The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted, and organisations have an obligation to comply, except in the following cases:
- the personal data your company/organisation holds is needed to exercise the right of freedom of expression;
- there is a legal obligation to keep that data;
- for reasons of public interest (for example public health, scientific, statistical or historical research purposes).
If a company/organisation processed data unlawfully it must delete it. In the case of an individual, data collected when they were still a minor must be deleted.
Organisations are expected to take reasonable steps (for example technical measures) when it comes to the right to be forgotten online, to inform other websites that a particular individual has requested the erasure of their personal data.
Data can also be kept if it has undergone an appropriate process of anonymisation.
Within the GDPR, Subject Access Requests (SARs) entitle individuals to the right to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation.
According to the ICO’s own official statistics, mishandling of SARs is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.
The Information Commissioner’s Office (ICO) advises:
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request verbally or in writing.
- You have one month to respond to a request.
- You cannot charge a fee to deal with a request in most circumstances.
People search engines, including MyLife, Spokeo, Instant Checkmate and PeopleSmart collect huge amounts of personal information and package it into profiles to be sold. The customers of such websites, which charge relatively low fees for access to profiles, are largely curious individuals, businesses doing background checks and law enforcement agencies.
The Financial Times has reported how it took one woman three months of emailing and calling to remove her personal details from people search engine MyLife.
Karen Irwin had tried to limit access to an online profile that included her address and phone number, but the website required a fee to control the information.
After unsuccessfully trying to remove the data for free by emailing the company, Ms Irwin finally succeeded in having the data removed after speaking to their customer services department.
She told the paper: “I refuse to pay to control my information.”
She also remarked how she had discovered details of her friends’ relatives and net worth for free – simply by knowing what town they lived in.
Profiles available can include addresses, spouses and photos, all of which are gathered from public records, such as divorce proceedings and bankruptcies, social media profiles and paid-for databases. Information can also be collected from user profiles on dating sites. There is no doubt that the quantity of data on these sites is on the increase.
Dr Lucy Wright wrote in Occupational Health & Wellbeing magazine recently how her occupational health firm, Optima Health, dealt with the introduction of GDPR.
She said: “We revised our subject access request (SAR) process, which is when people want to see their records. Even before last May we were down to the one month that it is now, rather than the 40 days that it was pre-GDPR. A very useful phrase that, ‘one month’. How long is a month? Do they mean a calendar month or even 28 days? We work to 28 days because it is safer because of February, so all the time we are slightly under-hitting.”