The “Right to be Forgotten” (RTBF) may be a much talked about feature of the EU General Data Protection Regulation (GDPR), but it actually existed long before this regulation came into being. Essentially, the RTBF is a set of rights given to the consumer over how their personal data is held by an organization (the “controller”). Consumers can ask controllers for their data to be removed, and the controller will have to oblige.
The consumer’s right to privacy is not a new concept, but the GDPR and other compliance regulations like it have expanded upon what is considered to be personal data. For example, search engines will even have to delete any references to personal data that appear on search results if requested.
The Right to be Forgotten isn’t just an EU concept either. All around the world, regulatory bodies are beginning to implement stricter compliance regulations for consumer privacy. In the USA, the California Consumer Privacy Act will become effective as of January 2020 and will require organizations to have strict processes in place when it comes to erasing personal data when requested.
Various compliance requirements refer to the Right to be Forgotten as the Right to Erasure or the Right to Delete (and I am sure there are other names for it out there). For the purposes of this blog, we are going to group them together under the label, the Right to be Forgotten.
Does the Right to be Forgotten Apply to Me?
If you are a consumer worried about what specific data a company has stored or you want your data removed (and you are in a part of the world where RTBF laws apply) you can submit a Data Subject Access Request (DSAR). However, that doesn’t necessarily mean that the company in question has to give you what you ask for. There are some circumstances where a DSAR may not be applicable and the company in question has the right to retain the data. We will go through those examples shortly.
How to Request the Right to be Forgotten
You will firstly need to directly contact the data controller that is holding the data that you want to view or remove. Some companies will have specific request forms for this. If not, you can use a DSAR template, many of which can be found online. Once the DSAR has been made, the data controller is legally obligated to look into your request.
If you want your request to be successful, make sure there are solid grounds behind your DSAR. Some reasons for wanting data removed could include:
- The data is incorrect.
- The data isn’t in the public domain and the controller in question therefore has no right to access it.
- The data was stolen in a data breach or changed internally (perhaps due to an insider threat).
- A judicial body has ruled that the data needs to be deleted.
The Exceptions to the Right to be Forgotten
There are several exceptions to the RTBF that could mean your DSAR is unsuccessful. The exceptions are mainly related to the freedom of information and public interest. Some of these exceptions include:
- The data is fine to store under the freedom of information act.
- There is a legal precedent for retaining the data (such as an ongoing legal proceeding).
- The data is important for public health.
- The data holds significant interest for the public in terms of scientific or historical research.
How to Answer a Data Subject Access Request
Answering a Data Subject Access Request for the Right to be Forgotten can be tricky for some organizations, because you need a real grasp of where data is located within your systems and what that data is, and you need to be able to act on it quickly.
In short, companies that receive a DSAR will have to scan their IT environment and discover and classify personally identifiable information (PII). This is information that identifies an individual, such as National Insurance numbers, addresses, contact information, names, dates of birth and much more.
Once you have discovered and classified all PII you will need to create a list of all the data that matches the DSAR and act according to the DSAR if there is no exception found. You will also have to keep an audit trail and a record of the DSAR for future auditing.
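One way to implement the discover, classify, match, check-for-exceptions, erase and audit-trail steps above, as an added example that is not part of the original post (the sample records, the simplified PII patterns and the legal-hold exception are constructed assumptions):

```python
import re
from datetime import datetime, timezone

# Constructed sample records standing in for the IT environment to be scanned.
RECORDS = [
    {"id": 1, "text": "Jane Doe, NI no. AB123456C, jane.doe@example.com, DOB 1980-01-02"},
    {"id": 2, "text": "Order #77 shipped to 1 High Street; contact jane.doe@example.com"},
    {"id": 3, "text": "John Smith, john.smith@example.com, DOB 1975-05-06"},
]

# Simplified classifiers (assumed patterns) for PII types mentioned in the post.
PII_PATTERNS = {
    "national_insurance": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date_of_birth": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def classify(text):
    """Discover and tag the PII types present in one record."""
    return {kind: rx.findall(text) for kind, rx in PII_PATTERNS.items() if rx.search(text)}


def process_dsar(records, subject_email, legal_hold_ids=(), audit_log=None):
    """Find every record holding the subject's PII, erase it unless an exception
    (here: a legal hold on the record) applies, and append an audit-trail entry."""
    audit_log = audit_log if audit_log is not None else []
    matched = [r for r in records if subject_email in classify(r["text"]).get("email", [])]
    erased, retained = [], []
    for r in matched:
        (retained if r["id"] in legal_hold_ids else erased).append(r["id"])
    remaining = [r for r in records if r["id"] not in erased]
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "subject": subject_email,
        "pii_types": sorted({k for r in matched for k in classify(r["text"])}),
        "erased": erased,
        "retained": retained,
    })
    return remaining, audit_log


if __name__ == "__main__":
    # Record 2 is under legal hold, so it is retained and the retention is logged.
    left, log = process_dsar(RECORDS, "jane.doe@example.com", legal_hold_ids=(2,))
    print([r["id"] for r in left], log[-1])
```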
LepideAuditor enables you to discover, tag and classify your sensitive data (including PII) so that you will be able to instantly see what sensitive data you have collected about a particular data subject. This will help you to process a DSAR in the right way and avoid potentially nasty non-compliance fines.