how it used to be. I’m nostalgic, not like it was better back in the day, just a different world. When the internet started, it was such a little club. I cared about SEO - trying to figure out how I could make sure that if you searched for my name you would find information about me. These days? Not so much really - in fact, I do the opposite. How do I make it so that if you search for me you won’t find me? Let me just be an unknown person amid the masses.
At work we recently went through the process of implementing controls for Europe’s General Data Protection Regulation (GDPR), and I am nominally the main privacy officer at the company, so it fell to me to figure it all out. I have to say that I used to be annoyed by the “Right to be Forgotten”, but under GDPR that is a pretty inaccurate description of what it is - and I really like what it is.
Under GDPR, when a company is processing/storing a person’s data, it has to justify WHY it has a right to do that. It can be things like the data is publicly available, or needed to meet a contractual obligation, or needed to prevent fraud. Lots of reasons, but probably the most common one for a lot of processing is “consent” - the reason the company is allowed to do it is that the person has said that the company is allowed.
So the “Right to be Forgotten” is really just the right to withdraw consent. If I told you that you were allowed to process my data - and now I tell you that you are no longer allowed, you need to go and delete my data. Pretty straightforward, right? I love it.
I enabled TweetDelete - goodbye all tweets more than 12 months old. I’ve often considered removing the archive here - like, it’s a nice nostalgia thing for me, but I’m not sure it needs to be forever part of the public record.