When Catwoman battled Batman and the foes of Gotham City in the Dark Knight Rises,
all she wanted was her digital data to be erased so she could start again. Little did she
know that before long (and back in the real world), the EU would require companies to
allow its citizens to erase personal data processed and stored by businesses.
It all started in 2010 when a Spanish citizen noticed the auction of his repossessed
home was still visible online long after the event. He requested an online newspaper,
and Google Spain, remove or alter his information so it wouldn’t be shown in search
results. On May 13th 2014, the EU court ruled in his favor and the seed was planted for
what would become “the right to be forgotten.”
As a part of the GDPR businesses will have to find and delete any stored personal data
if requested by a EU citizen, and it’s this part that’ll change the way data is handled in
Europe and beyond. Knowing how and when this legislation applies is key to avoiding a
huge fine or scrambling for a process after a request has been placed; so to make it a
little easier, I’ve outlined the basics below.
The right to erasure isn’t quite as simple as it seems, but in a nutshell any EU citizen
will have a right to request personal data be erased when:
- the data is no longer relevant to the purpose for which it was collected
- the individual withdraws consent.
- there’s no more interest for continuing the processing.
- the personal data was processed unlawfully
- there’s a legal obligation to erase the data
There will be certain circumstances where a right to erasure won’t qualify, so it’s handy to know when you can refuse a request. Most of the time it depends on your data and the reasons behind it’s processing/storage, but generally you can refuse if:
- you can exercise the right of freedom of expression and information
- you comply with a legal obligation, the performance of a public interest task or the exercise of official authority
- your data is related to public health purposes in the public interest
- you’re archiving data in the public interest, for scientific research historical research or statistical purposes
- you exercise the defence of legal claims
An often overlooked element of the right to erasure is how it applies to children’s
personal data. When it comes to handling any data related to a minor, organizations
must be more vigilant on exactly how it’s being processed and stored. The GDPR
puts a lot of emphasis on how children’s data is processed and aims to seriously
enhance their online protection in the future.
When you’re processing the personal data of a child, you’ll need to pay particular
attention to how and where they consented for their data to be processed –
especially on social media platforms and online forums. It could be ruled that a child
may not have been fully aware of the risks of their data being processed, making
most steps toward obtaining consent difficult.
Another factor not to overlook will be the third parties your organization may have
disclosed data to. If any of your customer data is shared with a third party you’ll be
required to inform them about any request for erasure. The GDPR is very explicit on
this point and clearly clarifies that companies who make personal data public need to
set up a process to delete links, copies or anything related to the replicated data.
Setting up a process to control your data across multiple third party sites can seem
like a daunting challenge. It’s common practice for many organizations to use social
networks, forums and partner websites as part of their content strategy – and a clear
process to cover them all will be needed to comply fully.
Last but certainly not least, businesses will need to implement effective user interfaces
so their customers know exactly how their data will be used before they engage with
your business. It’s been stated that organizations should communicate with users “in a
concise, transparent, intelligible and easily accessible form, using clear and plain
The GDPR will also require you to provide “modalities” for users to exercise
their data rights. These modalities should become a cornerstone of your user interfaces
and customer support services. Displaying your attempts to fully comply with erasure
requests will work in your favor in the event of a GDPR investigation or lawsuit, so whilethis preparation may seem arduous – the protection it’ll provide will be priceless.
The GDPR is coming and there’s no turning back. But it doesn’t have to be all doom and
gloom. With well thought out application orchestration, it’s relatively easy to connect your systems and touch points into a single, controllable, centralized flow – all of which can be used and understood by anyone in your organization.
A likely (and useful) side-effect ofthe right to erasure is that it will force companies into building a single customer view -making them more data-smart over time and have a clearer, cross-channel picture of their customers and their behaviour.