This is the fourth post in our series to help businesses prepare for the EU General Data Protection Regulation (GDPR). To learn more, see our previous posts, “What GDPR Means for B2B Marketers”, “Does My Company Need a DPO for GDPR Compliance?” and “GDPR and Data Security: What You Need to Know.”
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect, and companies that do business in the EU will never look at personal data the same way again.
Since the dawn of business, companies have viewed the personal data they collect as their own property, leaving them free to do with it what they wished. The GDPR is turning this notion on its head and placing individuals firmly in control of their information — how it’s gathered and stored, how it’s processed, and what happens to it when they choose to end a relationship with the organization that collected it.
Among the rights that GDPR grants to data subjects in the European Union is the right to erasure, also known as the “right to be forgotten.” According to Article 17,
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay …”
The article goes on to enumerate the circumstances under which data subjects may invoke the right to be forgotten, including (but not limited to) the information no longer being necessary in relation to the purposes for which it was collected, the data subject withdrawing consent to use his or her data, and the data having been unlawfully processed.
As the May 25 draws closer, many organizations are facing questions about how to interpret this important requirement, how to go about meeting their obligation, and how to verify that requested erasures are handled properly. Having a thorough policy in place will help you address these questions and ensure that your organization is prepared to handle requests for erasure in a timely manner.
Which Parties Are Affected
As we’ve discussed previously, the GDPR makes an important distinction between data controllers and data processors. According to the EU’s official GDPR website, “A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”
The GDPR is specific in assigning to data controllers the responsibility not only of erasing personal data at the request of the data subject, but also of informing any processors who handle the person’s data on its behalf. Article 17.2 states that when a request for erasure is made, the controller “shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”
Exceptions to the Rule
Article 17.3 specifies that the right to be forgotten does not apply to the extent that processing is necessary
– “for exercising the right of freedom of expression and information,” which is being interpreted as applying to media organizations, as long as their actions do not impinge on individual rights
– for compliance with a legal obligation to which the controller is subject (such as document retention regulations)
– for reasons related to public health, such as preventing serious health endangerment or ensuring safety standards
– for archiving purposes related to scientific or historical research or statistical purposes
– for legal defense purposes, i.e., if the data is required for the organization to defend itself in a class-action lawsuit
Receiving Requests for Erasure
The GDPR does not specify a procedure for data subjects exercising the right for erasure, so your policy should cover all the means by which a request might be submitted. Consider all the various venues through which customers contact you, including:
– Face-to-face interactions
– Website chat
– Text message
– Mobile apps
Make sure that all personnel who handle customer communications are aware of this regulation and have a procedure in place for forwarding any requests for erasure to the appropriate team.
According to Article 12.3 of the GDPR, you have one month to notify the data subject “without undue delay” of the action taken on their request. The period may be extended by two further months if necessary, but you must notify the requester of the extension and provide the reasons for the delay.
Locating Personal Data
For most organizations, deleting a customer’s personal data isn’t a matter of pressing a single button. Retailers, for example, may have personal data stored in multiple systems, including sales, marketing, shipping, accounts receivable, customer support, and probably several others.
To ensure that your organization can process requests for erasure in a timely manner, it helps to have data flow diagrams and data inventories that show all the areas where personal data resides.
Erasing the Data
Include in your policy specific procedures for ensuring that data can be erased as requested from all applicable systems. If, for example, a request for erasure comes through the customer service team, how will that request be communicated to marketing, shipping, accounts payable, and all other areas that house personal data, and how will you verify that the data erasure is complete? The more specific you can be in the wording of your policy, the more smoothly the process will flow when a request for erasure does arrive.
Notifying Third Parties
Your data flow diagrams should encompass all transfers of personal data to third parties, and your procedure should include specific instructions for notifying these organizations of requests to erase data without undue delay.
True Influence Commitment
True Influence is committed to the privacy and integrity of our users’ personal data and will ensure that we meet or exceed all requirements to allow fast, easy, comprehensible access to and removal of a person’s information. To learn more, view our GDPR Statement.
If your organization does business with residents of the European Union, erasing personal data at the request of EU data subjects will have to become a part of your standard policies and procedures. Taking the time to develop a thorough policy around the right to be forgotten, with the help of your legal counsel, will benefit your organization on numerous levels. When a request for erasure does arrive, your team will know exactly how to handle it, and you can ensure that the request will be honored in a timely manner. Perhaps even more importantly, you can show your EU customers that you take GDPR compliance seriously, and they can feel confident that you are handling their personal data in a compliant and responsible manner.