The General Data Protection Regulation (GDPR) is designed to give individuals better control over their personal data. As part of this, and in certain situations, the new law empowers data subjects to ask for their data to be erased, otherwise known as the “right to be forgotten”.
Your organisation needs to get to grips with how and when the new rules on erasure apply. You also need to make sure that you’re equipped to respond to valid data erasure requests as and when you get them.
So does your business have what it takes to deal with the so-called “right to be forgotten”? The Hub is on hand to help you get it right…
What is the right to be forgotten?
It states that, if certain specified conditions are met, individuals have the right to request that their “personal data” that you control be deleted.
If you’ve received a valid data erasure request, you must respond to it “without undue delay”, and no later than a month from the request. This period can be extended in limited circumstances – e.g. where it’s a complicated request involving large quantities of data.
Here are the situations where the right to be forgotten applies:
- Where possession of the data is no longer needed. You must only collect data in relation to clearly defined purposes. If it’s no longer required for the specified purpose, the data subject can request erasure.
- Where the data subject withdraws their consent, or objects to the data processing and where there is no good reason to continue with the processing. This could include situations where customers cancel their contracts with you.
- Where the data shouldn’t have been processed in the first place. For instance, it turns out that you’re holding a customer’s data without their consent or any other legal basis.
- Where the data has to be erased to comply with a legal obligation.
- Where the data relates to the offer of “information society services” to a child. An example of this could be where a child opens an account for a streaming service without parental consent.