In the run up to the General Data Protection Regulation coming into force, a lot of time and resources were invested in securing opt-in consent from hundreds of thousands of individuals across Europe. Behind the scenes, these same businesses were strengthening defences to better protect the personal data they had been entrusted with.
These efforts are ongoing, but most are focused on capturing and storing data. But in doing so, many firms appear to be ignoring another crucial aspect of the GDPR framework – the so-called “right to be forgotten”.
What does the GDPR say about the “Right to be Forgotten”?
Way down in Article 17, the GDPR outlines the “right to be forgotten” stating;
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
The Article goes on to outline three things your data retention strategy needs to address:
- You must “forget” data once it has served its purpose
Every individual has the right to have any personal data that your business stores erased once it has served its purpose. Under GDPR, collecting, storing and processing personal data is only legal where specific use cases have been agreed by the individual; once those use cases have been exhausted, the data must be erased.
Importantly, the individual does not have to request the data be deleted under these circumstances. It is down to your business and internal data management processes to monitor compliant use, and to erase non-compliant data immediately.
- An individual can withdraw consent at any time
The GDPR has been designed to give individuals complete control of their personal data, regardless of which company or organisation is storing it. And because they retain full rights to their own information, they can withdraw consent at any time.
According to the right to be forgotten, this withdrawal of consent is much more specific than simply removing them from your marketing email list. When consent is rescinded, your business is duty-bound to erase all of their personal data. There are a few derogations specified however in the European Council’s explanatory text (paragraph 65);
“However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.”
You may need to consult with a GDPR specialist to assess whether any right to be forgotten request you receive meets these conditions.
- Non-compliant data must be erased immediately
In exceptional circumstances it may be that your organisation collects some personal information to which it is not entitled. You must not conduct any additional processing using this data. Instead it must be deleted as soon as the error is detected.
The right to be forgotten doesn’t end there
A right to be forgotten request must be actioned within “a reasonable period of time”. The GDPR does not specify exactly how long that period is, but are advising businesses to comply within 30 days.
But some businesses – particularly those that syndicate content – have an additional obligation outlined in paragraph 66;
“The right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request.”
Essentially, every right to be forgotten request needs to be passed on to any other party that may have republished or shared information you hold. These third parties are classified as “data processors” under GDPR, and you must ensure they execute your request to erase data.
You will not be expected to track down unrelated third parties that have re-shared publicly-available information however. The individual will need to lodge another right to be forgotten request with the third party.
Are your erasure routines sufficient?
When a right to be forgotten request is received, your first instinct will be to delete the “visible” records you hold. This is the easily-accessed information like contact records in the CRM system and personal data added to service calls.
The problem is that these records are just the tip of the iceberg. There will be emails sent by the subject sitting in the email inboxes belonging to your sales team for instance. And retailers may have collected personally identifiable information as part of their loyalty program. All of this information will also need to erased if requested by the individual.
But there is one more factor that needs to be considered – your backups.
When your data retention provisions create a legal nightmare
The biggest – and most often overlooked – factor in data deletion requests are your backup systems. These failover systems are specifically designed to prevent data loss, usually by creating multiple copies of your information that can then be copied back in the event of a data loss event.
But this also means that your business has multiple copies of the individual’s data located in various different places – on clustered servers, backup tapes and in Cloud archiving platforms among others. And every data deletion request also applies to these secondary copies. Every shred of personal information must be deleted completely, regardless of where it is located.
Given an infinite amount of time, fulfilling right to be forgotten requests would be relatively straightforward – albeit rather slow. Unfortunately, the GDPR makes no additional provisions despite the complexity of searching for and deleting data from backup media.
Time to get your house in order
Many privacy-minded consumers are already using cookie opt out mechanisms, e.g. ad-blockers, to prevent website tracking for instance – and they are certain to approach companies they don’t “like” to request that their personal data is deleted. So it is inevitable that your business will begin to receive right to be forgotten requests in the near future.
Your data protection officer and IT manager will need to define the processes and protocols for actioning these requests and ensuring that personal data is completely removed from your system – including backups. You will also need to create an audit report that outlines the data that has been deleted, proving that you have fulfilled your obligations should the Information Commissioner’s Office receive a complaint.
For some, this will be the first time that they have ever had to consider re-engineering systems which were designed to never lose anything.
Your action plan
- Identify the personal data being held by your business.
- Identify where this data is being stored, including backups (Consentric can help with this).
- Define a procedure for receiving and actioning right to be forgotten requests.
- Set up a reporting mechanism for passing right to be forgotten requests to your data processors and third parties.
- Create an auditing mechanism to record the type of information being deleted.
To help speed up the right to be forgotten compliance planning process – and to learn more about how technologies like the Consentric Platform can help streamline identification and deletion routines – please get in touch.