One of the technically challenging requirements of the General Data Protection Regulation (GDPR) is the right to be forgotten. The purpose of this article is not to go into the details of this requirement, but to show you how the personal data erasure functionality can assist you in satisfying this requirement.
A simple way to think of what it means to be forgotten by software is to consider a scenario where a new portal administrator is hired immediately after a User’s right to be forgotten request has been honored. The new portal administrator has access to all of the Site’s content and administration capabilities. Despite this, the administrator must not be able to glean information that could lead her to knowing the identity of the User whose personal data was erased.
Conceptually, forgetting a User means two things, at a minimum:
- Erasing the User’s identifying information from the system. In Liferay DXP, this entails removing the User from database tables and search indexes.
- Erasing or anonymizing content the User has interacted with so it cannot be tracked to a real person.
Users can already be deactivated and then deleted, so why add new functionality? Deleting removes the User from the table of Users in the database. The User’s information is preserved in other locations, however. In a standard User deletion scenario, all of a User’s personally created content is still assigned to the User and her identifiers (User ID and User Name) still appear in the UI next to content associated with her. This unintentional preservation of user-identifying data is inadequate for satisfying some of the GDPR requirements and is the primary reason why the data erasure functionality was added in Liferay DXP 7.1.
To begin sanitizing a User’s data:
1. Go to Control Panel → Users → Users and Organizations.
2. Click the Actions button for a User and select Delete Personal Data.
The User’s Personal Data Erasure screen appears.
Complete the five-step process sequentially to erase the personal data associated with the User.
Deactivating the User first ensures she doesn’t create more content as you’re sanitizing her from the system. Click Deactivate User.
The User’s public (profile) and private (dashboard) pages are deleted when the User is deleted. Separating this step out allows the administrator to make sure no information important to the enterprise is lost before the personal Site deletion is completed. Review the User’s personal Site (click the provided links to navigate directly there) and preserve any necessary data. Then click Delete Personal Site.
There’s no automated process for anonymizing application data (Blogs Entries, Wiki Pages, etc.). The administrator must review the User Associated Data (UAD: application content created by the User) piece by piece to determine that no data important to the enterprise is lost by deleting it and that, if the content is anonymized instead, it cannot be used to identify the User.
After reviewing each piece of the data, the administrator either anonymizes it or deletes it to complete this step.
To enter the review process, click Review.
The Application Data Review screen displays a summary including how many content items in each application are associated with the User.
To manage (anonymize or delete) all the items for an application at once, click the Actions button for the application, then:
- If you’re sure all items for the application can be safely deleted, choose Delete.
- If you’re sure simple anonymization is good enough for all of the application’s items, choose Anonymize.
To view the items for an application, choose View or click on the application in the table.
Clicking an item takes you to the view/edit screen where you can see the application’s items and take action.
Click the Actions button for an item and select Edit, Anonymize, or Delete, as appropriate.
Once you’ve worked your way through the items and taken action, the Application Data Review screen is updated to show that no items remain to review. Click the Complete Step button once finished.
In step 4, you must click Anonymize Data. This completes the anonymization process for the remaining database references to the User’s Name and ID. Some information is anonymized, but other data, such as Notifications, is deleted because it doesn’t make sense once the User is deleted.
Once all data is reviewed, deleted, edited, and/or anonymized as appropriate, delete the User. This step is simple: Click Delete User.
Now the User’s data is anonymized or deleted, and the User is also deleted.
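As an added example that is not part of this article or of Liferay’s own code, the following Python models the anonymize-or-delete choice from the review step and then audits what survives for the User’s identifiers, which is how a reviewer would confirm that a later administrator cannot recover who the User was. The applications, policy table, anonymous owner and sample records are all constructed for the example.

```python
import re
from dataclasses import dataclass

ANONYMOUS_USER_ID = 0            # placeholder anonymous owner (constructed)
ANONYMOUS_USER_NAME = "Anonymous"

@dataclass
class Record:
    app: str        # application the content belongs to, e.g. "Blogs"
    user_id: int    # owner's User ID
    user_name: str  # owner's User Name
    body: str       # the content itself
# Per-application choice from the Application Data Review screen (constructed table).
POLICY = {"Blogs": "anonymize", "Wiki": "anonymize", "Notifications": "delete"}

def erase_user_data(records, user_id):
    """Model of steps 3 and 4: delete or anonymize every record owned by the User."""
    kept = []
    for r in records:
        if r.user_id != user_id:
            kept.append(r)
        elif POLICY.get(r.app, "anonymize") == "anonymize":
            kept.append(Record(r.app, ANONYMOUS_USER_ID, ANONYMOUS_USER_NAME, r.body))
        # records whose application policy is "delete" are dropped
    return kept

def residual_references(records, identifiers):
    """Audit: surviving records that still hold one of the User's identifiers in the
    owner fields or the body, so a name typed into a post is caught as well."""
    hits = []
    for r in records:
        haystack = f"{r.user_id} {r.user_name} {r.body}"
        for ident in identifiers:
            if re.search(rf"\b{re.escape(str(ident))}\b", haystack, re.IGNORECASE):
                hits.append((r.app, str(ident)))
    return hits

# Constructed sample content: User 42 (jane.doe) plus an unrelated User.
SAMPLE = [
    Record("Blogs", 42, "jane.doe", "Posted by Jane Doe: release notes for 7.1"),
    Record("Wiki", 42, "jane.doe", "How to configure the search index"),
    Record("Notifications", 42, "jane.doe", "You have a new message"),
    Record("Blogs", 7, "bob", "Weekly status"),
]

def audit_erasure(records=SAMPLE, user_id=42, identifiers=(42, "jane.doe", "Jane Doe")):
    """Run the erasure model, then report what a later administrator could still see."""
    remaining = erase_user_data(records, user_id)
    return remaining, residual_references(remaining, identifiers)
```

With the sample above, the Notification is dropped, the blog and wiki entries are reassigned to the anonymous owner, and the audit still flags the blog body, which is exactly the case the piece-by-piece manual review exists to catch.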