GDPR will be implemented in 2018. The EU has created this policy to be up to date for the digital age and put individuals back in control of their personal data. One specific part of GDPR is the right to erasure, also known as the right to be forgotten. This means that individuals will be able to request the removal of their personal data regardless of the reason.
Where does this apply?
The implementation of GDPR and the right to erasure will give people a lot more power and rights over their data, however, this doesn’t actually mean an absolute right to be forgotten. Individuals will have the right only in certain circumstances.
Specific circumstances include:
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overruling legitimate interest for continuing the processing.
- If personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- The personal data was in breach of GDPR and unlawful.
- The personal data is required to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Currently, under the DPA, an individual’s right to erasure is limited to processing that causes unwarranted and substantial damage and distress. However, under GDPR this threshold is not stated. Nevertheless, there will still be requests for rights to erasure which organisations can refuse to comply with.
For example, purposes such as, complying with legal obligations, public health purposes and to exercise the right of freedom of expression and information. A case by case assessment will be needed to consider the type of information, the sensitivity of the individual’s private life and public interest in having access to the information.
Children will also be affected by the GDPR law as there will be extra requirements due to the enhanced focus on protection of personal data online. If data is processed on children, when consent had been given previously, and the children request the right to erasure at a later date, then this requires special attention, because children may not have been aware of the risks when initially consenting.
Overall, organisations must accept that personal data rights will be changed to give more rights back to the individuals as opposed to the data controllers. The right to erasure will mean that organisations will need to create a simple process for individuals requesting a right to erasure.
To know more, check out the GDPR Conference Europe – a one-day event that will focus on the likely impact GDPR will have on business critical processes and provide a framework to keep your organisation GDPR compliant. GDPR Summit Series will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at www.gdprsummit.london.