Nearly all talk of the GDPR—Europe’s new data protection legislation—has been around privacy, such as checking what data companies are collecting on you as a user. But plenty of people, including in many cases Americans, can use the GDPR for something else: to preemptively demand a company delete their data in anticipation of a hack.
In other words, the legislation provides another way those who care about digital security may want to use to clean up their online presence, lowering the chance of hackers obtaining sensitive and personal information.
Hackers often dig through data breaches to find a target’s password, username, or physical address. Journalists do it too, often relying on hacked data to surface new details about a subject. But you may not want to give anyone the opportunity to do so, so could remove that data in advance.
For example, Motherboard recently filed a so-called subject access request with an online take-out food service. The company provided a copy of all the data they said they held linked to specific email address I owned. But perhaps more importantly from a security point of view, the company also said they deleted all of this data, which included the IP address used for each order and the physical delivery address.
Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
You’ll likely need to email each company one by one, and different companies have varying ways of getting in touch. Some have a dedicated email address for these sorts of requests, others have a more general inbox. But it’s possible to streamline at least some of the process with a website such as MyDataRequest.com, which already has request templates and details on some major companies.
Once you’ve got the right contact details, it sometimes just involves emailing the company or filling out a form with language such as “I ask that you permanently delete any and all data associated with my activities on your site.” Take Amazon for example: they have a dedicated portal for submitting requests here.
Some companies may request proof of identity beyond just an email from the respective address, but others processed the request without asking for extra information in Motherboard’s tests. A week or so later, you may get your desired response.
Whether you specifically will be able to ask a company to delete your data matters on a few different things, including where the company itself is registered and where you are based.
“If the company is established in the EU, the US citizens just need to ask,” Neil Brown, a lawyer focused on the internet and technology at specialist law firm decoded:Legal, told Motherboard in an online chat. If the company was not established in the EU, someone in the US is out of luck, Brown said. EU residents will still be able to request deletion from a, say, Silicon Valley company. Brown added that, however, the right of deletion “is far from absolute.”
But, as Motherboard found, this use of GDPR as a security mechanism will work for some people. So perhaps if you have that old account containing a load of personal information, maybe it’s time to get it scrubbed.