Upcoming EU privacy legislation has a potentially high impact on both private and public sector operators, and especially on digital services, including web shops. This is no news to the many who have delved into the topic a bit deeper than the mere surface. Under the surface, one starts to understand the complexity that a “simple” requirement like the e-client’s or e-citizen’s right to be forgotten entails.
Not many operators are mature enough in their information architecture (knowing everywhere the data within privacy’s scope resides) and agile enough in rapid process development to easily establish transparent, repeatable and low-cost daily-routine processes that answer a data subject’s wish to have all personal data about her removed from all systems and operations. And last but not least – being able to prove that this has really been successfully carried out.
I desire not to present gloomy judgement day talks on the topic with prophecies of how damn hard it’s going to be. Rather, I am trying my best to present ideas and solutions on how best to tackle the legislation’s requirements.
One of the hints I gave, speaking at a privacy conference arranged by Prague Security Studies Institute (thanks guys for the invitation!), was the principle of data minimization. It’s not a silver bullet, not even a sterling silver one, but I do see a possibility to make the upcoming job much easier if one gives a moment or two to really think about data minimization.