GDPR and the Right to Be Forgotten: Best Practices and Procedures
They say that the internet never forgets, but data privacy regulations try to change that by promoting the right to be forgotten. The GDPR establishes this right in Article 17, which grants European internet users the option to request the erasure of personal data from organizations’ databases.
Disclaimer: the following guide is not to be used for any legal purposes and was not created by legal professionals.
But how can businesses implement this right and ensure that users will have their data deleted upon request? Studies show that this isn’t obvious, with 90% of companies stating that it is too difficult to delete customer data and 60% concerned that they lack the technical ability to do so. It’s worth noting that these stats are relatively new, even though the GDPR has been around for quite some time.
After discussing consumer access requests and DSAR responses in general, we’re taking another step in turning GDPR rights into actionable strategies. <hl>The following guide should help businesses form a structured plan for fulfilling removal requests, making the complex task more manageable.<hl>
Recognize the removal request
This step is challenging because the GDPR does not state how requests for erasure should be submitted and can be done both in writing or verbally, leaving the door open to all kinds of interactions with organization members. In other words, a customer could, in theory, approach a random employee and verbally ask for their data to be erased without even mentioning the GDPR specifically, and this could qualify as a formal request that should have been processed and handled by the company.
This alarming scenario requires extensive educational efforts across the organization and a deeper understanding of the law on all levels. Everyone in the organization should be able to identify and document data subject requests and forward them to the relevant stakeholders.
A few tips include the creation of a removal request repository, appointing an employee responsible for capturing requests, and preparing a draft response that can be altered when needed. Remember that the GDPR has a time frame of one month of handing these requests (which can be extended in some cases), and the process should be thorough but quick.
Verify the requestor’s identity and validate the request
Every right has its boundaries, and companies can save a lot of time and trouble if they review the request to ensure that it is relevant and applicable. First, the organization should be considered an entity working in the EU or that collects or processes personal data from residents of the EU. Once that is established, the law details which requests are relevant, addressing data that is no longer required. The law also has some exceptions to this right depending on the type of data type and interaction.
The same goes for consent, which can be withdrawn to justify such requests. This is a pretty broad term, validating most requests. Still, an explicit withdrawal of consent or objection for the processing of personal data should be at the center of the request. Article 17 also includes data that was collected illegally, which seems relatively intuitive.
Organizations should also ensure that the data subject is indeed the owner of said information. The authentication process should require minimal effort and details. Otherwise, it might violate the very right it set out to protect.
Locate and erase the data
To perform the data erasure procedure, businesses need to stay on top of their data management process at all times and not just when requests are made. This step includes informing all relevant teams of the task and verifying their active involvement. You don't win a prize for trying if the subject’s personal data remains in your possession for any reason. Check every server, hard drive, cloud storage platform, and backup.
Since data impacts organizations' work, it’s also important to assess how removing it might affect the company. If other elements lose context due to the subject’s removal, filling the gap is another step to consider. You should also notify any third parties relying on the data, letting them know it has been removed and ensuring that the information is deleted from their servers as well.
Finally, inform the subject that their data was successfully removed, explain any implications it might have on the service you offer, and invite them to re-enter their information in the future should they choose to do so.
Document the removal
For the sake of any data audit or actions taken by authorities or requestors, keep track of all data subject requests, including those related to the GDPR right to be forgotten process. Know when the request was captured, how it was processed, how it was communicated to employees and the requestor, and more. Verify that your documents paint an accurate picture, and provide any explanation regarding issues that might raise doubt. The internal log should be precise and updated.
Manage a more efficient process with Mine PrivacyOps
No one can delete the progress data privacy has made in recent years. Companies must be prepared to remove more information at speed and with accuracy. Mine PrivacyOps shortens the process by allowing companies to automate their privacy operations and manage data requests more efficiently. The privacy portal logs all requests and enables everyone involved can be on top of things at any given moment.
Advanced automation and seamless integrations ensure that no information or request gets lost, validates requests quickly and easily, and prevents devastating human error. Check it out now and learn more about how Mine PrivacyOps can help you create an effortless data erasure process.