By now your business should have heard of, and may already need to be compliant with, the General Data Protection Regulation (GDPR).
This EU data privacy law requires all businesses that offer goods and services to individuals in the EU, reside in the EU, or monitor consumer behaviour in those markets to comply with new standards for data collection and usage.
One of the most important aspects for companies looking to comply with the GDPR is the “right to erasure”, otherwise known as the “right to be forgotten”. In this blog, we will explain exactly what this means and when it applies to your organization’s data privacy strategy.
What is the right to erasure?
The right to erasure appears in Article 17 of the GDPR. It states that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions apply.
Consumers have the right to have their personal data erased if any of these conditions are met:
- the personal data is no longer necessary for the purposes for which it was collected or processed by the organization;
- the individual withdraws their consent to the organization using their data;
- the individual objects to their data being processed;
- the personal data has been unlawfully processed;
- a legal obligation or ruling requires the data to be erased;
- the data being processed relates to the offer of information society services to a child.
When an organization has made personal data public and is obligated to erase it, it must, taking into account available technology and the cost of implementation, take reasonable steps and technical measures to inform all data processors handling that personal data that it should be erased.
The right to erasure greatly increases a consumer’s control over the distribution and usage of their personal data. This means that companies which collect and use data in the EU market must not only be able to prove the need for the data they hold, but must also implement plans that allow them to quickly and securely erase that data when required.
Are there any exceptions to the right to erasure?
Once a customer has exercised their right to erasure, the data must be erased without undue delay. In most circumstances, “without undue delay” is taken to mean a maximum of one month.
However, the right to erasure (or right to be forgotten) is not an absolute right for consumers based in the EU. While consumers have the right to have their data erased if any of the above conditions are met, there are exceptions under which an organization may retain personal data.
The right to erasure does not apply when personal data is necessary for:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation;
- reasons of public interest in the area of public health;
- archiving in the public interest, scientific or historical research, or statistical purposes;
- the establishment, exercise or defence of legal claims;
- another legal basis on which the company relies.
If your organization collects, stores and manages data from customers in the EU, then it’s absolutely essential that you are compliant with the GDPR. The right to erasure is a huge part of those regulations, and your company should have a transparent data privacy strategy that gives customers the opportunity to have their data erased.
Are you concerned that your business isn’t compliant with the GDPR’s right to erasure legislation? Contact Enzuzo today. Our team of data privacy experts will answer any questions you have.