Data compliance laws are constantly shifting and evolving to accommodate the growing challenge of an ever-evolving global data landscape. One of the most challenging aspects of data compliance involves data privacy laws, specifically personal data erasure, also known as the “right to deletion” or the “right to be forgotten.” Under the GDPR, this right extends to all EU residents, but many other countries and states have adopted similar laws that were modeled on the GDPR, like the CCPA in California, PIPEDA in Canada, or the LGPD in Brazil.
This article will tackle the right to be forgotten under the GDPR, how this obligation can impact your business operations, and best practices for complying with this right after receiving a DSAR (data subject access request) from a customer.
In the simplest terms possible, the “right to be forgotten” is a part of the EU’s GDPR (General Data Protection Regulation) that says any individual can request that their personal data held by an organization be erased by the organization. This is a law intended to protect individual privacy, and was created in the aftermath of incidents like Equifax, where a malicious data breach exposed the private information of millions of consumers.
The data erasure process starts with an individual petition, submitted by the individual verbally or in writing, to have their personal data erased from your systems. There is no specific form that individuals will have to submit to your business for the erasure process to begin, and there are not yet any specific laws that indicate certain departments in your business must be contacted for the petition to be valid. However, companies must respond to these requests within 30 days, so it behooves them to have a process to handle these types of DSARs (Data Subject Access Requests) in an efficient manner. Many companies will have a DSAR form on their website, which is directed to the company’s DPO (Data Privacy Officer) or the department that handles such requests, and a data privacy management technology to track the timely handling of such requests.
An individual petition for data erasure will generally apply to any consumer or individual who no longer wants your business to have access to any of their personal information. The three main scenarios where the right to erasure is applicable include:
1. The Data Is No Longer Necessary
It may be the case that personal data collected from consumers is no longer relevant to the operation of your business. This scenario is specific to data that no longer serves the purpose for which it was collected and to data that is not useful for statistical information.
2. Data Consent Is Withdrawn
Consumers have the right to withdraw their consent for your business to store their personal information at any time. If a consumer submits an erasure petition and if there is no legal purpose to hold and process their data, data compliance laws dictate that you are required to honor that request. This is especially true in cases where data is collected about children and the child does not consent to the storage of that data.
3. The Data Has No Overriding Legitimate Purpose
You are also required to honor erasure petitions if there is no overriding legitimate purpose to continue processing the individual’s data. The best example of this is if you are using the data for direct marketing but the individual now objects to the use of their data for this purpose because they no longer wish to do business with your organization.
While it’s important for businesses to comply with this GDPR requirement for data compliance purposes, there are a couple of specific scenarios where the right to erasure does not apply, and the company should deny the DSAR. These scenarios include:
1. The Data Is Needed for Legitimate Purposes
If an individual’s data is still required for legitimate purposes, such as processing legal claims or information for healthcare services, you may not need to comply with a petition. Legitimate purposes to continue the storage and processing of personal data in spite of a petition also include the ability to perform tasks for public health or public benefit.
2. The Data Is Necessary for Archiving
You may also not need to comply with data erasure requests if the personal data is necessary for archiving purposes. Good examples of this include data that is used for public health purposes, social services and systems, preventative and occupational medicine, or for the overall management of social or healthcare services.
3. The Request Is Made by Another Business
As it is, the right to erasure applies purely to individuals themselves and not to businesses. In other words, an organization cannot lobby another organization to erase data, because an organization is not legally an individual.
You should be aware of two important factors for personal data erasure, which are:
If you have received a petition from an individual that is both reasonable and legitimate, then you are legally obligated to erase their personal data from your systems. A reasonable request for data erasure means that the request falls under the eligibility rules, meaning that the request for erasure will not impact public health and is not necessary for the management of social or healthcare systems or services.
Honoring requests also means that the request is neither malignant nor excessive. In other words, the request for data erasure is ideally not made to specifically harm or defame your business, and it is also not made in unreasonable quantities. It’s important that each data erasure request is evaluated for the validity of the claim and that any data erased will not violate the necessary storage of data that is relevant to archiving or statistical information.
You should also know that honoring erasure requests requires that duplicate data or data stored on backup systems is also erased. Depending on your data storage and backup methods, this might mean that the personal data will be present on the backup system until it is overwritten. If this is the case, it’s the duty of your business to inform the individual petitioner of when all of their data has been erased from both your live and backup systems.
Aparavi’s seamless, cloud-based data privacy management solution can help your company stay in compliance with the GDPR and “right to be forgotten” DSARs. Aparavi enables you to quickly locate data in one single user interface, across multiple storage devices, regardless of where the data is located (in the cloud, core or edge). You can easily use our query feature to create powerful searches and find personally identifiable information (PII) for the requesting customer, and take the necessary action to delete or redact the information. With The Platform, you can create a “before” and “after” report showing that the information was in fact deleted from the database.
In addition, our pre-defined classification policies make it simple to find any PII across your storage locations, with “click-to-apply” functionality that shows you where the information is located, who has access to those files, and any other metadata that exists about the files. The Aparavi Platform also ensures that those policies are updated automatically to keep up with any new or modified regulations.
All consumers have the right to withdraw their consent for your organization to use their personal data, and that means that businesses are obligated to honor erasure requests within legitimate parameters. For more information about how the “right to be forgotten” can impact the operation of your business, contact Aparavi today.