The right to erasure: when to delete personal data
On May 25th 2018, after years of anticipation, GDPR firmly landed on the data and privacy scene and set about revolutionizing our data-heavy lives.
At the heart of these new legislations and regulations was the promise that regular individuals would have more control over personal information handled by organisations, allowing people to better manage who has access to their data and how it is used.
Article 17, the right to erasure, plays a key role in upholding this fundamental GDPR purpose. Under the article, which is also known as ‘the right to forget’, individuals are able to request that an organization deletes their personal information from live and backup systems.
However, with its list of exemptions and easy request processes, this article is anything but clear cut and has caught out many businesses – including Google, who were handed a hefty €7 million fine for their lack of Article 17 compliance in March 2020.
In the first of our ‘Article spotlight’ series, we break down this potentially costly GDPR legislation and pass on our insider tips for how to be best prepared for an Article 17 request.
What is the right to erasure?
Outlined in Article 17, the ‘right to erasure’, states that an individual has the right to obtain from the controller (your company) the deletion of their personal data without ‘undue delay’.
This applies to data scenarios where:
- Your business no longer needs the data for the original reason it was collected or used
e.g. When someone cancels a subscription to your service and you no longer need their online or postal details.
- Someone withdraws their consent
e.g. After a person has unsubscribed from your company newsletter and they don’t wish to receive this form of communication anymore.
- An individual objects to your use of their data and there are no legitimate grounds for you to continue to process their data
e.g. An individual ended their membership with your company but you continued to use their data for internal research.
- Data has been collected or used unlawfully
e.g. You sent direct marketing material to a customer who did not opt in to receive communication to their home address.
- Your organization has a legal obligation in Union or Member State law to delete the data
e.g. If you work for a bank, you may need to delete information about a customer’s loan or debt once a certain amount of time has passed since receiving the final repayment.
- Data was collected from a child aged under 16 years old
e.g. A minor uploads a video to your online platform and later requests that it be taken down.
When can your company refuse to delete personal data?
There are a few stipulations that can negate someone’s Article 17 request. These exemptions include:
- Exercising the right of freedom of expression and information.
- To comply with a legal obligation where the data subject or processing is carried out in the public’s interest.
- For reasons of public interest within statistical purposes, or scientific or historical research.
- For the establishment, exercise, or defense of legal claims.
- If a request is manifestly unfounded or excessive.
If you decide to refuse an individual their right to erasure, remember to take into account that this is likely to have an impact on your client relation and/or company reputation, so you have to be confident that your counterclaim clearly falls within exemption territory.
You can find more information about exemptions via this helpful ICO guide.
How can someone request for their data to be deleted?
Here’s where the likes of Google have been stung in the past – there is no specified process for making a valid Article 17 request.
Individuals can submit a request verbally or in writing to anyone or any point of contact in your company. They don’t need to use any particular language or mention ‘Article 17’ or ‘the right to erasure’.
As long as their request adheres to the list of data scenarios above, your company is responsible for ensuring the erasure process is followed through.
What action should a company take when they receive an Article 17 request?
Once a request for deleting personal data is received and recognized as valid, you need to start the process of erasing the specified data from live and backup systems with ‘undue delay’.
From the moment you receive a request, it’s important to let the data subject know the exact processes you’ll be taking and the timeline you’ll be following so they feel confident in and assured by your actions.
For example, you may be able to delete their data immediately from a live system but unable to access your backup system until a later date.
Make sure you clearly communicate when the data will be deleted and in the meantime, mark this data ‘beyond use’ so it is not used for any additional purposes.
At the very latest, ‘undue delay’ means complying within a month of the request, or within a month of receiving the information you need to confirm an individual is the owner of the data.
If a request is complex or excessive, you’re entitled to a couple of extra months to make sure the data is deleted. In this instance, you may also be eligible to charge the data subject an admin fee.
However, typically you cannot ask a data subject to pay for access to or removal of their data – a lesson hard-learned by Bureau Krediet Registration who were fined €830,000 in July 2020 for billing customers who wanted to access personal information more than once a year.
How are third parties impacted by the right to erasure?
When an Article 17 request is made, you must contact every other person or organization that you have disclosed the data to.
A data subject is also allowed to request that you inform them of who else has, or has had, access to their data and update them on whether or not you have contacted these external parties to let them know they wish for their data to be deleted.
If the data in question has been made public in an online environment, (such as on a forum, website, or social media platform), you must either delete it or demonstrate that you’ve taken reasonable actions within your technical and financial control to remove this data.
What steps can your company take to be better prepared for dealing with Article 17?
There are a number of ways you can make responding and managing a right to erasure request easier for your team:
1. Use effective data mapping
According to Gartner, two-thirds of businesses say it takes them two or more weeks to retrieve a single data request.
When the clock is ticking on your erasure process, this can be stressful for your team and frustrating for the person who made the request.
Data mapping software provides you with a clear overview of the data you manage, resulting in a quick and pain-free retrieval process. With greater oversight, you also have the ability to see which third parties have access to datasets (and therefore who must be contacted when a request is made).
2. Educate staff on the importance of Article 17
As requests for erasure can be made verbally or in writing to anyone or any point of contact in your company, there’s a risk of the request being ignored or not being met within the designated time frame.
Minimise this risk by making sure everyone in your enterprise is aware of an individual’s right to have their data deleted and the need to pass on verbal and/or written requests as soon as possible to the person or department responsible for carrying out this GDPR activity.
3. Implement a process for right to erasure requests
From the moment someone receives a request for their data to be deleted, a staff member should have clear guidelines to follow: they should know how to recognize an Article 17 request, who to contact, and what to say to the data subject.
The team or individual managing the request must also have a streamlined process of removing this data from live and backup systems, with deadlines assigned to each step.
4. Maintain consistent and transparent communication
As soon as you are contacted by someone making a request for erasure, you must be clear, honest, and upfront in your handling of the matter.
Delays in responding to requests or confusion over how and when you’ll be deleting personal data will only lead to unhappy data subjects, which isn’t good for business or reputation.
It’s a good idea to create some pre-approved templates or set up automated emails to use throughout key stages of the erasure process. These updates will save you time and ensure you continue to stay compliant.
If you’d like to learn more about how to delete personal data correctly or would like further expert insights into your data compliance process, our team of GDPR consultants would love to talk. Simply contact us here, and we’ll be in touch.