One of the most (in)famous aspects of the GDPR is the Right to Erasure, (aka The Right to be Forgotten). But it’s not quite as simple as it first appears.
Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors under a number of circumstances, such as by removing their consent for its processing. It’s akin to requesting your neighbour return the lawnmower you lent them. It’s yours, and you want it back.
On the face of it, complying with this is a daunting task, and to add to the complexity, there are many cases where conflicting regulations will prevent the processor from complying with the request.
Article 17 of the GDPR, The Right To Erasure, states:
- Data Subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:
- The controller doesn’t need the data anymore
- The subject withdraws consent for the processing with which they previously agreed to (and the controller doesn’t need to legally keep it [N.B. Many will, e.g. banks, for 7 years.])
- The subject uses their right to object (Article 21) to the data processing
- The controller and/or its processor is processing the data unlawfully
- There is a legal requirement for the data to be erased
- The data subject was a child at the time of collection (See Article 8 for more details on a child’s ability to consent)
- If a controller makes the data public, then they are obligated to take reasonable steps to get other processors to erase the data, e.g. A website publishes an untrue story on an individual, and later is required to erase it, and also must request other websites erase their copy of the story.
Data might not have to be erased if any of the following apply:
- The “right of freedom and expression”
- The need to adhere to legal compliance, e.g. a bank keeping data for 7 years.
- Reasons of public interest in the area of public health
- Scientific, historical research or public interest archiving purposes
- For supporting legal claims, e.g. PPI offerings.
Out of Scope
- Non-electronic documents which are not (to be) filed, (i.e. it’s data you can’t search for), e.g. a random piece of microfiche, or a paper notepad, are not classed as personal data in the GDPR and are therefore not subject to the right to erasure.
Not Going to Happen
- Some personal data sets are impossible (or infeasible) to edit to remove individual records, e.g. a server backup or a piece of microfiche. Whilst these uneditable data sets are in-scope of the erasure Right, themselves they would be out-of-scope for erasure editing procedures due to their immutable nature. If you can destroy the whole microfiche and not worry about losing other data then great. It’s the “editing” of microfiche that wouldn’t be possible here.
The Real World
Once an organisation understands where all a subject’s personal data resides, an assessment must be made of what can be, should be, can’t be, and is infeasible to be erased. The exceptions above will commonly apply, such as legal requirements for data retention. But this doesn’t mean that the controller should keep the records “live” in an online system. To best protect the personal data it ideally should be archived away to a more protected and locked down system that meets the retention requirements and also goes as far as possible at meeting the data subject’s desire to be erased.
Importantly, these exceptions can’t be used as an override, e.g. allowing the controller to keep considering the subject as an active customer that they can keep marketing to. The Principles of GDPR should keep the controller focused on best serving the rights of the data subject as much as possible, whilst meeting their wider requirements.
Erasure is an area where there is no black and white on what must be done. Every organisation, every record and every piece of technology used will require a case by case assessment. For example, some processors provide more granular control of deletion of individual records in cold backups. Some provide none.
The key is to focus on what your rationale would be if you were stood in front of the regulator (e.g. ICO in the UK) or a judge in court. Would you be confident that you had a justifiable position on doing the “right thing” by the data subjects, doing the best you could and had given this enough focus and documented thought? Focus on answering this question and you should be in a solid position.