GDPR and the Right to be Forgotten: What it Means
If you’re feeling overwhelmed by the General Data Protection Regulation (GDPR) and what it could mean for your business, we don’t blame you. There’s a lot to cover.
Our GDPR series is sure to help.
In the meantime, let’s take a closer look at GDPR and the right to be forgotten. Experts are saying that it could be one of the more complex sections of the legislation, so it’s important to understand exactly what it entails.
We’ll start with its definition.
The Information Commissioner’s Office (ICO) defines it as:
“The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.”
The name comes from the 2014 Court of Justice of the EU ruling against Google Spain, which allowed EU residents to ask search engines to delist results about them that were outdated or irrelevant. GDPR (Article 17) broadens that into a general right to have personal data erased by whoever controls it, and a request must be acted on without undue delay rather than “immediately”: the regulation allows a month, extendable for complex or numerous requests.
When does the ‘right to be forgotten’ (RTBF) apply?
- When the personal data is no longer necessary for the purpose for which it was originally collected or processed
- When the individual withdraws the consent on which the processing was based, and there is no other legal basis for it
- When the individual objects to the processing and there is no overriding legitimate interest for continuing it
- When the personal data has been processed unlawfully
- When the personal data has to be erased to comply with a legal obligation
- When the personal data was collected in relation to the offer of information society services to a child
Can you refuse to comply with a RTBF request?
Yes, but only where continued processing is necessary for one of the following:
- Exercising the right of freedom of expression and information
- Complying with a legal obligation, or performing a task in the public interest or in the exercise of official authority
- Reasons of public interest in the area of public health
- Archiving in the public interest, scientific or historical research, or statistical purposes, where erasure would seriously impair those objectives
- Establishing, exercising or defending legal claims
From 25 May 2018, when the GDPR applies, the RTBF covers any organisation that holds personal data, not just search engines. Here’s an example: if someone asks a company to erase the information it holds about them, online or offline, the company must find that information wherever it lives and erase it, unless one of the exemptions above applies, and respond within the one-month deadline.
The kind of information we’re talking about is anything that identifies a person: names, phone numbers, bank details, and so on.
Finding and removing that data across large stores is a big task for many companies, and a real administrative burden. But it must be done, and the two steps below are where to start.
1. Understand the regulation (and don’t forget the small print)
As we said, there’s a lot to GDPR so we’d recommend a full, comprehensive awareness of it. Leave no stone unturned in your perusal of the legislation.
You want to be informed as to how the law has changed from its predecessor, and how it applies to your organisation.
Also, you should think about how it relates to other regulations your organisation may or may not be subject to. Look at risk management and assess your IT systems to make sure everything is up to scratch.
Ultimately, review how compliant you are, and what you need to change.
2. Conduct an information discovery audit
Look into every area of your organisation and seek out the information you need to delete. An information discovery audit helps you understand what kinds of data you hold and where it can be found.
It’s likely that you will hold personal information about employees, suppliers and customers. Maybe the information can be found in more obvious places like CRM databases, or it might be hidden elsewhere.
Think about information generated from reports or staff databases. Are your organisation’s staff unknowingly holding information on their computers or laptops?
Don’t forget file servers and the cloud, too. Data-discovery scanning tools can locate personal data on servers and in cloud storage; the inventory they produce is what lets you answer an erasure request completely and within the deadline.
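As an added illustration of the kind of scan the audit calls for (this is example code written for this page, not code from the original post or from any vendor’s product), the script below walks a directory tree, opens text files only, flags lines that look like e-mail addresses, UK-format phone numbers or IBANs (with the IBAN checksum verified to cut false positives), and reports file, line and a masked value so that the report itself does not become yet another copy of the personal data. The patterns, file extensions and the sample files it scans are constructed assumptions for the example; a real audit would also cover databases, mailboxes and cloud storage.

```python
"""Toy personal-data discovery scanner for an information discovery audit.

Added illustration, not a product: it walks a directory tree, reads text
files, and flags lines that look like e-mail addresses, UK phone numbers
or IBANs, reporting where they were found rather than copying them out.
"""
import os
import re
import tempfile
from pathlib import Path

# Detector patterns (assumptions for the example; tune them for your own data).
# They are deliberately simple, so expect false positives on real servers.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?|0)\d{4}\s?\d{6}(?!\d)"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Only these extensions are opened; binaries (images, archives) are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json"}


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: rejects most random letter/digit runs."""
    s = candidate.replace(" ", "").upper()
    if len(s) < 15:
        return False
    rearranged = s[4:] + s[:4]          # move country code + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def mask(value: str) -> str:
    """Keep only the last four characters so the report holds no usable PII."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) for every hit in a text blob."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "iban" and not iban_is_valid(value):
                    continue  # looks like an IBAN but fails the checksum
                hits.append((line_no, kind, mask(value)))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Walk root and map each relative path to the personal data found in it."""
    findings = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                findings[path.relative_to(root_path).as_posix()] = hits
    return findings


def build_sample_tree(root: str) -> None:
    """Write a constructed mini file server so the scanner can run offline."""
    files = {
        "crm/customers.csv": (
            "name,email,phone,iban\n"
            "Jane Doe,jane.doe@example.com,07700 900123,GB82WEST12345698765432\n"
        ),
        "staff/notes.txt": (
            "Ref GB82WEST12345698765433 fails the IBAN checksum.\n"
            "Nothing personal on this line.\n"
        ),
        "brand/logo.png": "not really an image, but skipped by extension anyway\n",
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")


def run_sample() -> dict[str, list[tuple[int, str, str]]]:
    """Build the constructed tree in a temp dir, scan it and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in sorted(run_sample().items()):
        for line_no, kind, masked in hits:
            print(f"{rel}:{line_no} {kind} {masked}")
```

Run as-is it prints three hits, all on line 2 of crm/customers.csv; the look-alike IBAN in staff/notes.txt is dropped by the checksum and the PNG is never opened. The masking matters in practice: a discovery report that lists full values in clear is itself personal data you will later have to find and erase.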
Do you have to inform other organisations about the erasure of personal information?
Yes, but only if you have disclosed the personal information to third parties. You must tell each recipient about the erasure, unless doing so proves impossible or involves disproportionate effort, and tell the individual who those recipients were if they ask.
The GDPR also reinforces the RTBF for data that has been made public: an organisation that has published personal data and then receives an erasure request must take reasonable steps, including technical measures, to inform other organisations processing that data that the individual has asked for any links to, copies of, or replications of it to be erased.
Hopefully, it’s less complicated now. The RTBF is huge for the ethical management and processing of personal data, and marks a great step toward greater rights for individuals in the digitalised world.
If you would like to learn more about GDPR overall, have a read of our blog about how the new legislation will impact your business.
Here’s to compliance!