Deletion Concept

Data deletion orchestration based on the right to be forgotten

General data protection

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals who are located in the EEA, and applies to any enterprise — regardless of its location and the data subjects' citizenship or residence — that is processing the personal information of individuals inside the EEA.


Enforcement

  • The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, and provides flexibility for certain aspects of the regulation to be adjusted by individual member states.
  • The regulation became a model for many other laws across the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. As of 2021 the United Kingdom retains the law in identical form despite no longer being an EU member state.
  • The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.
  • It is planned that the new Swiss data protection law (DSG) will come into force on September 1, 2023 in Switzerland. The necessary decision by the Federal Council has yet to be made.

The right to be forgotten

Article 17 GDPR: "Right to erasure" also known as "Right to be forgotten"

A right to be forgotten was replaced by a more limited right of erasure in the version of the GDPR that was adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds within 30 days, including noncompliance with Article 6(1) (lawfulness) that includes a case if the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.


More information


Business object dependencies

Your company uses multiple software applications to store and manage diverse data. The data in these applications is in turn related to each other. Personal data must be able to be completely deleted according to the above information on GDPR and Article 17. In order to ensure that your company survives an audit based on Article 17 of GDPR, the following main points need to be clarified:

  • Which types of business objects contain personal data and how to group them?
  • After which retention period they have to be deleted according to the right to be forgotten?
  • Is there knowledge about the dependencies of this business object types in the company?

The knowledge of these main points is of crucial relevance for the deletion of personal data in your company, since the sequence of deletions within dependent business object types is based on them. The following figure illustrates the situation.



Deletion process automation

If the number of business object types to be deleted exceeds a value that is no longer manageable for manual deletion, the company will need to automate deletion. This is also the case especially if the dependencies between the business object types are complex and different applications have to be considered. Manual deletion errors can be avoided and a deletion evidence for audit reasons will be created.

A then required deletion automation system that orchestrates the enterprise applications for deletion consists of the following main processes during the automation. The technical setup and business configuration, such as the named business object types and orchestration sequences, have already been done.

  • Identify - Identification of personal data which needs to be deleted and the deletion orchestration requests with differentiation of application types, business object types and allowed combinations.
  • Validate - Validation on business object level of accuracy, manual approvals, deletion locks, legal holds, automatic veto checks against the deletion.
  • Delete - Deletion of the business objects itself by the commissioned application.
  • Document - Collection of information on deletion evidence for audit purposes and statistics on deletion process, key performance indicators, alerts or error cases.