The right to erasure is a new policy introduced by the GDPR. It allows all individuals to ask organizations to remove their data, so companies have to take measures to approve data erasure requests as soon as possible.
In some cases, the request is exempted or refused. Let’s have a closer look at what the right to erasure is and how to handle it properly!
What is the Right to Erasure?
The right to erasure was issued under Article 17 of the GDPR (UK). It gives people the right to ask for the complete removal of their data from an organization’s database. However, this right is not absolute.
This means that data erasure requests will only be approved in certain circumstances. Here are the conditions under which the right applies:
- Their personal data has become unnecessary and useless to your organization.
- They wish to withdraw the consent that they gave initially.
- The data was handled for your legitimate interests. They object to it, and you’ve no other important interest to keep it.
- The information was directly given for marketing purposes, and now they want it removed.
- A child’s data is being processed to offer information services.
- The data is handled unlawfully.
All that said, the right only applies to the current data held. It won’t apply to any data created in the future. Any organization that receives the request in writing or verbally must respond to it within one month.
5 Tips to Handle the Right to Erasure
Handling the right to erasure can be difficult. There’s so much information that needs to be identified, collected, and removed. Read on to learn some handling tips!
Educate Your Employees
The first and foremost thing every company must do is spread awareness about this right amongst its staff. A customer may ask any member of staff to remove their data, and the request will be considered valid.
So, all current employees must know what the request means, when it’s applicable, and how to process it.
Create an Action Plan
The right to erasure is a new policy, which means many organizations still don’t have a plan ready to deal with it. What will your company do if someone asks for data erasure tomorrow?
It’s important for the management to discuss and agree on an action plan. The system should be updated with features that allow one to quickly identify a person’s information and erase it.
Also, a special unit can be set up within the data handling department to deal with these requests.
Inform All Relevant Authorities
Several companies disclose the information to other linked parties and third-party sites. When these companies receive a data erasure request, it becomes their responsibility to inform all others.
It’s not necessary to ensure the removal. But a system should be ready to identify who else holds the person’s data and ask them to remove it.
In cases where the data is made public, the company will be expected to take measures within its capacity. Ideally, all links to and copies of the information must be deleted.
Know Who’s Exempted
We’ve already discussed the conditions of when the right to erasure applies. However, since this is not an absolute right, exemptions can be made in several situations.
The ICO (Information Commissioner’s Office) has compiled a detailed guide on these exemptions. You can use it to create a checklist. This will help make the request approval process faster and easier.
Maintain a Record
Lastly, it’s highly important to keep a record of the fulfilled data removal requests. How else will you prove that someone’s data was once held and then deleted?
But you need to be a bit clever here. Your record should include the bare minimum of information and be kept safely. It’s best to use pseudonyms or some other protection method.