It’s not easy to be forgotten

 

‘The right to erasure (also known as ‘the right to be forgotten’), is an expression that has become somewhat familiar since the GDPR came into effect last year. In short, it means that you have the right to have your personal data deleted. Last year, the concept hit the press quite spectacularly when an English court ruled against Google in the case of an individual seeking to have certain personal information about him removed from Google search results.

 

 

When experts talk about the rights and responsibilities around personal data, they sometime fail to fully explain the terms they use. ‘Data subject’, is a good example. It simply means ‘an individual’ or a natural person who can be identified or identifiable – you, me, our family, etc. You may also hear about a ‘Data Controller’ – this is the organisation who decides how to use your data.

 

Another frequently overlooked term is ‘Personal Data’, which sounds obvious, but it’s important to be aware of the breadth of what this can cover. Names, email addresses and bank details are obvious examples of personal data. However, loyalty cards, payroll, medical records, your fingerprint, health conditions, GPS location, IP addresses, cookies and radio frequency tags: can all be personal data when used to identify you. If you’re unhappy with who is storing this information and wish to have your personal details removed from their records, the GDPR sets out a clear way to approach this. But before you start drafting an email, it’s really important to understand whether you actually want to be erased in the first place.

 

When it comes to the way your information is processed, shared and stored, you have a whole suite of rights to protect you.

 

 

If you want to know how and why a company is using your personal data, you can request to see what data an organisation holds about you and they must comply with that request. This is called a ‘subject access request’ and you can make your request in more or less any way – fax, email, letter, or even a phone call. From this point, a copy of your personal data must be provided within 30 days.

 

 

If your information is wrong, out of date or incomplete, the organisation holding it must make the appropriate changes. Again, to do this you must submit a request by fax, email, letter, or even a phone call, as you would for a subject access request.

 

The right to be forgotten is not an absolute right. There are quite a few scenarios in which organisations will refuse to remove your data from their systems because they have a very good reason that makes it impossible for them to do so. These scenarios are: 

 

 

There are plenty of well-documented circumstances where the answer is yes. Victims of crime, for example, might legitimately and understandably want to have newspaper reports/records removed from search engines. Outside of the media, you might have received terrible customer service from a business and want to cut all ties with them but do consider what this means for any purchase you may have made in the past. It might be better to just unsubscribe.

 

 

Finally, we must look from the perspective of the Data Controller. The stakes are high – fines for non-compliance with the GDPR are already being issued and the amounts are in millions. Organisations need to know exactly where your data resides in order to comply with legitimate requests for erasure. Can you imagine what a gargantuan task it must be to make sure that the information on customers, employees, suppliers, partners and more are all being looked after in the most secure and appropriate way? Whilst also being easily accessible and compliant for all manner of other legislation? This applies to the millions of contracts, documents or invoices that pass through EU businesses every day. So, while the vast majority of businesses have spent several years and huge investment bringing their systems into line, it’s everyone’s responsibility to understand why.