On 25 May 2018, the General Data Protection Regulation (GDPR) Article 17, the Right to Erasure (“Right to be Forgotten”) came into force, making it vital for organisations to identify, locate and delete all Personally Identifiable Information (PII) where a valid request is received from a data subject to erase their PII and the contractual period has expired. This must be done without undue delay and the organisation must be able to demonstrate that reasonable measures were taken. Failure to comply may incur significant fines, not to mention impact to reputation. Many organisations do not understand their data, and the complexity of a hybrid cloud infrastructure means they do not have the resources to undertake this task. The variety of available tools are quite often unsuitable as they involve restructuring so there is one centralised data repository. This research aims to demonstrate that compliance with GDPR’s Article 17 Right to Erasure (“Right to be Forgotten”) is achievable in a hybrid cloud environment by following a list of recommendations. However, full retrieval, all of the time will not be possible, but we show that small organisations running an ad-hoc hybrid cloud environment can demonstrate that reasonable measures were taken to be Right to Erasure (“Right to be Forgotten”) compliant.
This is an open access article distributed under the Creative Commons Attribution License
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited