Don’t Forget The Right to be Forgotten
When Catwoman battled Batman in the Dark Knight Rises, all she wanted was her digital data to be erased so she could be “forgotten”. Little did she know that had she simply become an EU resident, the process would have been a whole lot easier.It all started in 2010 when a Spanish citizen noticed the auction of his repossessed home was still visible online long after the event. He requested an online newspaper and Google Spain remove or alter his information so it wouldn’t be shown in search results, and on May 13th, 2014, the E.U. court ruled in his favor. The rest, as they say, is history. The seed had been planted for what would become the European Union’s General Data Protection Regulation (GDPR).An important part of this legislation means businesses will have to find and delete any stored personal data if requested by an E.U resident, and it’s changing the way data is being handled by businesses. Knowing how and when this legislation applies is key to avoiding a huge fine or scrambling to process a request to be forgotten.The right to be forgotten isn’t quite as simple as it seems but in a nutshell, any E.U citizen has the right to request personal data be erased when:
- the data is no longer relevant to the purpose for which it was collected
- the individual withdraws consent.
- there’s no more interest in continuing the processing.
- the personal data was processed unlawfully
- there’s a legal obligation to erase the data
There are certain circumstances where a right to erasure won’t qualify. Most of the time it depends on the data and the reasons behind it being processed and stored, but in general, businesses can refuse if:
- they can exercise the right of freedom of expression and information
- they can comply with a legal obligation, the performance of a public interest task or the exercise of official authority
- the data is related to public health purposes in the public interest
- data is being archived in the public interest, for scientific research historical research or statistical purposes
- a defense or legal claim is made
An often overlooked element of this EU right is how it applies to children’s personal data. When it comes to handling any data related to a minor, organizations must be more vigilant on exactly how it’s being processed and stored. The GDPR puts a lot of emphasis on how children’s data is processed and aims to seriously enhance their online protection.When processing the personal data of a child, pay particular attention to how and where they consented for their data to be processed - especially on social media and online forums. It could be ruled that a child may not have been fully aware of the risks of their data being processed, making most steps toward obtaining consent difficult. Another factor not to overlook are the third parties your organization may have disclosed data to. If any of your customer data is shared with a third party you’re required to inform them about any request for erasure. The GDPR is very explicit on this point and clearly clarifies that companies who make personal data public need to set up a process to delete links, copies or anything related to the replicated data.Setting up a process to control your data across multiple sites can seem like a daunting challenge. It’s common practice for many organizations to use social networks, forums and partner websites as part of their content strategy - and a clear process will be needed to comply fully.Last but certainly not least, businesses need to implement effective user interfaces so their customers know exactly how their data will be used. It’s been stated that organizations should communicate with users “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” The GDPR also requires you to provide “modalities” for users to exercise their data rights. These modalities should become a cornerstone of your user interfaces and customer support services. Displaying your attempts to fully comply with erasure requests will work in your favor in the event of a GDPR investigation or lawsuit, so while this preparation may seem arduous - the protection it’ll provide will be priceless.The GDPR is here and there’s no turning back. But it doesn’t have to be all doom and gloom. With well thought out application orchestration, it’s relatively easy to connect your systems and touchpoints into a single, controllable, centralized flow - all of which can be used and understood by anyone in your organization. A likely (and useful) side-effect of the right to erasure is that it’ll likely force companies into building a single customer view - making them more data-smart over time and with a clearer, cross-channel picture of their customer’s behavior.Attend webinar to learn more about GDPR after the May 25th enforcement.