GDPR Essentials: The Right to Erasure, Who Can Request it and How is it Applied?
Time is ticking: the implementation of the EU’s General Data Protection Regulation (GDPR) is less than 7 weeks away and companies are still struggling to come to terms with compliance. While some have already passed their audits and feel confident as we draw nearer to finding out the full extent of the GDPR’s enforcement, others are just now taking the first precautionary steps towards compliance.
Among the many requirements organizations must comply with, the right to erasure is one of the thorniest. A recent survey by big data application provider Solix found that 65% of respondents were unsure whether their companies can fully and permanently purge personal information from their systems. But what does the right to erasure imply, who does it apply to and, more importantly, what must companies do to comply with it? Let’s find out!
The right to be forgotten and the right to erasure
The GDPR’s article 17, detailing EU data subjects’ right to erasure is an extension of the EU-wide recognized right to be forgotten which mainly affected search engines operating in Europe. Based on the GDPR’s predecessor, the Data Protection Directive 95/46/EC, the right to be forgotten was the result of a landmark case in which the Court of Justice of the European Union ruled that an individual had the right to request that old, inaccurate or irrelevant data be removed from search results. The decision referred not so much to the deletion of the information in question as to its deindexing by search engines.
The right to erasure takes this concept one step further and enlarges it to encompass data stored and processed by companies. This means that EU data subjects are allowed to request and obtain the deletion of their personal data as long as:
- that data is not necessary anymore for the purposes for which it was initially collected and processed
- the data subject wants to withdraw consent for the data processing
- they use their right to object to the data processing
- the personal data in question was unlawfully processed
- the personal information has to be erased for compliance with a legal obligation in EU or Member State law to which the controller is subject to
- the personal data in question belongs to minors under 16 years of age
Exceptions to the right to erasure
Requests for data erasure can be rejected by data controllers and processors under special circumstances when:
- data is being processed while exercising the right of freedom of expression and information
- there is a legal obligation to process the data in question through the EU or Member State law to which the controller is subject to or it is a task that needs to be carried out in the public interest or in the exercise of official authority vested in the controllers
- there is a public interest in the area of public health
- in case of archiving in the public interest, for scientific, historical research or statistical purposes insofar as the deletion of the requested data might seriously impair the achievement of the objectives of that processing
- the data is needed to establish, exercise or defend legal claims
Since the right to be forgotten was cemented into European law, search giant Google has received over 655,000 requests for deindexing from its search results, amounting to over 2.4 million links, of which, 43.3% were removed. Big data processors and controllers in particular may find themselves dealing with similar numbers after May 25th. It is essential therefore that they have the right procedures in place to deal with requests when they receive them.
Requests can be made both verbally or in writing and need not follow any particular format. Companies must learn to identify these requests when they come in and ensure their personnel is aware that such requests can be made and need to be processed within one month from the time they are asked for.
The response time can be extended a further two months if a request is too complex or a number of requests are received from the same individual, but the data subject must immediately be notified if any such delays occur. If an organisation requires additional information to help identify the person making the request, they are not obligated to start processing the request until they receive it.
If a company chooses to refuse a request, it must inform the individual of the reasons they are not taking action as well as their right to complain to a supervisory authority concerning the decision and their ability to seek to enforce their right to erasure through legal action.
Companies are allowed to charge a reasonable fee for administrative costs in complying with a request only if it implies a disproportionate effort or is found to be manifestly unfounded.
These are the theoretical considerations of the GDPR’s right to erasure. But how can companies apply it in practice? Data discovery solutions such as Endpoint Protector’s eDiscovery module allow admins to search for customized content across an entire network’s endpoints. In this way, companies can learn if the data whose erasure is being requested is being stored locally on any employees’ hard drives and easily erase it where it is found.
As these requests for erasure are usually made to the data controller, it is their responsibility under the GDPR to inform any data processors authorized to process the data in question that the individual has requested the erasure of any links to, copy or replication of that personal data.
The GDPR however does make a small concession to companies in this case: the steps they need to take in this direction are limited to the available technology and the cost of its implementation. Organizations must take reasonable measures to ensure processors are aware of the request, but will not be at fault if the data is not completely erased by third parties.
For example, if a public listing for the rental of an apartment is made on a real estate website and that information is reproduced on forums or apartment rental groups on social media, the company that placed the initial ad is not expected to remove all these instances given it is unreasonable to assume it would be able to find them all.
In regards to whom the right to erasure applies to, according to the GDPR, any person located in the European Union falls under the incidence of its stipulations. This means that, in the case of data subjects, geographical location is key. A person’s nationality does not matter: as long as a person resides in an EU country, their privacy will be protected under the new regulation. This implies that companies cannot apply GDPR compliance policies on its data based on data subjects’ nationality, but must take into consideration their location.
The right to erasure, as seen through Google’s experience with the right to be forgotten, is likely to be one of the rights most sought after by EU data subjects. It is important therefore that companies plan ahead and ensure they have both efficient request processing procedures in place as well as a feasible method of finding and deleting all instances of a data set within all their systems.
Come May 25th, EU data subjects will have free rein to actively request that their data be erased and it is essential that organizations effectively and speedily deal with them when they come knocking.