A holistic guide to GDPR’s “Right to be Forgotten” for CMOs

    The General Data Protection Regulation (GDPR) has a provision for users called the “right to be forgotten,” also called “the right to erasure.”

    Under this provision, the regulatory body gives individuals the right to request that an organization erase their data. However, the organization is not always required to do so.

    According to a recent study published by Surfshark evaluating “right to be forgotten” requests, Google and Microsoft Bing received more than 1 million such requests from Western European countries from 2015 to 2021. The report also highlights that right to erasure cases increased by almost 30% in 2020. Almost a fourth of all requests submitted were from France.

    The rules enforced by GDPR govern how organizations collect, process, and delete personal data. After the 2014 judgment from the European Union’s Court of Justice, the right of erasure provisions were made in GDPR and received attention.

    In today’s hyper-connected world, the internet can make the right to be forgotten more complicated than simply asking an enterprise to delete one’s data. In this article, let’s explore the best strategies to adhere to GDPR’s right to be forgotten.

    The Right to Be Forgotten

    Article 17 of the GDPR and Recitals 65 and 66 include the right to erasure.

    The right states, “The data subject has the right to erasure of personal data concerning him or her from the controller without undue delay.” The right also highlights that “the data controller has an obligation to delete the personal data without undue delay.” If multiple conditions are applicable, GDPR considers an undue delay of about a month.

    Enterprises need to take the required steps to validate that the user requesting a right-to-be-forgotten claim is the data subject. Article 15 of GDPR details users’ right to access their data and how it can be erased.

    The whole idea of controlling someone’s data becomes pointless if the organization no longer has consent to process it, when there are tremendous mistakes in the data, or if the user feels the business has stored the information unnecessarily. In such cases, users can request that the concerned organization erase their data.

    The application of the right to be forgotten

    Article 17 of the GDPR highlights the specific instances under which the right to erasure applies. All data subjects have the right to have their data erased under the following circumstances.

    • The enterprise no longer needs to store the personal data for the purpose it intended when collecting or processing it.
    • The individual wishes to withdraw the consent that allowed the organization to lawfully gather, store, and process their data.
    • Organizations rely on legitimate interests or reasons to gather and process individuals’ data. If the individual has an objection to the data processing or has no matching interests, the user has the right to request to be forgotten.
    • If the individual has an objection to organizations using their data for direct marketing purposes, they can exercise their right to erasure.
    • An enterprise must erase the user’s data if it has gathered the data unlawfully.
    • Businesses must delete the user’s personally identifiable information (PII) to comply with legal rulings or obligations.
    • An organization that has gathered and processed a minor’s data to provide its information services will have to delete the PII.

    Individuals in these circumstances can exercise their right to erasure. However, the data controller’s right to process someone’s data might override the user’s right to be forgotten. Here are some examples mentioned in GDPR that override the right to erasure:

    • If data controllers gather and process PII to exercise the right of freedom of information and expression, that right can override the individual’s right to be forgotten.
    • The right to erasure is also overridden when the data controller uses the data to comply with a legal ruling or obligation.
    • The individual’s right to erasure will not be valid if the data is utilized to execute a task that serves the public interest, like public health purposes.
    • If the individual’s data is part of scientific research, historical research, or statistical purposes that serve the public interest, the erasure request will not be considered, because erasure would most likely disrupt progress toward the goal of processing the data.
    • The enterprise can ask for a fee or reject the request to delete data if it can justify that the request raised was invalid or excessive.

    There are multiple variables to consider while managing a request to be forgotten, and enterprises have to evaluate each request individually. It is challenging for businesses to track all their data repositories, process data through them, and comply with GDPR’s evolving privacy laws.

    The General Data Protection Regulation plays a crucial role for businesses with a client base in the European Union. Organizations that do not comply with the rules and regulations enforced by GDPR will have to face litigation, hefty fines, and a negative brand image. Enterprises must ensure they have the best strategies implemented to adhere to all the laws and regulations enforced by the regulatory authorities. In the next article, let’s explore the best practices to comply with GDPR’s right to erasure.
