One of the new policies brought about by the GDPR is the right to erasure. It allows all individuals to ask organizations to remove their data.
And so, the companies have to take measures to approve their data erasure request as soon as possible.
In some cases, the request is exempted or refused. Let’s take a closer look at what the right to be forgotten is and how to handle it properly!
What is the Right to Erasure?
The right to erasure was issued under Article 17 of the GDPR (UK).
It gives people the right to ask for the complete removal of their data from an organization’s database. However, this right is not absolute.
It means that data erasure requests will only be approved in certain circumstances. Here are the conditions under which the right applies:
- Their personal data has become unnecessary or useless to your organization.
- They wish to withdraw the consent that they gave initially.
- The data was handled for your legitimate interests. They object to it, and you’ve got no other important interest in keeping it.
- The information was directly given for marketing purposes, and now they want it removed.
- A child’s data is being processed to offer information services.
- The data is handled unlawfully.
All that said, the right only applies to the current data held. It won’t apply to any data created in the future.
Any organization that receives the request in writing or verbally must respond to it within one month.
5 Tips to Handle the Right to Erasure
Handling the right to erasure can be difficult. There’s so much information that needs to be identified, collected, and removed. Read on to learn some handling tips!
Educate Your Employees
The first and foremost thing every company must do is spread awareness about this right amongst their staff. A customer may ask anyone to remove their request. It will be considered valid.
So, all current employees must know what the request means, when it’s applicable, and how to process it.
Create an Action Plan
The right to be forgotten is a new policy, which means many organizations still don’t have a plan ready to deal with it. What will your company do if someone asks for data deletion tomorrow?
The management needs to discuss and agree on an action plan. The system should be updated with features that allow one to quickly identify a person’s information and erase it.
Also, a special unit can be set up within the data handling department to deal with these requests.
Inform All Relevant Authorities
Several companies disclose the information to other linked parties and third-party sites. When these companies receive a data deletion request, it becomes their responsibility to inform all others.
It’s not necessary to ensure the removal. Yet, a system should be ready to identify who else holds the person’s data and ask them to remove it.
In cases where the data is made public, the company will be expected to take measures within its capacity. Ideally, all links and copies of the information must be deleted.
DID YOU KNOW? Google and Bing received over 1.7 million “right to be forgotten” and “right to erasure” requests between 2015 and 2023.
Know Who’s Exempted
We’ve already discussed the conditions under which the right to erase is applicable. However, since this is not an absolute right, exemptions can be made in several situations.
The ICO (Information Commissioner’s Office) has compiled a detailed guide on these exemptions. You can use it to create a checklist. This will help make the request approval process faster and easier.
Maintain a Record
Lastly, it’s highly important to keep a record of the fulfilled data removal requests. How else will you prove that someone’s data was once held and then deleted?
But you need to be a bit clever here. Your record should include the bare minimum of information and be kept safely. It’s best to use pseudonyms or some other protection method.
Frequently Asked Questions
Ans: The General Data Protection Regulation (GDPR) of the European Union regulates the processing and transfer of personal data of individuals within the EU.
Ans: GDPR applies to all companies and organizations that handle personal data in the UK and the EU, as well as to any organization that uses data that was gathered in one of the participating states.
Ans: Another name for the right to erasure is “the right to be forgotten.” The right is limited and only applies in specific situations. People have the option to request deletion verbally or in writing.