Erasure requests, otherwise known as the right to be forgotten, are a basic human right and, as such, a principal component of the power GDPR is giving individuals over their personal data. Erasure requests give individuals the right to request that all the personal data a company holds on them be deleted. You can learn about the specific requirements and parameters of an erasure request through our previous blog, which covered the general requirements and details involved in an erasure request.
However, for companies that have received an erasure request, time is of the essence. If your company operates on a Dynamics 365-powered CRM system, handling an erasure request within the one-month time limit couldn’t be easier. Yet, due to the potential consequences of failing to carry out an erasure request properly, it is important that you learn how to remove a client’s personal data in a GDPR-compliant way.
Identify all the personal data related to the requestee
To start off with, it’s very important that you isolate and collate all the personal data related to the individual requesting that their information be deleted. If any personal information that can identify the requestee is left behind, the company runs the risk of facing an investigation and potential fines from the ICO.
Luckily, Dynamics 365 provides useful tools for gathering all the information relating to an individual. By using the basic search feature within your Dynamics 365 CRM, you can quickly create specified search filters to isolate all the personal data that your CRM holds on a specific individual.
Deactivate the related contact
After you’ve identified all the personal data related to the requestee, it’s important that you deactivate the related contact within the Dynamics 365 CRM.
By deactivating the contact, you can prevent other CRM users from accidentally utilising the requestee’s personal data or contacting them after they have requested that it be deleted. Should the requestee change their mind on the data erasure, the contact can be reactivated by a user with the appropriate admin clearances. This acts as a safety net and gives you peace of mind that, once you have deactivated the contact, their information cannot be used.
Delete personal information
Once you’ve identified the related information, Dynamics 365 CRM will provide you with an overview of all the information held on that individual.
In this way, a user with the appropriate access privileges can remove the personal information currently within each field, such as email, mobile number, or address. However, if you have no legal or reasonable need to retain the user’s information (see our previous blog for examples of when companies may need to retain user data), the entire contact can also be easily deleted.
What comes next?
Once the relevant personal data or contact has been removed, the erasure request has been satisfied. For tracking purposes, Dynamics 365 CRM will record the activity conducted during the process of the erasure, i.e. contacts being deactivated or individual data fields being deleted within the CRM system. Once an erasure request has been correctly satisfied, the requestee cannot ask for their information to be restored. The audit remains simply for the company to record any activity conducted within the Dynamics 365 CRM database.
Erasure requests are just one part of the many new requirements facing companies as data handlers and processors. Be sure to have a look at our other GDPR blogs covering a range of different areas, from double opt-ins to subject access requests, to ensure that your company remains compliant.