GDPR, the right to be forgotten and dealing with data deletion requests

When you think of GDPR, you may well think about managing the collection and storage of data so that all the data you collect is necessary, appropriate and proportionate and collected in a legal and consensual manner.

That’s all very important, but there’s one last step to remember: data erasure, often known as the “right to be forgotten”. Managing this last step is also a vital part of your GDPR compliance strategy and requires answers to the following three questions.

1. Who has had access to the data?

As we transition from a pre-GDPR world to a post-GDPR world, a pressing issue will be to ensure that you have a full and clear record of anyone (person or department) who has ever had access to data so you can build a full and clear picture of where it has actually been stored (rather than just deleting it from where you know it has been stored).

This is a good opportunity to look for people and departments who have been building up their own little stores of data, for example, on personal or shared spreadsheets and bring it into compliance.

NB: you are responsible for any data you hand over to third parties, hence if you are using third-party processors you need to have the same conversation with them.

2. Where has the data been stored?

Similar comments apply here. You may think you know where all your data has been stored – and hopefully you’re right – but it never hurts to check.

As per the previous comments you also need to check that any third-party processors you use are on top of this process.

3. How are data erasure requests to be effectively processed?

This is perhaps the most important factor to consider. If you get a data-erasure request you need to erase all copies of all relevant data, rather than just the ones you know about, and this is where the answers to questions one and two come in.

Therefore, you need a process to ensure that this is done completely and correctly. The more data stores you have and the more people who have access to them, the more complex this process will be, which is another strong argument for streamlining your data-management system and ensuring that access to sensitive data is restricted to those who really need it (and is managed by those who know what they’re doing).

A point to ponder

If you’re thinking that the right to be forgotten is the bit of GDPR you can basically largely forget since very few people are likely to use it, then think again.

A study commissioned by security firm Clearswift suggests that you are quite likely to receive data deletion requests from your own employees, including those at board level. The study suggests that about three quarters of employees and a similar number of board-level executives would be extremely or very likely to request this service.