Research by media agency the7stars has found widespread interest in the new 'right to be forgotten' provision of the General Data Protection Regulation (GDPR). More than a third of respondents (34%) say they will exercise this right. With GDPR coming into force in May, this news may cause alarm among businesses who may not have any established processes for handling deletion requests from individuals.
But what exactly is the right to be forgotten, and how might this impact organisations in the UK?
The right to erasure
This provision exists so that people have the right to object to organisations holding their personal data. In simple terms, if you wanted your favourite supermarket to stop sending you emails, you have the right to request that they delete your email address and any other personal information they may hold.
There are exceptions to this right – so if an organisation has a need or a compelling reason to retain your data, then your request can be denied.
When the right to erasure applies
As an individual, you can usually request the deletion of your data when:
- Your personal data is no longer required for the purpose it was collected for
- You withdraw consent
- You object to having your data processed (assuming there is no overriding legitimate reason for processing)
- Your data was unlawfully processed
- Your data must be erased to comply with a legal obligation.
When organisations can decline requests
There are a number of occasions when organisations can refuse to comply with deletion requests. If your organisation has a valid reason for retaining personal information, you may be protected under one of these provisions.
Legitimate reasons for refusing to comply:
- To protect the public interest, or in the interest of public health
- To exercise your right of freedom of expression
- Archiving for public interest, historical, scientific or statistical purposes
- Exercising or defending legal claims
- To comply with a legal obligation, exercising official authority or to perform a public interest task.
Deleting third-party data
While it might be relatively easy to delete the data you hold on a particular person, GDPR also requires that you notify any other organisations that you have shared the data with. This might include marketing partners, data processors and other suppliers.
The challenges of complying with this part of the legislation may encourage organisations to reassess how personal data is managed and shared. Organisations may find it preferable to limit the spread of data so that it can be more easily identified – and deleted when required.
GDPR training from DeltaNet
If your organisation needs help getting ready for GDPR, our suite of eLearning programmes can help. Because our training is online, it can be delivered efficiently, at any time. As part of our GDPR eLearning offering, we have both comprehensive and short-courses available. These cover topics including: Protecting Data, Preparing for GDPR, Privacy Impact Assessments, Accountability and The Right to be Forgotten.