The GDPR will come into effect in just a few days’ time and give EU citizens much more control over how their data is stored and processed.
The GDPR will dramatically change the rights of the data subject, and under article 17 of the GDPR, individuals have the right to have their personal data erased, otherwise known as ‘the right to be forgotten’.
This clause allows individuals to request that any records held on them by a business are permanently deleted if there is no legitimate reason for the business to continue processing this information.
Organisations must act upon the request within a month of it being lodged.
The right to be forgotten applies when:
- The personal data is no longer necessary for the purpose it was originally collected for
- The individual specifically withdraws consent to processing and there is no other legal basis for processing this information
- The individual uses their right to object to the data processing
- Personal data has been unlawfully processed
- The data must be erased to comply with legal obligations
- The individual was a child at the time of data collection
There are, however, a number of exceptions where data may not have to be erased if any of the following apply:
- The right of freedom and expression
- The need to comply with a legal obligation
- Reasons of public interest or in the exercise of a public authority
- Historical, Scientific research or public interest archiving purposes
- If the data supports legal claims
- If the processing is necessary for public health purposes
When an EU citizen requests the right to be forgotten, a data controller must delete all the personal data that it holds on that individual. However, this is by no means a straightforward process. An individual’s information might be spread across several different departments within an organisation and the back-up of this data could be located on another system altogether.
The deletion of data can be a difficult and time-consuming process if organisations do not have the proper systems in place to effectively locate and manage this information.
To deal with these requests effectively, businesses will need to complete a thorough audit of their systems to make sure that data can easily be located and deleted.
Organisations will need to determine what data they have, where it is stored, and how it is processed in order to comply with the GDPR’s requirements. It will be equally important to dispose of any outdated and unnecessary data whilst safeguarding critical information that is still needed.
The right to be forgotten is complex and has a lot of exceptions and limitations. However, if businesses have the right processes in place they will be able to comply with the legislation and ensure they can effectively exercise an individual’s right to be forgotten.
If you would like more information on how your organisation can improve its approach to GDPR compliance, click here, to find out how MetaCompliance can help.
DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.