The implementation of the General Data Protection Regulation (GDPR) means that organizations must protect the personal data of individuals in the EU. It covers any data that could feasibly be used to identify a person, including medical records, genetic information and economic information.
The right to be forgotten, also known as the right to erasure, is the principle that individuals can require a company to delete their personal data from its systems and, in the search-engine case, from results returned for their name. It is not unconditional: the request has to rest on one of the grounds set out in Article 17, which are listed below.
People can ask for their personal data to be deleted when, for example, the data the company holds on them is no longer needed or when their data has been used unlawfully.
Personal data provided when they were a child can be deleted at any time.
Businesses must act on a valid request without undue delay and in any event within one month of receiving it (Article 12(3)); that period can be extended by up to two further months for complex or numerous requests, provided the individual is told why within the first month. The organisation may keep a minimal record that a request was received and actioned, but the personal data itself must go from every system it controls, not merely be hidden from view. Failure to comply falls in the upper tier of administrative fines: up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)).
Article 17 of the GDPR sets out the right to be forgotten for organisations that collect and process personal data. It retains the intent of the 1995 Data Protection Directive (95/46/EC), which allowed people to request deletion of data that is no longer relevant, and expands it to give people more control over who can access and use their personal data.
Under the GDPR, a data subject (anyone in the EU whose personal data is processed, regardless of citizenship) has the right to require an organisation to erase their personal data if:
- the data is no longer necessary for the purpose for which it was collected or otherwise processed;
- the person withdraws the consent on which the processing was based and the organisation has no other legal basis for it;
- the person objects to the processing under Article 21 and the organisation has no overriding legitimate grounds to continue (the balance tips readily in the person's favour where the data concerns a child), or the person objects to processing for direct marketing, which must always be honoured;
- the data has been unlawfully processed;
- erasure is required to comply with a legal obligation in EU or member-state law to which the organisation is subject;
- the data was collected from a child in relation to the offer of “information society services” (online services offered directly to a child, Article 8(1)).
In all these cases, the organisation must delete the data “without undue delay”. If it has made the data public, Article 17(2) requires it to take “reasonable steps, including technical measures”, taking account of available technology and cost, to inform other controllers processing that data that the person has requested erasure of any links to, copies of, or replications of it.
However, the organisation can refuse where the processing is necessary to exercise the right of freedom of expression and information, to comply with a legal obligation or to perform a task in the public interest, for reasons of public health, for archiving, research or statistical purposes in the public interest where erasure would seriously impair those purposes, or to establish, exercise or defend legal claims (Article 17(3)).
The ‘right to be forgotten’ was implemented in the interest of protecting consumers and keeping online organizations from wielding too much power over the public.
A 2014 BBC story, for instance, detailed the case of Mario Costeja González, a Spanish man whose property had been auctioned off to settle debts during a personal financial crisis. Years later, with his finances in much better shape, the newspaper notice of the auction still showed up prominently when he searched for his name on Google.
The Court of Justice of the European Union agreed with his claim (Google Spain v AEPD and Mario Costeja González, C-131/12, 13 May 2014) that the material was no longer relevant and was potentially damaging to his reputation, and ordered the search results delisted. This case and others like it set in motion what would eventually become the GDPR’s ‘right to be forgotten’.
Since that ruling, Google alone has received requests to remove nearly 2.5 million URLs from its search results.
The best way to make sure you respect your customers’ right to be forgotten is to know exactly what data you’re storing, where every copy lives, and how you will delete it upon request or after it’s no longer needed.
Any organization that collects consumer information should plan on performing regular data audits, including creating a register of all personally identifiable information collected and processed in the EU and the planned lifecycle of that data; the record of processing activities required by Article 30 is a natural home for it.
The GDPR specifies two circumstances where you should tell other organisations about the erasure of personal data:
- the personal data has been disclosed to others; or
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
If you have disclosed the personal data to others, you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.
If a valid erasure request is received and no exemption applies, then you will have to take steps to ensure erasure from backup systems as well as live systems. Those steps will depend on your circumstances, your retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to you. Where a backup cannot be altered in place, the accepted position (the ICO’s guidance, for example) is that the data must be put beyond use: it is not restored into live systems, it is overwritten when the backup rotates out under the retention schedule, and the individual is told that it will persist in backups for that period. Encrypting each individual’s records under their own key and destroying the key on erasure (crypto-shredding) achieves the same effect immediately, whatever the backup medium.
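The “technical mechanisms” referred to above include crypto-shredding, which is the approach a practitioner reaches for when backups are immutable or offline. The following Python is an added example, not code from the original page or from any regulator or vendor: it encrypts each data subject’s records under a per-subject key held in a small in-memory vault (a stand-in for a KMS or HSM with audited key destruction), stores the ciphertext in an append-only backup that is never modified, and honours an erasure request by destroying the key and logging that fact. It also serves the inventory point made earlier, since the vault is itself a register of which subjects have data and whether it has been erased. The HMAC-SHA256 counter-mode cipher is a standard-library-only stand-in for AES-GCM; the subject identifiers, record contents and class names are constructed for the example.

```python
"""Crypto-shredding: per-data-subject keys so an erasure request can be honoured
even for copies that sit in backups that cannot be edited in place.
Added example; the cipher is a stdlib stand-in for AES-GCM, not production code."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

NONCE_LEN = 16
TAG_LEN = 32


def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudo-random function."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES-CTR)."""
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(subject_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the subject key. Output: nonce || ct || tag."""
    enc_key, mac_key = _prf(subject_key, b"enc"), _prf(subject_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + _prf(mac_key, nonce + ct)


def unseal(subject_key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or a tampered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _prf(subject_key, b"enc"), _prf(subject_key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ct)


class SubjectKeyVault:
    """One key per data subject. Assumption: in production this is a KMS/HSM with
    audited, irreversible key destruction; here it is an in-memory dict."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._destroyed: set[str] = set()
        self.erasure_log: list[dict] = []

    def key_for(self, subject_id: str) -> bytes:
        # A shredded subject must not be silently re-keyed and resurrected.
        if subject_id in self._destroyed:
            raise KeyError(f"{subject_id} has been erased")
        return self._keys.setdefault(subject_id, os.urandom(32))

    def has_key(self, subject_id: str) -> bool:
        return subject_id in self._keys

    def destroy(self, subject_id: str, ground: str) -> None:
        """Crypto-shred: drop the key and record that the request was honoured.
        The record holds no personal data beyond the opaque subject identifier."""
        self._keys.pop(subject_id, None)
        self._destroyed.add(subject_id)
        self.erasure_log.append({
            "subject_id": subject_id,
            "ground": ground,
            "erased_at": datetime.now(timezone.utc).isoformat(),
        })


class ImmutableBackup:
    """Append-only store standing in for a backup that cannot be edited in place."""

    def __init__(self) -> None:
        self.blobs: list[tuple[str, bytes]] = []

    def append(self, subject_id: str, blob: bytes) -> None:
        self.blobs.append((subject_id, blob))

    def restore(self, subject_id: str, vault: SubjectKeyVault):
        """Return the subject's plaintext records, or None once the key is gone:
        the ciphertext still sits in the backup but is unrecoverable."""
        if not vault.has_key(subject_id):
            return None
        key = vault.key_for(subject_id)
        return [unseal(key, blob) for sid, blob in self.blobs if sid == subject_id]


def demo():
    """Constructed sample records; no real personal data is involved."""
    vault, backup = SubjectKeyVault(), ImmutableBackup()
    backup.append("subj-42", seal(vault.key_for("subj-42"), b"Alice Example, alice@example.org"))
    backup.append("subj-99", seal(vault.key_for("subj-99"), b"Bob Example, bob@example.org"))
    before = backup.restore("subj-42", vault)
    vault.destroy("subj-42", "Art. 17(1)(b): consent withdrawn")
    after = backup.restore("subj-42", vault)   # None: key shredded, blob still in backup
    other = backup.restore("subj-99", vault)   # unaffected subject
    return before, after, other, len(backup.blobs), vault.erasure_log


if __name__ == "__main__":
    print(demo())
```

After destroy() the second restore returns None while the backup still holds both blobs: the copy survives physically but is unrecoverable, which is what “beyond use” means in practice, and no backup medium had to be rewritten. Two design points matter for an auditor. The vault tombstones a shredded subject so a later key_for() cannot quietly mint a fresh key under the same identifier, and the erasure log records only the opaque subject id, the Article 17 ground and a timestamp, so the evidence that a request was handled does not itself re-create the personal data.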