In this multipart guide, we will be assessing your rights and obligations under the rapidly approaching GDPR, equipping you with the knowledge to stay secure once the new regulation comes into play.
What is the right to erasure?
The right to be forgotten is the name used for the GDPR’s right to erasure. This refers to the ability of an individual to request the deletion of personal data where there is no reasonable need for the data to be held or processed any more. Under this legislation, individuals have the right to have personal data erased and prevent further processing under the following circumstances:
Where the personal data held is no longer needed for the purpose for which it was originally collected
(or) When the individual withdraws consent or objects to the processing and there is no overriding legitimate interest
(or) If the data was unlawfully obtained or processed or otherwise in breach of the GDPR
(or) If the personal data is required to be erased to comply with a legal obligation
(or) If the personal data is processed in relation to the offer of information society services to a child
It is worth noting, however, that under the GDPR the right to erasure is not limited to processing that causes unwarranted and substantial damage or distress. If the processing does result in distress or damage, the case for erasure is strengthened.
Can I refuse an erasure request?
There are a number of circumstances under which you can refuse an erasure request. These include: the exercise of freedom of expression and information; compliance with a legal obligation for the performance of a task in the public interest or exercise of official authority; public health purposes in the public interest; archiving in the public interest, scientific or historical research, or statistical purposes; and the exercise or defence of legal claims.
Protecting the rights of children
Under the GDPR, there are additional requirements to be met when the erasure request relates to the personal data of a child. The GDPR highlights the importance of protecting such information, especially in online environments.
If your business is involved in the processing of personal data for children under the age of 18, you should pay special attention to existing situations where a child has given consent to processing before later requesting erasure, especially on social networking sites and internet forums.
This is because a child might not have been fully aware of the risks associated with submitting their data for processing. You should take into account not the age of the person at the time of the erasure request, but their age when the data was submitted. So, if the individual whom the data concerns was under the age of 18 at the time of submitting their personal information, extra care should be given to complete the erasure request, regardless of when the request is received.
Updating third parties about data erasure
If the data in question has been disclosed to a third party, you must inform them of the erasure of personal data. The only reasons for not completing this update are if it is impossible to do so, or if updating third parties would involve effort disproportionate to the request.
The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data publicly available are required to inform other organisations who also process the data in question to erase links to, copies of and replications of this data. This should be completed regardless of how complicated the procedure is. Where this proves especially challenging, for example on social networking sites and forums, you are required to comply to the best of your ability.
To find out more about GDPR compliance within your business and best practice for data processing, give MarketDeveloper a call today on +44 1784 432 082.