What is the GDPR’s “right to be forgotten”?
“The right to be forgotten” is a big concept, especially in an online environment that’s all about making lasting impressions. Even though it seems to run counter to the nature of the internet, that right is a fundamental data subject right as part of the European Union’s General Data Protection Regulation and is a huge consideration for any website that collects personal data from its users.
What is the right to be forgotten?
Article 17 of the GDPR declares that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” Essentially, that means that any users under the jurisdiction of the GDPR can make a website delete any personal information about them on request.
Article 17, also referred to as “the right to erasure,” lists the grounds on which a request must be honored. Personal data must be deleted if:
- The data is no longer necessary to fulfill its intended purpose
- The data subject withdraws consent
- The data subject objects to the processing and there are no overriding legitimate grounds for continuing it
- The data is determined to have been collected or processed unlawfully
- EU or Member State law requires the data to be erased
- The data is subject to GDPR Article 8’s rules about personal data of children
Any website that violates the right to be forgotten risks substantial fines and penalties under GDPR guidelines, so it pays for organizations to know the ins and outs.
Why is this needed?
All of this is being done in the interest of protecting consumers and keeping online organizations from wielding too much power over the public. A 2014 BBC story, for instance, detailed the case of a man in Spain who auctioned off a property during a personal financial crisis. Years later, with his finances in much better shape, details of the auction still showed up prominently when he searched for his name on Google. The Court of Justice of the European Union agreed with his claim that this material was no longer relevant and was potentially damaging to his reputation. This case and others like it set in motion what would eventually become the GDPR’s right to be forgotten. Since that ruling, Google alone has received requests to remove nearly 2.5 million URLs from its search results.
What exactly is personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person; the simplest way to think of it is “anything that could reveal any facet of a person’s identity.” Generally speaking, that includes, but is not limited to, names, email addresses, photos and videos, physical or mailing addresses, IP addresses, and phone numbers—basically all of the information collected by any website that conducts transactions or requires members to sign in. (Remember to have a closer look at your cookie policy as well: the GDPR does not lay out explicit rules for cookies, but cookie identifiers can count as personal data when they can be tied to a person.)
This probably looks like a gigantic task for site owners. There’s no question that it is a challenge for plenty of companies, but taking an organized, educated approach to data processing can go a long way toward bringing your site into GDPR compliance.
What data needs to be forgotten?
Before you can ensure your users’ right to be forgotten, it’s important to understand the data you’re forgetting. That entails clarifying and defining roles within your web team, including any third-party vendors you work with.
For instance, the GDPR makes a distinction between the data controller and the data processor. The controller is the organization that collects consumer data and decides why and how it is used, while the processor is anyone who processes data on behalf of the controller. Generally speaking, the data controller is held responsible for the actions of its processors.
In the case of a company using non-GDPR-compliant software to organize internal email lists, for example, both the controller and the processor run the risk of being fined.
The surest way to make sure your site respects your users’ right to be forgotten is to know exactly what data you’re storing and how you will delete it upon request or after it’s no longer needed. Any organization that collects consumer information should plan on performing regular data audits, including creating a registry of all personally identifiable information collected and processed in the EU and the planned lifecycle of that data.
Quick Tips for Preparing for the Right to be Forgotten
Work with your organization’s data protection officer, security department, or personnel responsible for GDPR compliance on the following:
- Map data flows and lifecycles of all personal data that enters your organization (e.g. marketing leads, job applicants, employee bank account numbers)
- Create a plan for each department when the data is no longer useful or someone “requests to be forgotten”
- Keep a personal data inventory so you can quickly identify where certain data is stored
- Perform regular data audits
By being aware of exactly what data you’re collecting, where it’s being stored, how it’s being processed, and what protocol is being used for its deletion, your site can go a long way toward avoiding financial penalties and public relations setbacks.