GDPR and the Right to be Forgotten: How to process requests for erasure
How should you implement the Right to be Forgotten? Experts share best practices for dealing with customers who exercise their right to erasure.
In an ongoing series, MyCustomer speaks with a panel of experts to try to bring clarity to some of the more opaque areas of the impending General Data Protection Regulation (GDPR).
So far, we have examined the issue of “legitimate interest”, with our team of experts answering what legitimate interest is and how to know if your use of data qualifies.
We have also explored repermissioning - specifically, how to know if you need to repermission your customers for consent to continue using their data, and best practices for repermissioning.
In the latest in the series, the panel is exploring the Right to be Forgotten.
How should you implement the Right to be Forgotten?
Kim Smouter, the head of Government Affairs at ESOMAR
The ‘Right to be Forgotten’, or the ‘Right to Erasure’ under the GDPR, came into the spotlight with the now well-known case involving Google and has since been integrated into the new legal framework. It essentially means that any information held on the individual should be removed from your database and this has to be done within a month of the request being submitted to the organisation.
In practice, what this will mean for organisations is firstly having systems, databases and solutions that allow for this level of intervention, and secondly having the procedures in place to ensure that effective deletion takes place following receipt of the request. This might mean having to audit your systems and solutions to make sure these features exist and, if they don’t, to upgrade to new versions that allow for these sorts of intervention or to migrate to new solutions that will allow it. Your organisation’s inability to respond to such a request because of technical incapability will not be an acceptable reason to reject a request coming from a data subject.
Similarly, one of the challenges the organisation might face is that the information could be duplicated or triplicated in back-ups, or the information might also be found with partners. As part of the right to be forgotten, these back-ups must also have this information removed, and this is where it gets particularly tricky. The law also requires organisations to take reasonable steps to inform partners and to secure from them the deletion of information the data subject has asked to be removed.
Some top tips:
- Audit your systems, databases and software to ensure they allow you to delete data at an individual record level.
- Make sure you have procedures and contracts in place that enable you to enforce the same requirement on your processors and their sub-processors so that you can guarantee effective erasure.
- Consider implementing anonymisation techniques as quickly as possible so that you are not able to link the information back to the individual and therefore do not fall under a right to be forgotten request.
Paul Laughlin, founder, Laughlin Consultancy
First, be clear as to the basis for the request for erasure of personal data. There are several valid reasons, including withdrawal of consent, data no longer needed to fulfil the purpose originally communicated, the data subject objects to your processing and you have no overriding legitimate interest basis, or your use was a breach of GDPR. However, I would urge clarity on the case for erasure, because it’s not an absolute right.
With regards to how to implement such a request, the starting point is the work all organisations should have done as preparation – an audit of data you hold. One of the biggest challenges for many businesses is their lack of a single customer view. Disaggregated or disconnected customer data risks you only deleting some of the data you hold on an individual. Poor data quality can make this situation worse.
Minor discrepancies in customer data records could mean you appear to have only deleted one version of your data on a person, while still processing or communicating using a slight variant. For this reason, investing in data quality improvement and more complete customer data indexing is a sensible precaution before receiving your first request.
Your audit of personal data will probably reveal that different elements are held across your landscape of new and legacy systems. Prior to receiving a request, ensure you have a good understanding of the work involved for each system.
How long will it take you to find customer data on different systems? How interconnected are records? Do you even have systems where it is not possible to delete data completely? Those systems which process data in a way that impacts customers (e.g. communications, service or product actions) should be prioritised for erasure. You should be able to justify why you prioritised certain deletions and why the time it takes is ‘reasonable’.
Given that the cost, or viability, of deleting certain records may be disproportionate to the impact on customers, it is also worth considering alternative mitigations. It may be sufficient to isolate data from processing (or wider user access). For some situations you might also consider the acceptability of aggregation or even just pseudonymisation. Your litmus test should always be: is this action ‘reasonable’ and proportionate to any current or potential impact on the data subject? Honour legitimate deletion requests whenever you can, but be prepared for the possibility of a whole industry of agencies submitting bulk requests on behalf of clients. Once again, prioritisation and a prescribed process should help defend reasonable response times.
Your preparation for GDPR should have also included identifying any data processors or other organisations with whom you share personal data. Remember that you have a responsibility to also notify them of requests for erasure. As with your own actions to delete personal data, you should take ‘reasonable steps’ to do so, ‘without undue delay’.
Finally, be aware of your extra responsibilities with regards to children. As well as needing to take reasonable steps to identify that any personal data you hold belongs to a minor, they also have extra rights to deletion. They continue to hold the right, throughout their life to withdraw past consent and claim they did not appreciate the implications of sharing their data with you. The ICO is likely to always defend this right and so it is wise to prioritise making it easier to delete data where the person was a child at the time (e.g. restricting usage of this data anyway, like not adding to CRM or marketing pools).
Jim Roberts, director and founder, BlacklerRoberts
The ‘Right to Erasure’ is a subject that has caused lots of conversation and hand wringing. Do they actually mean deletion of all personal data? Well yes they do, but there are considerations when looking to implement this, which impact not only the data controller but the data subject as well.
The first thing to consider is: have you completed a data audit, and do you understand where personal data is collected, stored and used within your organisation? Without this, your ability to erase personal data will be difficult at best and you will run the risk of leaving instances of the person behind.
So assuming this has been completed, the ‘Right to Erasure’ procedure should consider the following elements:
- Verify the identity of the individual making the request. A key part of several rights of individuals is ensuring you have authenticated that the individual is who they say they are. Ensure your process considers how this will be achieved and the information required to prove identity.
- Explain the implications of full erasure. Erasing all personal details will mean they no longer exist in your data universe, so if they reappear legitimately through, say, a third-party data provider or via a subsequent purchase, they will then be treated as a new person. This impact should be identified and explained to the individual to ensure they want actual erasure, or whether they want to Restrict Processing or Object to Processing.
- Inform other recipients of erasure. As with rectification and restriction of processing, there is an obligation to inform recipients of the personal data, unless this proves impossible or involves disproportionate effort. Look at how this step will be achieved and what is practical.
- What to erase? All personal data of the person requesting the erasure. If we assume that the request is valid and the data subject has had all implications of full erasure explained, then yes, the onus is to delete all instances of personal data. In practical terms this may prove trickier to achieve and, although it is absolutely the target, is best achieved through a risk-based approach. So, using the data audit you have completed, look at where data may be held and then the impact of not deleting data. Implement procedures to remove personal data from those areas with the biggest impact, and identify those areas where personal data may be harder to find/remove and document your approach. For example, internal support systems with screenshots to explain a problem and solution may contain personal data, so could this be obfuscated without losing the knowledge-base type value?
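The three contributions above agree on the mechanics (delete at record level, deal with back-up copies and partners, keep logs that cannot be tied back to the person, verify identity, explain the consequences, and, as the comments below ask, decide what record of the erasure itself to keep) but give no code. The following Python sketch is an added example written for this edit; it is not code from MyCustomer or any of the panellists and is not legal advice. It assumes a design in which each customer’s personal data is sealed under a per-subject key, so destroying that key makes every back-up copy unreadable (an approach often called crypto-shredding), activity logs carry only a keyed pseudonym that cannot be recomputed once the key is gone, and the only record of erasure is a salted hash of the e-mail address that is itself expired after a retention period. The class and method names, the one-year retention figure, the sample customer and the HMAC-based stand-in cipher are all assumptions of the example; use AES-GCM from a maintained library for real data.

```python
# Added example, not code from MyCustomer or the panellists. Assumed design: per-subject keys
# (destroy the key and every back-up copy goes dark), keyed pseudonyms in logs, and a record of
# erasure that is only a salted e-mail hash, expired after SUPPRESSION_TTL (all assumptions).
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta
from typing import Optional

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode (stdlib only). Use AES-GCM for real data."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, b"ks" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag so that open_sealed can reject tampered blobs."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)

class CustomerStore:
    SUPPRESSION_TTL = timedelta(days=365)  # assumption: keep the record of erasure for one year

    def __init__(self, pepper: bytes):
        self._pepper = pepper  # server-side secret for suppression-list hashes
        self._keys = {}        # customer_id -> per-subject key; deleting it is the erasure
        self.records = {}      # customer_id -> sealed PII blob
        self.backups = []      # snapshots of self.records (sealed blobs only, never keys)
        self.events = []       # (pseudonym, event) rows; no raw identifier ever lands here
        self.suppression = {}  # salted e-mail hash -> date erased

    def add_customer(self, customer_id: str, pii: dict) -> None:
        self._keys[customer_id] = key = secrets.token_bytes(32)
        self.records[customer_id] = seal(key, json.dumps(pii).encode())

    def _unseal(self, customer_id: str, table: dict) -> Optional[dict]:
        key, blob = self._keys.get(customer_id), table.get(customer_id)
        return None if key is None or blob is None else json.loads(open_sealed(key, blob))

    def read_customer(self, customer_id: str) -> Optional[dict]:
        return self._unseal(customer_id, self.records)

    def restore_from_backup(self, customer_id: str) -> Optional[dict]:
        """The blob survives in the back-up after erasure, but without the key it is noise."""
        return self._unseal(customer_id, self.backups[-1]) if self.backups else None

    def pseudonym(self, customer_id: str) -> Optional[str]:
        """Keyed pseudonym for logs; cannot be recomputed once the per-subject key is gone."""
        key = self._keys.get(customer_id)
        return None if key is None else hmac.new(key, b"pseudonym", hashlib.sha256).hexdigest()[:16]

    def _suppression_hash(self, email: str) -> str:
        return hmac.new(self._pepper, email.strip().lower().encode(), hashlib.sha256).hexdigest()

    def is_suppressed(self, email: str) -> bool:
        """Check before importing partner data so an erased person is not quietly re-added."""
        return self._suppression_hash(email) in self.suppression

    def erase(self, customer_id: str, today: date) -> dict:
        """Honour a verified request; returns a confirmation for the subject, not a data dump."""
        pii = self.read_customer(customer_id)
        if pii is None:
            raise KeyError(f"unknown subject {customer_id}")
        self.suppression[self._suppression_hash(pii["email"])] = today
        del self._keys[customer_id]  # crypto-shred: live record and every back-up copy go dark
        del self.records[customer_id]
        return {"subject": customer_id, "erased_on": today.isoformat(),
                "covered": ["customer_db", "back-ups (key destroyed)", "activity_log (unlinkable)"],
                "retained": "salted hash of the e-mail address, for the suppression list only"}

    def expire_suppression(self, today: date) -> int:
        """The record of erasure is personal data too: drop it after the retention period."""
        stale = [h for h, d in self.suppression.items() if today - d > self.SUPPRESSION_TTL]
        for h in stale:
            del self.suppression[h]
        return len(stale)

def demo() -> dict:
    """End-to-end run on constructed sample data; returns checkpoints a test can assert on."""
    store = CustomerStore(pepper=b"server-side-secret")
    store.add_customer("c1", {"email": "Ann@Example.com", "name": "Ann"})
    store.events.append((store.pseudonym("c1"), "login"))
    store.backups.append(dict(store.records))  # nightly back-up taken before the request
    before, pseud = store.read_customer("c1")["name"], store.pseudonym("c1")
    summary = store.erase("c1", date(2018, 5, 25))
    return {"before": before, "summary": summary,
            "after_read": store.read_customer("c1"),
            "after_restore": store.restore_from_backup("c1"),
            "log_linkable": store.pseudonym("c1") == pseud,
            "suppressed": store.is_suppressed("ann@example.com"),
            "expired_early": store.expire_suppression(date(2019, 5, 24)),
            "expired_late": store.expire_suppression(date(2019, 5, 27)),
            "still_suppressed": store.is_suppressed("ann@example.com")}
```

Two caveats a practitioner would raise. First, the scheme only works if the per-subject keys are never written into the same back-ups as the sealed blobs, and anyone who already holds a copy of a key, or a partner who was sent the pseudonym mapping, can still re-link the old records, which is why the notification of recipients discussed above remains a separate step. Second, the example does not model the retention obligations raised in the comments (accounting records, usage logs kept for legal claims); those are exceptions to be documented in the privacy notice and the erasure confirmation rather than coded around.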
Neil Davey was previously the editor of MyCustomer from 2007 until May 2023. An experienced business journalist and editor, Neil has worked on a variety of newspapers, magazines and websites over the past 20 years, including Internet Works, CXO magazine and Business Management.
For an ecommerce website receiving a data erasure request, can the customer's data on an order record be retained?
Hi Nick, your query should be answered here:
In short, it appears that you can keep some details, in order to prove that a transaction/relationship existed. The example being that you may need to keep some customer details (i.e. their order details) in event that there could be a complaint that you need to deal with.
Further to this - as an ecommerce business as well we would need to keep details also for keeping financial records for 7 years. In this time we would not be contacting them, it's only held for accounting purposes as required by HMRC. Be good to have your thoughts on how to put this to a customer in a customer friendly way!
Here is a question with regards to the 'Right to Erasure'. Once you have deleted all of the subjects data are you required to retain a record of erasure for the subject or not?
Further to that, do you have to give a detailed report back to the subject, or is just confirmation acceptable? Obviously we will be keeping a record of the erasure (should they get that?). Article 17 doesn't actually tell you how to communicate back to the subject.
It's a good question, Phil. I'll look into this for you to try and get some clarity on this. I *believe* that you only need to confirm that that their request for erasure has been complied with, rather than provide them with all the information you held on them, as you would need to do if you received a subject access request (https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio...).
Interesting point. It would be good to hear more on this - if we do need to provide any 'proof' of what has been deleted.
Quote: "Here is a question with regards to the 'Right to Erasure'. Once you have deleted all of the subjects data are you required to retain a record of erasure for the subject or not?"
I think this is possibly the more important question. Do you know the answer?
Thanks for your query. My understanding here is that the organisation should be clear in its privacy terms/statement how it will use customer data, and as part of this it should confirm if it will retain a record of deletion (which may include an email address). Similarly, it should be stated if an unsubscribe from a newsletter is recorded and retained.
But even these records of deletion should probably be deleted after a certain amount of time.
I will try to look into this further and should I find anything more to this, I'll post here.
Any further info on this?
Hi Michael, I've found nothing more on this to date. I will update here if I find/hear anything that contradicts my original response, though. Thanks Michael.
Some of our private customers, those who install our free app, do not register with their names and personal details, but only with cell phone number. Is such a customer considered an anonymous? In case of a deletion request - does the phone number need to be deleted?
What about activity logs and CDRs where the phone number appears?
As for our paying customers - we have their personal details on receipts, do we need to "anonymize" those details from receipts in case of such a request?
Firstly, the article was great and informative. I have a question in regards to the Right to restrict processing. Can I still process the pseudonymous data even after restricting it to honour the right to restriction of the data subject? Does the pseudonymous data still fall under the scope of data subject rights?
The ICO's recommendations on this can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio...
There's no mention of pseudonymous data there, however.
My understanding is that personal data that has been pseudonymised can fall within the scope of the GDPR depending on whether the party holding it has access to the key, plus how difficult it is to attribute the pseudonym to a particular individual.
The ICO's official line on pseudonymised data can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio...
Pizza Hut Rewards was hacked and I did not trust them any longer with my data. I asked them to delete my data. They replied and said they want my passport or driving licence to confirm my identity. Surely a simple request from my email with a logged IP address should be sufficient. It's only to get free garlic bread with every third pizza!!!
So in essence, if you don't trust a company with your data you need to supply more data, and trust they actually have deleted it? So GDPR is worthless.
As providers of mobile apps and communication services, we need to keep some app usage records in order to present them in case of a legal or criminal claim. We keep those usage records for 7 years (as requires a legal system in our country), and they include data subject phone number. How do such requirements fit with the GDPR?
The US comes to grips with what some are calling the American GDPR-like regulations from the state of California. With this comes the realization of how important customer communications are in Data Access and Data Deletion requests. Has anyone, including the ICO, provided best practice for explaining the scope of Data Deletion Requests and that customer data will still persist and be reported on subsequent Data Access Requests if that data falls into one of the exceptions, e.g. Legitimate Interest and Legal Obligation?
Some of the records we keep holding customers personal data are app usage records with the clients' phone number, and financial records with deal details - is it acceptable to keep those records in spite of erasure request if the law says to keep them for certain amount of time in case of a lawsuit or criminal claim?
Some companies would direct the data subject to their in-app function to delete the user account. Will this suffice to satisfy the right to deletion under GDPR? Or does the deletion have to be done by the company without further action by the data subject?