GDPR: 34% Planning to Exercise Right to be Forgotten

Research by media agency the7stars has found widespread interest in the new ‘right to be forgotten’ provision of the General Data Protection Regulation (GDPR). More than a third of respondents (34%) say they will exercise this right. With GDPR coming into force in May, this news may cause alarm among businesses that have not yet established processes for handling deletion requests from individuals.

But what exactly is the right to be forgotten, and how might this impact organisations in the UK?

The right to erasure

This provision exists so that people have the right to object to organisations holding their personal data. In simple terms, if you want your favourite supermarket to stop sending you emails, you have the right to request that they delete your email address and any other personal information they may hold.

There are exceptions to this right – so if an organisation has a need or a compelling reason to retain your data, then your request can be denied.

When the right to erasure applies

As an individual, you can usually request the deletion of your data when:

  • Your personal data is no longer required for the purpose it was collected for
  • You withdraw consent
  • You object to having your data processed (assuming there is no overriding legitimate reason for processing)
  • Your data was unlawfully processed
  • Your data must be erased to comply with a legal obligation.

When organisations can decline requests

There are a number of occasions when organisations can refuse to comply with deletion requests. If your organisation has a valid reason for retaining personal information, you may be protected under one of these provisions.

Legitimate reasons for refusing to comply:

  • To protect the public interest, or in the interest of public health
  • To exercise your right of freedom of expression
  • Archiving for public interest, historical, scientific or statistical purposes
  • Exercising or defending legal claims
  • To comply with a legal obligation, exercising official authority or to perform a public interest task.

Deleting third-party data

While it might be relatively easy to delete the data you hold on a particular person, GDPR also requires that you notify any other organisations that you have shared the data with. This might include marketing partners, data processors and other suppliers.

The challenges of complying with this part of the legislation may encourage organisations to reassess how personal data is managed and shared. Organisations may find it preferable to limit the spread of data so that it can be more easily identified – and deleted when required.

GDPR training from VinciWorks

If your organisation needs help getting ready for GDPR, our suite of eLearning programmes can help. Because our training is online, it can be delivered efficiently, at any time. As part of our GDPR eLearning offering, we have both comprehensive and short courses available. These cover topics including: Protecting Data, Preparing for GDPR, Privacy Impact Assessments, Accountability and The Right to be Forgotten.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
