The European Union’s General Data Protection Regulation (GDPR) affects all individuals and businesses in the UK and EU. Despite the UK’s withdrawal from the EU, GDPR was written into UK law during the transition period, and remains an important privacy mandate.
Put simply, if a company collects personal data about its customers, clients or prospects, then it must comply with the GDPR which stipulates how that personal data is collected and used. An important principle within GDPR, that is worth understanding in terms of personal security and peace of mind, is the Right to Erasure, otherwise known as the ‘Right to be Forgotten’.
The ‘Right to Erasure’ explained
The ‘Right to Erasure’ gives individuals the right to request the erasure of their personal data held by data controllers. According to Article 17, a company is obligated to erase an individual’s personal data without delay. However, this is not an absolute right. Under the GDPR, individuals have the right to request their personal data is erased in the following circumstances:
- Personal data is no longer necessary for the purposes for which it was originally collected or otherwise processed.
- The individual withdraws their consent to the processing of their personal data, and there is no other legal basis for processing the data (which is outlined in GDPR Article 6).
- The individual objects to the processing of their personal data, and there are no overriding legitimate grounds for the processing, or if the individual objects to the processing for the purposes of direct marketing (outlined in GDPR Article 21).
- Personal data has been unlawfully processed.
- Personal data has to be erased for compliance with a legal obligation to which the company is subject, in EU or Member State law.
In addition, data controllers must erase personal data if it relates to a child and was collected in relation to the offer of information society services, subject to certain conditions.
While GDPR is often applauded for prioritising individual rights, there are some exceptions to the Right to Erasure which give businesses some additional flexibility. Companies do not have to comply with an individual’s request under these conditions:
- The company is exercising its right to freedom of information and expression.
- The company is legally obligated to retain the individual’s personal data, for compliance reasons.
- The company needs the data to complete a task that is a matter of public interest.
- The data itself is relevant to the interests of public health.
- The company is archiving an individual’s data for statistical, scientific, or historical reasons.
- The data is needed for the establishment, exercise, or defence of legal claims.
The Right to Erasure may also be restricted if it would adversely affect the rights and freedoms of others, or if it would be impossible or involve a disproportionate effort.
What if a company receives a Right to Erasure request?
As noted above, the Right to Erasure is not absolute and only applies in certain circumstances. Individuals may request that their data be erased in writing or verbally.
Companies must have processes in place to enable them to identify and respond to requests for erasure and must be able to demonstrate that they are complying with GDPR. Failure to comply with GDPR can result in significant fines and damage to reputation. If a valid erasure request is received - and no exemption applies - then companies must explicitly state what will happen to the individual’s data, including in respect of backup systems and whether that data has been shared with other parties. If the erasure request is legitimate and accepted, companies must tell other organisations about the erasure of any personal data that has been disclosed or made public.
Companies must respond to requests for erasure within one month of receipt, although this can be extended by two further months where necessary, taking into account the complexity and number of requests. If a company refuses to comply with a request for erasure, it must inform the individual of the reasons for the refusal, and of their right to make a complaint to the supervisory authority and to seek a judicial remedy.
If an exemption applies, companies can refuse to comply with requests, partially or entirely. Not all exemptions apply in the same way, and companies should examine each case carefully to determine whether the exemption genuinely applies. Companies also need to be aware that the GDPR does not specify how a valid request for erasure must be made. Individuals can make the request verbally or in writing, to any contact in an organisation. If any of the conditions for erasure apply, companies must recognise the request as valid.
If a verbal request is received, you must ensure that the employees who take those requests pass them on to the relevant teams or departments so they can be handled accordingly. With this in mind, you may need to invest in continuous training and development so that staff can identify such requests and handle and execute them correctly.
Concerns over personal data and GDPR
Personal data refers to information about a specific individual, such as their name, location information, address, and identification numbers (for example IP addresses or National Insurance numbers). This can even apply to photographs or videos, even if that material was not used maliciously. If someone can be recognised in an image or video, it usually constitutes their personal data.
It is important for all businesses that use promotional material such as videos and photos involving consenting subjects to be mindful of the long-term personal data implications. Companies will have official data controls and privacy policies in place, as Craig Chapman at MPB, a leading supplier of used camera and video equipment, explains: “We process and transfer personal data in order to manage our business and provide our services. We take all steps reasonably necessary to ensure that any shared personal data is subject to appropriate safeguards in accordance with EU rights and that it is treated securely.”
Personal data usage and sharing are complex and divisive topics. Numerous online services offer a seamless personal experience for people, but many have provided personal and trackable data for the privilege. Websites and online services may store the information you provide, and potentially share it with third-party vendors, suppliers or services. Any of this data can be used to identify someone, and if it were to fall into the wrong hands, such as a criminal, the consequences could be severe for the affected person, and also for the business that potentially didn’t safeguard the information properly.
Despite widespread discussion of intensifying security threats, many people feel reassured by GDPR and its legislation and are happy to let companies lawfully and ethically collect and process their data. However, others remain cautious about how third parties use their personal data, with concerns over their privacy and security remaining high.
A study by Capterra found that while a large proportion of consumers were willing to share their personal information if this led to better products and services, a sizable 44% of those surveyed expressed concern as to how companies used their data. Nearly two thirds of these consumers also confirmed they would check a company’s data privacy reputation before choosing whether to shop with them.
GDPR requires websites to request users’ consent before any data is shared or collected. The law applies to any company that collects information from people who live in the EU, and it does not matter where the company itself is based.
Best practices for GDPR and erasure compliance
Organisations must ensure that they have appropriate systems in place for secure data management, including mechanisms for the timely erasure of data where applicable. This may involve developing data retention policies that set out how long data should be kept, and when it should be deleted.
Organisations must also ensure that their privacy policies are clear and unambiguous and that they provide individuals with information about all of their rights under GDPR. This information should be easily accessible and written in clear and concise language.
The Right to Erasure is a fundamental right under GDPR that gives individuals control over their personal data. Customers and clients need to be confident that businesses have clear practices and procedures in place to honour this.