Dear Ron Diaries: Vol. 1—International Privacy Careers + The Challenge of Data Deletion

Dear Ron—How do I pursue an international data privacy career? I have IAPP certifications, a Master’s Degree in Law and 5 years of experience in a national law firm as a privacy Counsel. I also act as an external DPO. What should be my next steps?

First of all, it already seems like you already have a lot of credentials. You have IAPP certifications. You have great experience with a law firm. You’re an external data protection officer already. This is a great start!

One thing I didn't get a sense of was whether or not you’re on the speaking circuit. I think that might be a really good next step in terms of elevating your presence in the community and getting some of that international exposure.

Above and beyond the conferences in the US, there's a ton of international conferences. There's one called the Privacy Symposium that takes place in Venice, which I mean, who doesn't want to go to Venice for a privacy conference? There's a couple in Brussels and there’s one called the Global Privacy Assembly that's happening in South Korea.

So, get on the speaking circuit, sit on panels, and get that exposure. Let people in the international privacy community know who you are and the perspectives that you want to share.

Also, if you’re currently still at that international law firm that’s another moment of opportunity. Coming from the big four (I was previously at Deloitte and PwC), I was always raising my hand when it came to projects that supported international clients, which gave me the incredible opportunity to develop privacy programs and conduct privacy risk assessments for clients in Europe and Asia. If you can get that international experience through your existing law firm, that would also be a really good step.

Again, I think you’re already on a really great track. I would just focus on elevating your presence in the community from an international perspective.

Dear Ron—Wondering about CCPAs 'Right to be forgotten' and deletion of data upon request in general. While I know, in practice, regulators understand you have to retain a modicum of data after a deletion request, so as to not perpetually add the same data subject back to your database over and over again. However, I was told there are laws that actually state in writing that you can retain some bits of data (e.g. an internal identifier). Can you point me to citations in either CCPA/CPRA or GDPR where it literally lays out those permissions?

When a deletion request is made, privacy professionals have to balance regulatory compliance with the need to retain certain data for legal or operational reasons. It's important to remember that deletion doesn't always mean "everything" has to be removed, but it does depend on specific conditions.

GDPR Article 17 lays out scenarios where personal data may be retained even after a deletion request, typically for legal reasons. This means that in some situations, you may retain a hashed identifier or minimal data to prove that a deletion request was carried out, or to comply with legal obligations. However, this data should be limited, anonymized, and secured, ensuring that it isn’t used beyond the specified purpose. The key is ensuring that any retained data is necessary and not processed in a way that would violate the spirit of the deletion request.

While I can’t provide specific citations from laws like CCPA, CPRA, or GDPR in every instance, it’s important to know that the overall principle is that personal data can be retained in certain legal contexts but not used in an ongoing or inappropriate manner. This should always be aligned with privacy best practices and retention periods that are reviewed and documented regularly.