Effectively handling the Right to Erasure
What data should you erase? When can you refuse? And, on a technical level, how do you ensure everything is deleted?
Fulfilling people’s privacy rights isn’t easy, and the Right to Erasure raises complex challenges. Add to this the tight timeframe to action requests, or bulk requests from third parties, and it can turn into a bit of a minefield.
Don’t worry too much, though – we’ve got some tips to help navigate around the quicksand. But first, a little refresher on what the Right to Erasure means.
What is the Right to Erasure?
As the name suggests, a person has the right to request their personal data is erased from your systems if you no longer have a compelling reason to keep it.
You may hear it referred to as the ‘Right to be Forgotten’. This stems from a decision in 2014 by the Court of Justice of the EU which recognised the right of EU citizens to request the removal of links to personal information on search engines.
GDPR took this ruling a step further and enshrined a broader right into EU law, taking it beyond the context of publicly available personal information.
It’s not an absolute right, and there are circumstances in which it can be denied.
By the way, post-Brexit and under UK GDPR, the right remains unchanged. (See UK data protection law post-Brexit)
When does the right to erasure apply?
You need to fulfil a person’s request for erasure in the following circumstances:
- Their personal data is no longer necessary for the purposes you originally collected it for
- They gave you their consent and now wish to withdraw this consent
- You’re relying on your legitimate interests to handle their data, they object to this, and you have no overriding legitimate interest to continue to keep it
- They gave you their details for direct marketing purposes and now want you to erase them
- You’re fulfilling a legal ruling or legal obligation to erase the data
- You’re processing a child’s data to provide information services (i.e. online services)
- You’re handling their data unlawfully
The last point, a general ‘catch-all’, is a tricky one to balance, as there may be many reasons why personal data could be processed unlawfully.
For example, the handling of personal data might be considered unlawful if it’s inaccurate, or if necessary information has not been provided in a privacy notice.
When can you refuse an erasure request?
Under both EU & UK GDPR, the right doesn’t apply when you’re handling personal data for the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the establishment or defence of legal claims
- to perform a task carried out in the public interest or when exercising an organisation’s official authority
- for public interest in the area of public health
- for archiving purposes in the public interest, scientific or historical research or statistical purposes (where erasure would make this impossible or seriously impair your objectives)
There may also be grounds for refusing a request where you can justify that it’s manifestly unfounded or excessive.
The UK’s Data Protection Act 2018 provides a full list of exemptions.
If you refuse to comply with a request you must tell the person promptly, explaining why and telling them they’ve the right to raise a complaint with the ICO (or other supervisory authority).
There are many variables at play; each request needs to be assessed on a case-by-case basis. This is where the devil really is in the detail.
10 tips for handling the Right to Erasure
Someone can request their data is erased, either in writing or verbally. They might make this request to anyone in your business or organisation. So, everyone needs to know how to recognise this request, what to do if they receive one, how to log it, who to direct it to and so on.
Awareness campaigns, training, easy-to-understand policies and straightforward procedures all play their part in getting key messages across to all staff.
2. Identity verification
You clearly don’t want to delete someone’s details unless you are absolutely sure they are who they say they are. Sometimes this will be obvious, but in other circumstances you’ll need to ask for verification.
Be careful to only ask for the minimum amount of information necessary to confirm identity. Don’t accumulate more information such as copies of passports or driving licences, unless it’s justified.
If a request is received via another organisation, make sure this third party definitely has the authority to act on behalf of the individual in question. The responsibility lies with the third party to provide any necessary evidence to prove this – bear this in mind if you’re the third party!
3. Technical measures
Your customers might think deleting their data is as simple as clicking a button. If only it were that easy!
It can be difficult to locate, identify, assess and properly delete data – especially if it’s held on different systems, media or other platforms. You might hold records on emails, backed-up systems, on the cloud… all must be deleted.
You need to make sure your systems, applications and databases allow the easy identification and deletion of individuals. You may also need to assess the implications of deletion; it can impact on how different software works.
This is where the concept of Data Protection by Design really supports businesses. If from the outset of any new project or initiative you make sure you factor in managing individual data rights, it will make life much easier in the long run.
It’s worth reiterating – the right to erasure extends to deleting data from backups. The Information Commissioner’s Office recognises this and says, “the key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten.”
You don’t have long to comply with requests, so keeping track of time is crucial. The request must be actioned without ‘undue delay,’ and in any case within one calendar month of receiving it.
You may be able to extend this by up to two months if it’s particularly complex. If you need to extend, make sure you tell the individual before the first month is up, giving them clear reasons for the delay – reasons you must be ready to explain to the regulator if necessary.
5. Who else holds their data?
The right to erasure doesn’t just apply to the records your organisation holds. You’re also expected to tell other organisations to whom you’ve disclosed the personal data.
Having a clear understanding of all your suppliers, and any other organisations you share personal data with, means you can efficiently contact them and inform them of erasure requests.
You don’t have to do this if it would prove impossible or involves disproportionate effort. (But again, you must be able to justify this was the case).
6. Public domain data
The Right to Erasure also applies to personal data that’s been made public in an online environment (‘The Right to be Forgotten’).
You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.
What is reasonable will depend on available technology and the cost of implementation. This expectation scales with size; the bigger your organisation and the more resources you have, the more you’ll be expected to do.
7. Children’s specific rights
Children have special protection under data protection law, and the right to erasure is particularly relevant when a child has given their consent and later wants their personal information removed, especially if it’s available on the internet.
Someone can exercise this right, even if they are no longer a child. Baking in the ability to delete children’s information from the start is crucial.
It’s helpful to have a clear checklist of the exemptions that might apply. They don’t all apply in the same way, so be sure to examine each exemption on a case-by-case basis.
The ICO’s exemptions guide is a good starting point.
If you believe the request is manifestly unfounded or excessive, the duty is on you to make sure you’ve a strong justification for this.
9. Maintain a log
How do we delete someone, but also prove we have? Feels ambiguous, doesn’t it?
You’re allowed to keep a log of erasure requests, actions taken and justifications for these. You need to do this to demonstrate compliance.
Make sure this is kept securely, and only keep the minimum amount of information necessary. I know some organisations who’ve taken the step of making sure this log is pseudonymised for extra protection.
10. Minimisation and retention
The right to erasure (and indeed other privacy rights, such as DSARs) can be less complex if we try to stick to two of the core data protection principles; data minimisation and storage limitation.
Collecting less data in the first place, and only keeping it for as long as we need it, means there’s less data to trawl through when we get a request to delete it.
Sounds simple, less easy in practice, but worth the effort.
Just finally, no matter how belligerent someone’s being, try to remain upfront and honest with them.
Yes, this was a blatant excuse for me to shoehorn an 80s pop gag into the article in the form of an Erasure reference – just show complainers ‘A little Respect’. Oh, and you can’t only be compliant with requests Sometimes!
Philippa Donn, March 2021
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.