Forgetting personal data and revoking consent under the GDPR: Challenges and proposed solutions

Abstract

Upon the General Data Protection Regulation’s (GDPR) application on 25 May 2018 across the European Union, new legal requirements for the protection of personal data will be enforced for data controllers operating within the EU territory. While the principles encompassed by the GDPR were mostly welcomed, two of them, namely the right to withdraw consent and the right to be forgotten, caused prolonged controversy among privacy scholars, human rights advocates and business world due to their pivotal impact on the way personal data would be handled under the new legal provisions and the drastic consequences of enforcing these new requirements in the era of big data and internet of things. In this work, we firstly review all controversies around the new stringent definitions of consent revocation and the right to be forgotten in reference to their implementation impact on privacy and personal data protection, and secondly, we evaluate existing methods, architectures and state-of-the-art technologies in terms of fulfilling the technical practicalities for the implementation and effective integration of the new requirements into current computing infrastructures. The latter allow us to argue that such enforcement is indeed feasible provided that implementation guidelines and low-level business specifications are put in place in a clear and cross-platform manner in order to cater for all possible exceptions and complexities.