GDPR: Don’t Forget The Right to be Forgotten
As a part of the GDPR, businesses will have to find and delete any stored personal data if requested by an EU citizen, and it's this part that will change the way data is handled in Europe and beyond.

When Catwoman battled Batman and the foes of Gotham City in The Dark Knight Rises, all she wanted was for her digital data to be erased so she could start again. Little did she know that before long (and back in the real world), the EU would require companies to allow its citizens to erase personal data processed and stored by businesses.

It all started in 2010 when a Spanish citizen noticed the auction of his repossessed home was still visible online long after the event. He requested that an online newspaper, and Google Spain, remove or alter his information so it wouldn't be shown in search results. On May 13th 2014, the EU court ruled in his favor and the seed was planted for what would become "the right to be forgotten."

Kris Lahiri, Chief Security Officer, Egnyte.

Knowing how and when this legislation applies is key to avoiding a huge fine or scrambling for a process after a request has been placed; so to make it a little easier, I've outlined the basics below.

The right to erasure isn't quite as simple as it seems, but in a nutshell any EU citizen will have a right to request that personal data be erased when:
- the data is no longer relevant to the purpose for which it was collected
- the individual withdraws consent
- there's no longer a legitimate interest in continuing the processing
- the personal data was processed unlawfully
- there's a legal obligation to erase the data
There will be certain circumstances where a request for erasure won't qualify, so it's handy to know when you can refuse one. Most of the time it depends on your data and the reasons behind its processing and storage, but generally you can refuse if:
- you are exercising the right of freedom of expression and information
- you are complying with a legal obligation, performing a task in the public interest or exercising official authority
- the data is being processed for public health purposes in the public interest
- you're archiving data in the public interest, or for scientific research, historical research or statistical purposes
- you need the data to establish, exercise or defend legal claims
An often overlooked element of the right to erasure is how it applies to children's personal data. When it comes to handling any data related to a minor, organizations must be more vigilant about exactly how it's being processed and stored. The GDPR puts a lot of emphasis on how children's data is processed and aims to seriously enhance their online protection in the future.

When you're processing the personal data of a child, you'll need to pay particular attention to how and where they consented for their data to be processed, especially on social media platforms and online forums. It could be ruled that a child may not have been fully aware of the risks of their data being processed, making most steps toward obtaining consent difficult.

Another factor not to overlook is the third parties your organization may have disclosed data to. If any of your customer data is shared with a third party, you'll be required to inform them about any request for erasure. The GDPR is very explicit on this point and makes clear that companies who make personal data public need to set up a process to delete links, copies or anything related to the replicated data.

Setting up a process to control your data across multiple third-party sites can seem like a daunting challenge. It's common practice for many organizations to use social networks, forums and partner websites as part of their content strategy, and a clear process to cover them all will be needed to comply fully.

Last but certainly not least, businesses will need to implement effective user interfaces so their customers know exactly how their data will be used before they engage with the business. It's been stated that organizations should communicate with users "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
The GDPR will also require you to provide "modalities" for users to exercise their data rights. These modalities should become a cornerstone of your user interfaces and customer support services. Displaying your attempts to fully comply with erasure requests will work in your favor in the event of a GDPR investigation or lawsuit, so while this preparation may seem arduous, the protection it'll provide will be priceless.

The GDPR is coming and there's no turning back. But it doesn't have to be all doom and gloom. With well thought out application orchestration, it's relatively easy to connect your systems and touch points into a single, controllable, centralized flow, all of which can be used and understood by anyone in your organization.

A likely (and useful) side-effect of the right to erasure is that it will force companies into building a single customer view, making them more data-smart over time and giving them a clearer, cross-channel picture of their customers and their behaviour.

See the featured article on Computer Business Review.