Just One Thing Week 14

GDPR Week #14 – Erasing, Forgetting and Remembering

The Right to Erasure is one of the 8 key rights for data subjects enshrined in the GDPR and the Data Protection Bill (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/). If you are responsible for ensuring both data protection compliance and a good customer experience, then how to manage the right to erasure – more commonly referred to as the right to be forgotten – needs to be high up on your list of GDPR challenges to address.

For starters, many organisations will find it very difficult even to identify what personal data they hold on prospects or customers – something we also looked at in Week #2 when considering SARs (Subject Access Requests): www.channeldoctors.co.uk/blog/31-week-2-know-your-sars-from-your-elbow. If you find it difficult to identify and collate all that data, then you are likely to be looking at a slow, complex and costly solution, whether through new or enhanced data management technology or laborious manual processes.

However, even if you can easily fulfil an erasure request technically, there are other things you need to consider:

  • Erasure is a right, but it’s not absolute or indisputable. There are likely to be plenty of reasons why you can’t erase someone’s personal data even if you wanted to – e.g. you have a contract in place; you need the data because the law or a regulator requires you to – so are your front-line staff equipped to explain that?
  • What will you need to do in order to satisfy yourself that the person who is asking for data to be erased is actually the data subject and not someone impersonating them?
  • If, for instance, someone wants to stop receiving marketing contacts and materials, might you not be better off adding that person to a suppression list rather than simply deleting their data altogether? This is especially the case if you acquire new prospect data over time: if the original data subject ‘re-emerges’ in that data, you are likely to end up marketing to them once more.
  • So, in order to allow a prospect or customer to be forgotten, you might need to ensure you remember who they are…

It’s a potentially tricky business. In which case we had better leave the Right to Data Portability to another week!
