The right to erasure, otherwise known as the ‘right to be forgotten’, is a core principle of GDPR. A person’s right to have their personal information removed from the system of a company is a basic right and something which GDPR aims to uphold. But as a company, how can you be sure that you satisfy a client’s right to erasure? Here’s our advice on how to ensure that your data erasure processes remain GDPR compliant.
Receiving an erasure request
As a data handler, it’s likely you will eventually receive a data erasure request. Previously, under the Data Protection Act (1998), anyone wishing to access their personal data held by a company would have to pay a £10 fee. Now, under GDPR, this is free. There are numerous reasons why an erasure request might be made: the individual may have withdrawn consent, left the company or simply no longer want you to hold their data. Regardless of their reasoning, it is you, as the company responsible for their personal data, that must ensure it is appropriately removed within one month of receiving the erasure request.
Can I decline an erasure request?
It is possible to deny an erasure request; however, the request must fall under one of the Information Commissioner’s Office’s (ICO) specific exceptions. Outside of these reasons, an erasure request must be carried out within the one-month time limit.
Carrying out an erasure request
Once an erasure request has been submitted, it is the receiving company’s responsibility to remove all the personal data held on that individual. This includes both digital and physical information, so if some of their personal data is held on paper, this must also be removed. Only information which falls under GDPR’s specific definition of personal data is required to be removed. (We discuss this definition in a previous blog.) The company will then inform the requester that their data has been removed from their systems.
How can I ensure my company remains compliant?
As we mentioned in our previous blog, it’s important to be proactive about compliance. By beginning to examine your processes for handling data now, you can find and address issues which may prevent or delay your response to requests such as erasure. General data handling issues such as data silos can also have a significant impact on your company’s ability to access and remove all the personal data held on an individual, so ensuring that all the personal information your company holds on someone is accessible is important.
Why you should act now and how City Dynamics can help
As we discussed, when it comes to GDPR compliance, being proactive definitely has its benefits. It’s likely that many companies, especially larger firms, will be inundated with GDPR-related requests. Making sure your company is prepared to deal with this ahead of time is a definite must. However, this can be confusing, and if you’re looking for more information regarding erasure requests, definitions of personal data and other major points of GDPR, you may want to attend our GDPR webinar that we’re hosting on the 9th of March. We’ll be discussing these areas, as well as much more, with data security and GDPR expert Carl Gottlieb. Be sure to keep an eye out for announcements regarding registration on our site soon.