There are 23 days to go to GDPR D-day! On the 25th May, the EU General Data Protection Regulation will be enforced.
There is one particular area of the regulation that seems to be attracting an awful lot of attention and is being debated by many. It is the right to erasure, also referred to as the right to be forgotten.
Despite the attention that this right is getting, it’s important to remember that it is just one piece (a small part) of the GDPR puzzle. The entire privacy framework must be implemented.
The right to erasure-what is it?
Article 17 of the GDPR specifies the data subject’s right to erasure. It is the right that the data subject has to request the erasure of personal information under certain circumstances.
The article outlines the circumstances under which the right should be exercised:
- The data is no longer necessary for the purpose for which it was originally collected or processed
- The data subject withdraws consent for the processing of their data, supposing that there is no legal justification to be processing the data
- The data subject objects, rightfully, to the processing of their data and there are no legitimate grounds for processing to continue
- The data must be erased for compliance with a legal obligation in the EU
- The data is being unlawfully processed and in breach of the regulation
Organisations are not required to comply if the processing is:
- Necessary for exercising the right of freedom of expression and information
- For use (establishment, exercise or defence) of legal claims
- For complying with EU and legal obligations
- Used in the wider public interest
- Used for health reasons
- For archiving for historical or scientific and statistical reasons
The right to erasure is causing organisations to panic, but why?
The right seems quite straightforward, but the complete removal of a person’s data can be complicated-especially in the digital world in which we work and function. There are so many reasons why this right seems to stand out from the rest and gain the interest that it has. Below are some of the reasons why some organisations are concerned…
- The DPD in contrast to the GDPR seems to limit the right
The DPD limits the right by allowing erasure only if the processing causes unwarranted and substantial damage or distress to the data subject. This is quite subjective since it may take very little to cause distress to one person and the same situation may not even phase another at all. However, under the GDPR the data subject can request to have their data erased for many other reasons (see them listed above).
- Ability to action the right
The right to erasure seems to be causing additional strain, perhaps, due to the complexities that arise from it as well as the intricacies to ensure that the right can be actioned. As it involves so much more than merely deleting or removing some information on request.
- The data spread is huge
Many modern-day businesses depend on data and have built their business models on data resulting in a broad spread of information. With the right to erasure, EU citizens can request that a business remove their personal data from their databases. Leaving many organisations concerned, as many still do not have the capabilities to search for, identify and erase personal data. If they can’t even locate the data that they hold, how will they be able to satisfy the request? All organisations controlling and processing personal data are affected.
- Historical haphazard collecting of data and in varied formats
Organisations may find this right more challenging to handle if they have collected data over an extended period of time and in a variety of formats (which many businesses have been doing). So, a process is essential to enable the capability to action this right when requested. Thus, many are realising that this specific area of the GDPR needs a lot more thought to remedy.
- The breadth of the right
Businesses controlling how personal data is processed are responsible for it and must be able to comply. If requested, all the personal data in question needs to be located and erased and any copies and replicas must be deleted too. If the data was shared for processing purposes, the relevant parties must also be informed of the data erasure request. If the data was made public, all references to the person from every webpage, news article, search results or database must be removed. It is more complicated when delved into, hence the anxiety it is causing.
- Not understanding the right
There’s further confusion, as to when the right to erasure should be promptly exercised and when (if ever) an organisation can refuse to fulfil the right and when it is OK to do so. A better understanding of the broader picture is needed.
- Seems like an uphill task
The right to erasure can be seen as a massive ask and a large undertaking for many businesses, especially since many are still trying to get their heads around the type of data that they process and hold and where it all is.
- Tackling the GDPR has been left way too late
Many businesses have come to the GDPR ‘party’ very late and are now feeling the pressure that little bit more. Having said that, with days to go to enforcement, some businesses are yet to arrive at the ‘party’ and haven’t even realised the urgency! Aren’t they in for a surprise!?
- Fear of crippling fines for non-compliance
Inadequacies within a business that result in companies not being able to delete user information and observe the right (and other rights of the data subject) when requested will mean that the company is not GDPR compliant. There is a palpable fear that these incapability’s will result in an instant fine of €20 million or up to four percent of global revenue, which is crippling for many businesses.
Although businesses should definitely be doing their utmost to have the processes in place, both organisational and technical, to secure the data, observe the rights of the data subjects and to comply with the regulation. If a gap is found but an organisation can show that they are taking the right measures and the steps to achieve compliance – room for rectification is likely to be given and fines are not likely to be handed out unnecessarily.
The GDPR is not there to damage businesses. It is there to ensure that the data subject’s data is treated correctly so that their privacy and security is maintained.
The GDPR is highlighting where there’s a disregard for privacy
The right to erasure, in particular, is compelling everyone from the smallest business to the biggest players to act. To do what is right for the data subject: their customers, users, subscribers and members.
Google is a prime example of the bearing of the right. Google has already faced court actions relating to the right to be forgotten. Google claims to have received between 2014 and 2017, under the right to be forgotten, requests to de-list 2.4million URLs from searches, primarily relating to personal information and legal history. Individuals can ask to have a page de-listed if it is inaccurate, inadequate or irrelevant.
The GDPR, in general, is clearly highlighting where there is a disregard for privacy in EU organisations and even in other areas of the world. It is making people aware of their privacy rights and allowing for change so that individuals can easily assert these rights.
Although the right to erasure (like the regulation) is an EU right, many organisations are global and cross borders, so the procedures that are required to protect the privacy of EU citizens may also extend further than the EU and have a global impact.
As it stands many other countries outside of the EU take a varied approach to people’s privacy and some privacy policies are quite fragmented in comparison to the GDPR and the related privacy rights for EU citizens.
The right of erasure relies on both individuals and organisations to monitor and implement it. Accountability is key. Individuals will hold organisations accountable and thus organisations will have solutions in place. Everyone is involved in the regulatory process.
However, the regulation makes sure that this is kept in context with the broader privacy framework by putting criteria in place for the secure and lawful collection, sharing and processing of personal information (hence, the circumstances for when the right does not apply).
The right to erasure is necessary to support personal privacy in a modern, digital age
The right has been introduced for the correct reasons to support personal privacy by removing outdated, inaccurate or irrelevant information and it is necessary for this advanced digital age.
The balance is fundamental and the success of this right and the regulation in its entirety will hinge on the ability to defend the right of erasure and the other privacy rights of EU citizens not only in the EU but globally to make sure things are working as intended.