Right to Erasure and how to handle it

Summary:

The Right to Be Forgotten is one of the fundamental rights defined in GDPR.  Also known as a Right to Erasure this principle defined in Article 17. It is vital that companies recognize these requests and understand how to deal with them.

Most importantly the Right to Erasure is not an absolute right and companies are allowed to retain certain information where this is required to protect themselves from legal action or to allow them to operate their business.

If you receive an RTE please feel free to contact us – we are always happy to help.  You can find more info from the ico here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

For more background please keep reading…..

RTE – Not an Absolute Right!

One of the highest-profile form of data privacy protection problem is the “Right to Erasure” or, as we most know “The Right to Be Forgotten”. The idea of having the power to compel a company to erase all traces of data from their system is a nightmare – if you look from an organization side. Engaging these requests accurately it requires a well-designed, robust but also a persceptive methods that needs to be followed.

In the General Data Protection Regulation (GDPR), the right to be erased a.k.a. the right to be forgotten, proves to be the hardest data subject right and even the second most difficult GDPR obligation in practice.

What you should know about the Right to Erasure and how to handle it!

Do you remember what Martin Luther King Jr. used to say, “a right delayed is a right denied”?  We are going to use this sentence in a different context today. These days, in this modern GDPR era, the data subjects have more rights about their data than ever, following legal frameworks that set guidelines on how to practice those rights. The data subjects can call upon the right to erasure or access at any time, about any data you have on them, counting the fines, the words “delay” or “denied” doesn’t sound very nice, does it?

Imagine dozens of data subject, sending you requests all day, every day and calling upon their rights. There will be turmoil inside your system. Not mentioning the huge fines that are following if you fail to provide what they need regarding their personal data.

So, what should you know about the notorious Right to Erasure?

According to Article 17 of the GDPR, every natural person that demands an erasure of personal data, the company is obliged to provide the service without undue delay. The Right to Erasure, or as we most know – the right to be forgotten, not always have the absolute power. In fact, according to Article 17, the Right to Erasure only applies under the following condition:

• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

• The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

• The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
• The personal data have been unlawfully processed;
• The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• The personal data have been collected in relation to the offer of information society services referred to in Article 8(1);

As stated above, the GDPR has a few exceptions around the right to erasure that give businesses a way to handle this nightmare easier. According to Article 17, it is important to note that companies do not have to comply with an individual’s right to be forgotten under the following conditions, the companies do not have to comply with an individual’s rights, such as:

• For exercising the right of freedom of expression and information;
• For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

• For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• For the establishment, exercise, or defence of legal claims.

So, now you know what has been written in the Article 17 from the GDPR, should you be worried? Of course, you should, there is plenty you need to know about the Right to Erasure, but is there a way to handle it? Of course, there is!

To become a fully GDPR compliant organization is an intimidating task, what you need is a proactive game plan and be fully aware that it might not be enough, so you need to keep some backup plan in your sleeves. 

A great starting point is conducting an accurate and thorough, companywide data audit from both legal and technological standpoints to cover all bases.

Firstly, it is important you do a review of your methods of collecting personal data and your data processing systems so you can be sure you are a fully GDPR compliant organization. Also, you need to determine what data will you be collecting, why do you have it, how are you going to use and for what purposes. It’s equally important to think about how outdated and irrelevant data will be disposed of, and how to safeguard the critical information that is still needed. Do not forget to ask for the minimum amount of information necessary to confirm identity.

Most of the customers think that deleting their data is a simple step, they think that deleting the data is just a click away. Well, it’s not that easy as it looks like.

The systems, applications and database that are processing personal data should enable the organization to easily locate and delete data. It can be difficult sometimes, especially if it’s held on different systems or other platforms. Sometimes you might hold data on the cloud, you must know that all must be deleted. 

Like it’s mentioned above, a request must be actioned without undue delay, that means that you don’t have long to comply with the erasure. If the request is particularly complex, you might be able to extend it by two months. Before the extend, you must inform the individual before the first month is up, by giving a clear reason for the delay. Also, you might want to be prepared for a visit by the regulator if an extend happens because not every individual has an understanding.

It’s important to have the children in mind, they have special protection under the GDPR. The Right to Erasure is particularly relevant and crucial especially if it’s available on the internet.

The crucial point for a company to be compliant is having a full set of policies and procedures which are constructed to protect all the information it processes, no matter what sector your company operates in or the size of your business, it is essential. If you company breaks any of the data protection laws, it will potentially face an investigation from your supervisory authority, which could also hand out punishment ranging from hefty fines to enforcement notices. Because of these reasons an organization must ensure compliance with a formalised set of data protection policies and procedures.