The General Data Protection Regulation (GDPR) is designed to give individuals better control over their personal data. As part of this, and in certain situations, the new law empowers data subjects to ask for their data to be erased, otherwise known as the “right to be forgotten”.
Your organisation needs to get to grips with how and when the new rules on erasure apply. You also need to make sure that you’re equipped to respond to valid data erasure requests as and when you get them.
So does your business have what it takes to deal with the so-called “right to be forgotten”? The Hub is on hand to help you get it right…
What is the right to be forgotten?
It states that if certain specified conditions are met, individuals have the right to request that the “personal data” you control about them be deleted.
If you’ve received a valid data erasure request, you must respond to it “without undue delay”, and no later than one month after receiving the request. This period can be extended in limited circumstances – e.g. where it’s a complicated request involving large quantities of data.
Here are the situations where the right to be forgotten applies:
- Where possession of the data is no longer needed. You must only collect data in relation to clearly defined purposes. If it’s no longer required for the specified purpose, the data subject can request erasure.
- Where the data subject withdraws their consent, or objects to the data processing and where there is no good reason to continue with the processing. This could include situations where customers cancel their contracts with you.
- Where the data shouldn’t have been processed in the first place. For instance, it turns out that you’re holding a customer’s data without their consent or any other legal basis.
- To comply with a legal obligation.
- The data relates to the offer of “information society services” to a child. An example of this could be where a child opens an account for a streaming service without parental consent.
Are there any exceptions?
The right to erasure isn’t absolute or unlimited. The exceptions to it include the following:
- For the controller to exercise its “right of freedom of expression and information”. This exception is likely to be of particular relevance to media outlets.
- Public interest purposes. There might, for instance, be a legitimate reason for archiving certain types of data (health information, for instance) for research purposes.
- Defence to legal claims. One example is where a former employee requests the deletion of their HR records, but you have reason to believe they may be considering bringing a claim against you under employment law.
Will it affect my organisation?
It affects all types of data controllers, whatever their field of business. Imagine the prospective job applicant who uploads their CV on spec to your careers page. If they change their mind, they may exercise their right to erasure and ask that you delete all details you have on them.
You may also find that data subjects seek to exercise their right to be forgotten alongside other rights. Consider, for instance, the client who is thinking of jumping ship. They start off by asking you to confirm what data you hold on them (the right of “access”); they request that their details be transferred to another company (the right to “data portability”); and they follow up with a request for their records to be deleted (the right to “erasure”).
If you can’t or won’t comply with these requests, it exposes your organisation to the threat of sanctions, including fines, audits and regulatory intervention. So the right to be forgotten is everyone’s business.
How to prepare for the right to be forgotten
Pay particular attention to the following:
Make it easier to respond to requests
The GDPR encourages the use of “self-service” data hubs, whereby data subjects can access their own data conveniently and securely. If it’s practical, this might include a mechanism for customers to request data erasure. From your point of view, this approach could make it a lot easier to identify, manage and respond to such requests.
Build a company-wide culture of compliance
Would your customer services staff know a data erasure request if it hit their inbox? How about your social media team? Being compliant demands the ability to respond to such requests in a timely manner – so make sure that staff right through your organisation are aware of their compliance responsibilities.
Have the right tools in place
The Privacy Compliance Hub can provide precisely the framework you need for hardwiring compliance into your organisation, from identifying actionable data rights requests through to responding to them in the right way.
For advice on all key areas of the GDPR, check out our resources section. For a closer look at how the Hub can help, ask for a free demo today.