Forgotten @ Scale: A Practical Solution for Implementing the Right To Be Forgotten in Large-Scale Systems

TL;DR

This paper presents a practical design pattern and implementation for enabling the right to be forgotten in large-scale, distributed data systems, addressing technical challenges in compliance with GDPR.

Contribution

It introduces a novel, practical solution for implementing the right to be forgotten in large-scale, complex data environments, which was previously lacking.

Findings

Demonstrates a scalable implementation approach

Addresses challenges of distributed data deletion

Ensures compliance with GDPR requirements

Abstract

The European General Data Protection Regulation asserts data subjects' right to be forgotten, i.e., their right to request that all their personal data be deleted from an organizations' data stores. However, fulfilling such requests in large-scale systems is technically challenging. It requires that organizations keep track of all locations in which an individual's data is stored, be able to access and delete it in a reasonable time frame, and be able to prove that all such data was in fact deleted. In addition, organizations must cope with complexities such as multiple, distributed, and continuously evolving systems of record, complex data retention policies and deletion approval workflows. We present a first design pattern and practical implementation of the right to be forgotten on a large scale in Big Data and cloud environments.