Managing the right to erasure
Ten tips to tackle erasure requests
What data should you erase? When can you refuse? And, on a technical level, how do you make sure everything is actually deleted, especially if held on multiple systems?
Fulfilling people’s privacy rights isn’t easy, and GDPR’s Right to Erasure can raise complex challenges. Add to this the tight timeframe to action requests, or bulk requests from third parties, and it can turn into a bit of a minefield.
We’ve got some tips to help navigate around the quicksand. But first, a little refresher on what the Right to Erasure means.
What is the Right to Erasure?
As the name suggests, a person has the right to request that their personal data is erased from your systems if you no longer have a compelling reason to keep it.
You may hear it referred to as the ‘Right to be Forgotten’. This stems from a decision in 2014 by the Court of Justice of the EU which recognised the right of EU citizens to request the removal of links to personal information on search engines.
GDPR took this ruling a step further and enshrined a broader right into EU law, taking it beyond the context of publicly available personal information. Under the post-Brexit spin-off, UK GDPR, the right remains the same.
People have the right to submit an erasure request to any organisation operating within the UK/EU or organisations in other territories which handle the data of UK/EU citizens. It’s not an absolute right, and there are circumstances in which it can be denied.
When does the right to erasure apply?
You need to fulfil a person’s request for erasure in the following circumstances:
- It’s no longer necessary for the organisation to hold onto the personal data of an individual for the purposes it was collected
- They gave you their consent and now wish to withdraw this consent
- You’re relying on legitimate interests as your lawful basis to handle their data, they object to this, and you have no compelling and overriding legitimate interest to continue
- They gave you their details for direct marketing purposes and no longer want to receive communications. (You are permitted to keep a minimised record on a suppression file).
- You’re fulfilling a legal ruling or legal obligation to erase the data
- You’re processing a child’s data to provide information services (i.e. online services)
- You’re handling their data unlawfully
The last point, a general ‘catch-all’, is a tricky one to balance, as there may be many reasons why personal data could be processed unlawfully.
For example, the handling of personal data might be considered unlawful if it’s inaccurate, or if necessary information about your processing has not been provided in a privacy notice.
When can you refuse an erasure request?
The right to erasure doesn’t apply when you’re holding personal data for the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the establishment or defence of legal claims
- to perform a task carried out in the public interest or when exercising an organisation’s official authority
- for public interest in the area of public health
- for archiving purposes in the public interest, scientific or historical research or statistical purposes (where erasure would make this impossible or seriously impair your objectives)
Under UK GDPR there are two specific circumstances where the right to erasure doesn’t apply to special category data. Further information about these exemptions can be found in the ICO erasure guidance.
It’s also important to consider whether you have a contract in place with the individual, which requires the processing of their data, and the impact on this of the erasure request.
There may also be grounds for refusing a request where you can justify that it’s manifestly unfounded or excessive. See the ICO’s guidance on exemptions.
If you refuse to comply with a request, you must explain why and tell the individual they have the right to raise a complaint with the ICO (or other relevant supervisory authority).
There are many variables at play; each request needs to be assessed on a case-by-case basis. This is where the devil really is in the detail.
10 tips for handling erasure requests
1. Awareness
Someone can request their data is erased, either in writing or verbally. They might make this request to anyone in your organisation. So, everyone needs to know how to recognise this type of request, what to do if they receive one, who to direct it to and so on.
Awareness campaigns, training and easy-to-understand policies all play their part in getting key messages across to all staff.
2. Identity verification
You clearly don’t want to delete someone’s details unless you are absolutely sure they are who they say they are. Sometimes this will be obvious, but in other circumstances you’ll need to ask for verification of identity. However, if the deletion would have no negative impact on the individual, for example they are only on your marketing lists, you may feel asking for proof of identification is unnecessary.
When asking for proof of ID, only ask for the minimum amount of information necessary to confirm identity. Don’t accumulate more information, such as copies of passports or driving licences, unless it’s justified, and remember to delete these too!
If a request is received via another organisation, make sure this third party definitely has the authority to act on behalf of the individual in question. The responsibility lies with the third party to provide any necessary evidence to prove this. Bear this in mind if you’re the third party!
3. Technical measures
Your customers might think deleting their data is as simple as clicking a button. If only it were that easy!
It can be difficult to locate, identify, assess and properly delete data – especially if it’s held on many different systems. You might hold records on emails, backed-up systems, on the cloud… all must be deleted.
Make sure your systems, applications and databases allow the easy identification and deletion of individuals. You may also need to assess the implications of deletion; it can affect how different software works.
This is where the concept of Data Protection by Design really supports businesses. If from the outset of any new project or initiative you make sure you factor in managing individual data rights, it will make life much easier in the long run.
It’s worth reiterating – the right to erasure extends to deleting data from backups. However, the ICO recognises the inherent difficulties here and says, “the key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten.”
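The following is an added example, not code from the original post: a small erasure workflow that deletes a data subject from every registered live store, verifies each deletion, and puts the backup copy ‘beyond use’ by destroying a per-subject encryption key (crypto-shredding is an assumption of the example; the post only quotes the ICO’s wording). The stores, the subject id and the SHA-256 counter-mode keystream are all constructed stand-ins; a real system would use a proper cipher such as AES-GCM and a managed key store.

```python
"""Added example (not from the original post): erase a data subject from
several systems, crypto-shred the backup copy, and verify the result."""
import hashlib
import os


class KeyVault:
    """Per-subject encryption keys, held apart from the backups. Destroying
    a key renders every backup copy encrypted under it unreadable, which is
    how this example puts backup data 'beyond use' (an assumption here)."""

    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        return self._keys.setdefault(subject_id, os.urandom(32))

    def destroy(self, subject_id):
        self._keys.pop(subject_id, None)

    def has_key(self, subject_id):
        return subject_id in self._keys


def _keystream(key, nonce, length):
    # Toy SHA-256 counter-mode keystream; stands in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class BackupStore:
    """Immutable backup: blobs cannot be deleted, only made unreadable."""

    def __init__(self, vault):
        self.vault = vault
        self.blobs = {}  # subject_id -> (nonce, ciphertext)

    def store(self, subject_id, plaintext):
        nonce = os.urandom(12)
        stream = _keystream(self.vault.key_for(subject_id), nonce, len(plaintext))
        self.blobs[subject_id] = (nonce, xor_bytes(plaintext, stream))

    def read(self, subject_id):
        # No key (destroyed) or no blob: nothing readable for this subject.
        if not self.vault.has_key(subject_id) or subject_id not in self.blobs:
            return None
        nonce, ciphertext = self.blobs[subject_id]
        stream = _keystream(self.vault.key_for(subject_id), nonce, len(ciphertext))
        return xor_bytes(ciphertext, stream)


class TableStore:
    """Mutable live system (CRM, mailing list, ticketing) keyed by subject id."""

    def __init__(self, name):
        self.name = name
        self.rows = {}

    def delete(self, subject_id):
        self.rows.pop(subject_id, None)

    def holds(self, subject_id):
        return subject_id in self.rows


def erase_subject(subject_id, live_stores, backup, vault):
    """Delete from every live store, shred the backup key, then verify.
    Returns {store name: 'erased' | 'beyond_use' | 'FAILED'} so the caller
    can see exactly which system still holds something."""
    outcome = {}
    for store in live_stores:
        store.delete(subject_id)
        outcome[store.name] = "FAILED" if store.holds(subject_id) else "erased"
    vault.destroy(subject_id)
    outcome["backup"] = "FAILED" if backup.read(subject_id) is not None else "beyond_use"
    return outcome


def demo():
    """Constructed data: one subject held in a CRM, a mailing list and a backup."""
    vault = KeyVault()
    crm, mailing = TableStore("crm"), TableStore("mailing_list")
    backup = BackupStore(vault)
    sid = "subject-0042"  # constructed identifier
    crm.rows[sid] = {"name": "A. Example", "email": "a@example.com"}
    mailing.rows[sid] = "a@example.com"
    backup.store(sid, b"name=A. Example;email=a@example.com")
    assert backup.read(sid) == b"name=A. Example;email=a@example.com"
    return erase_subject(sid, [crm, mailing], backup, vault)


if __name__ == "__main__":
    print(demo())
```

The point of the per-store outcome dictionary is that an erasure request is only complete when every registered system reports success; a new system that is never registered with the orchestrator is exactly the kind of gap Data Protection by Design is meant to prevent.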
4. Timeline
You don’t have long to comply with requests, so keeping track of time is crucial. The request must be actioned without ‘undue delay,’ and in any case within one calendar month of receiving it.
You may be able to extend this by up to two months if it’s particularly complex. If you need to extend, make sure you tell the individual before the first month is up, giving them clear reasons for the delay – reasons you must be ready to explain to the regulator if necessary.
5. Who else holds their data?
The right to erasure doesn’t just apply to the records your organisation holds. You’re also expected to tell other organisations to whom you’ve disclosed the personal data.
Having a clear understanding of all your suppliers and any other organisations you share personal data with means you can efficiently contact them and inform them of erasure requests.
You don’t have to do this if it would prove impossible or involves disproportionate effort. (But again, you must be able to justify that this is the case.)
6. Public domain data
The Right to Erasure also applies to personal data which has been made public in an online environment (‘The Right to be Forgotten’).
You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.
What’s ‘reasonable’ will depend on available technology and the cost of implementation. This expectation scales with size; the bigger your organisation and the more resources you have, the more you’ll be expected to do.
7. Children’s specific rights
Children have special protection under data protection law, and the right to erasure is particularly relevant when a child (or their parent/guardian) has given consent and at a later stage (even once they’re an adult) they want their personal information removed, especially if it’s available on the internet. Baking in the ability to delete children’s information from the start is crucial.
8. Exemptions
It’s helpful to have a clear checklist of the exemptions that might apply. They don’t all apply in the same way, so be sure to examine each exemption on a case-by-case basis. The ICO exemptions guide is a good starting point.
9. Maintain a log
How do we delete someone, but also prove we have done it? Feels ambiguous, doesn’t it?
You’re allowed to keep a log of erasure requests, actions taken and justifications for these. You need to do this to demonstrate compliance.
However, make sure this is kept securely and only keep the minimum amount of information necessary. I know some organisations who’ve taken the step of making sure this log is pseudonymised for extra protection.
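As an added example (not from the original post), here is an erasure log of the kind tips 4 and 9 describe: each record holds only a keyed hash of the person’s identifier, so the log proves what was done without itself re-identifying anyone unless you hold the secret, and the response deadline is derived from the date of receipt by the calendar-month rule, with the extension enforced to be decided before the first month is up. The secret, the identifiers and the dates are constructed for the example.

```python
"""Added example (not from the original post): a pseudonymised log of
erasure requests with deadline tracking."""
import calendar
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_months(received: date, months: int) -> date:
    """Same calendar date in a later month, or the last day of that month
    when it has no such date (31 Jan -> 28/29 Feb)."""
    month_index = received.month - 1 + months
    year = received.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def pseudonymise(subject_identifier: str, secret: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier. Without the secret, which
    lives outside the log, the reference cannot be mapped back to a person."""
    normalised = subject_identifier.strip().lower().encode()
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()


@dataclass
class ErasureRecord:
    subject_ref: str            # pseudonymous reference, never the identifier
    received: date
    deadline: date              # one calendar month from receipt
    extended_to: Optional[date] = None
    actions: list = field(default_factory=list)  # e.g. "crm: erased"
    outcome: str = "open"       # open / erased / refused
    justification: str = ""     # reason for refusal or for keeping any data


class ErasureLog:
    def __init__(self, secret: bytes):
        self._secret = secret
        self.records = {}

    def open_request(self, subject_identifier: str, received: date) -> ErasureRecord:
        ref = pseudonymise(subject_identifier, self._secret)
        record = ErasureRecord(ref, received, add_months(received, 1))
        self.records[ref] = record
        return record

    def extend(self, record: ErasureRecord, today: date, reason: str) -> None:
        # The extension (up to two further months) must be decided, and the
        # person told, before the first month elapses.
        if today > record.deadline:
            raise ValueError("too late to extend: the first month has already elapsed")
        record.extended_to = add_months(record.received, 3)
        record.actions.append(f"extended: {reason}")

    def record_action(self, record: ErasureRecord, action: str) -> None:
        record.actions.append(action)

    def close(self, record: ErasureRecord, outcome: str, justification: str = "") -> None:
        record.outcome = outcome
        record.justification = justification

    def lookup(self, subject_identifier: str) -> Optional[ErasureRecord]:
        # Re-derive the reference from the identifier; this is the only way
        # back from a person to their record, and it needs the secret.
        return self.records.get(pseudonymise(subject_identifier, self._secret))


def demo() -> ErasureRecord:
    """Constructed walk-through of one request from receipt to closure."""
    log = ErasureLog(b"constructed-secret-kept-outside-the-log")
    record = log.open_request("A.Person@example.com", date(2024, 1, 31))
    log.record_action(record, "identity verified via account login")
    log.record_action(record, "crm: erased")
    log.record_action(record, "mailing_list: erased; suppression entry kept")
    log.close(record, "erased", "backup copies beyond use until next rotation")
    return record


if __name__ == "__main__":
    print(demo())
```

Because the reference is keyed, rotating or losing the secret severs the link between the log and real people; keep that secret under the same controls as any other key, and keep the log itself under the retention period you can justify for demonstrating compliance.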
10. Minimisation and retention
The right to erasure (and indeed other privacy rights, such as DSARs) can be less complex if we try to stick to two of the core data protection principles: data minimisation and data retention (storage limitation).
Collecting less data in the first place, using it in limited ways and only keeping it for as long as we need it means there’s less data to trawl through when we get a request to delete it.
Sounds simple, less easy in practice, but worth the effort.
Data retention guide