Affects Version/s: None
Fix Version/s: None
Component/s: User Management > Personal Data
Epic Status: To Do
GDPR's right to data erasure, also commonly referred to as the right to be forgotten, empowers data subjects to request the deletion of personal data from a data controller where there is no longer a compelling reason for continued processing. Unless the data controller has a compelling reason to object to the request (legal requirements, public interest purposes, etc.), personal data must either be deleted or anonymized in such a way that the data subject is no longer identifiable. Though deleting personal data may be the most thorough means of ensuring compliance, it may be unduly harmful or disruptive to the interests of the data controller. Alternatively, the data controller can choose to anonymize data. Once properly anonymized, personal data falls outside the scope of GDPR and is no longer subject to its regulations.
The bar for proper anonymization is high. Simply renaming the user and deleting personal details like his/her address, phone number, etc. is likely insufficient. It’s possible the user may have uploaded personal photos, shared contact information in a forum post, revealed anecdotal details in a blog post, etc. Such information can be used to relink the anonymous user to the original data subject, which would violate the regulation. Special care must be taken to evaluate whether personal data may reside outside of content and activity directly contributed by the user. For example, user Jane may start a forum post asking a question. User Joe may reply with “Jane, you might find this useful ...” In this example, the reply is created by Joe but contains personal data about Jane (her name) that can be used to reidentify Jane even after her name is anonymized. As with data portability, whether such content is considered personal will need to be evaluated by the data controller.
As a data controller, I want a user interface to anonymize a user’s personal data.
Provide a UI and programmatic interfaces to anonymize or delete personal data stored on Liferay when a user invokes his right to “data erasure”.
The data controller will be provided a UI to initiate a user’s right to erasure. The UI will present options to either anonymize or delete for each application.
When invoked, each application will need to determine where personal data may be stored for the requested user and how to appropriately respond to the request. If a delete is requested, it may be sufficient to simply delete all instances of data associated with the user. However, anonymization will likely be a common option chosen by data controllers as it's potentially less disruptive. For example, a user may have posted a blog sharing tips on upgrading to DXP. Simply deleting the post would cause unnecessary loss of valuable information, so instead anonymization will be preferred.
If anonymization is requested, applications will need to determine how to modify personal data. For example, in dealing with a street address, the data controller may choose to remove all details but keep the zip code for future analytics purposes. The data controller must properly audit how data is being anonymized to ensure the data subject is truly no longer identifiable.
For instances where the application cannot programmatically determine whether data is considered personal, the data controller will need to review the data. We can use the same export logic described in the “personal data portability” feature but only export data flagged as indeterministic by the application. The data controller can review this data and respond accordingly. For example, a blog app will need to mark the title and content of a blog as indeterministic as the blog may or may not be considered personal. If the content is deemed personal, it must be properly anonymized. For this version, we’ll assume most applications will have interfaces permitting administrators to edit the content. If not, we will leave the option for the administrator to invoke the delete option.
- Admins have the option to “delete/anonymize personal data” for a selected user
- Choosing “delete/anonymize personal data” presents a UI showing all the applications that store personal data. The list of applications is those that have implemented the programmatic interface mentioned below.
- Admins can select whether each application should “delete” or “anonymize” personal data
- Programmatic interface for applications to either delete or anonymize a user’s personal data upon request.
- If anonymization is requested and the application cannot determine whether data is personal, it will indicate a status that further evaluation is required.
- The UI will show an “export” option for each application with an indeterminate state that uses the same logic as the export feature in “personal data portability” to export the indeterminate data.
- The UI will also show a “delete” option allowing the admin to simply delete the indeterminate data.
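As an added illustration of the contract the requirements above describe, the following Java sketch is not Liferay's own code; every name in it (`PersonalDataHandler`, `Action`, `Status`, `Post`, `ForumHandler`) is assumed. It models one application (a forum) that the erasure UI can ask to delete or anonymize a user's data, anonymizes structured fields deterministically (street removed, zip kept for analytics, the Jane/Joe example from above), and reports `REVIEW_REQUIRED` when free-text content authored by the subject, or another user's post that names the subject, cannot be classified programmatically, so that the UI can offer the export and delete options for that indeterminate data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical illustration only: none of these types are Liferay's real API.
public class ErasureExample {

    enum Action { DELETE, ANONYMIZE }
    enum Status { COMPLETE, REVIEW_REQUIRED }

    /** Contract each application implements so the erasure UI can drive it. */
    interface PersonalDataHandler {
        String applicationName();
        Status erase(long userId, String displayName, Action action);
        List<Post> exportIndeterminate(long userId);   // feeds the "export" option
        void deleteIndeterminate(long userId);         // feeds the "delete" option
    }

    /** Constructed sample record: a forum post with structured and free-text fields. */
    static final class Post {
        long authorId;
        String authorName;
        String street;   // structured personal data, removed on anonymize
        String zip;      // kept after anonymization for analytics (assumed controller policy)
        String body;     // free text: the application cannot tell whether it is personal

        Post(long authorId, String authorName, String street, String zip, String body) {
            this.authorId = authorId; this.authorName = authorName;
            this.street = street; this.zip = zip; this.body = body;
        }

        @Override public String toString() {
            return "[" + authorId + "/" + authorName + " @ " + street + " " + zip + "] " + body;
        }
    }

    static final class ForumHandler implements PersonalDataHandler {
        private final List<Post> posts = new ArrayList<>();
        private final List<Post> indeterminate = new ArrayList<>();

        void add(Post p) { posts.add(p); }

        public String applicationName() { return "forum"; }

        public Status erase(long userId, String displayName, Action action) {
            if (action == Action.DELETE) {
                // Delete: remove every record owned by the subject. Other users'
                // posts that mention the subject are only examined on anonymize.
                posts.removeIf(p -> p.authorId == userId);
                return Status.COMPLETE;
            }
            // Word-bounded, case-insensitive match on the subject's display name,
            // used to spot other users' content that could re-identify the subject.
            Pattern mention = Pattern.compile(
                "\\b" + Pattern.quote(displayName) + "\\b", Pattern.CASE_INSENSITIVE);
            Status status = Status.COMPLETE;
            for (Post p : posts) {
                if (p.authorId == userId) {
                    // Structured fields: anonymize deterministically.
                    p.authorName = "Anonymous User";
                    p.street = null;
                    // Free text authored by the subject: indeterminate, needs review.
                    indeterminate.add(p);
                    status = Status.REVIEW_REQUIRED;
                } else if (mention.matcher(p.body).find()) {
                    // Another user's post naming the subject (the Jane/Joe case).
                    indeterminate.add(p);
                    status = Status.REVIEW_REQUIRED;
                }
            }
            return status;
        }

        public List<Post> exportIndeterminate(long userId) {
            return new ArrayList<>(indeterminate);
        }

        public void deleteIndeterminate(long userId) {
            posts.removeAll(indeterminate);
            indeterminate.clear();
        }
    }

    public static void main(String[] args) {
        ForumHandler forum = new ForumHandler();
        // Constructed sample data.
        forum.add(new Post(1, "Jane", "12 Elm St", "94107", "How do I upgrade to DXP?"));
        forum.add(new Post(2, "Joe", "8 Oak Ave", "10001", "Jane, you might find this useful ..."));
        forum.add(new Post(3, "Kim", "3 Pine Rd", "60601", "Unrelated question about themes."));

        Status status = forum.erase(1, "Jane", Action.ANONYMIZE);
        System.out.println(forum.applicationName() + ": " + status);
        for (Post p : forum.exportIndeterminate(1)) {
            System.out.println("  review: " + p);
        }
    }
}
```

Running `main` reports `forum: REVIEW_REQUIRED` and lists two posts for review: Jane's own post (now attributed to "Anonymous User" with the street dropped and zip retained) and Joe's reply, which still contains her name. The data controller then either edits that content through the application's normal interface or uses the delete option for the indeterminate data; the name-mention check is a simple heuristic and does not replace that review.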