
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Do you know what "The Right to Forget" in GDPR terms really means?

Posted: 03 January 2018


Wherever there exists a conversation about the GDPR (General Data Protection Regulation), you can guarantee a handful of infamous topics are covered: the scaremonger-worthy administrative penalties, the notion of consent being the lawfulness to rule all others and the Lord Lucan of rights, the right to be forgotten.

The most curious thing about the right to be forgotten is the poor understanding that most have of it, choosing a literal interpretation of the name whilst ironically forgetting that it is officially known as "the right to erasure". You may have been told that the right to be forgotten means that a data subject can request that all personal data and reference to their existence be removed; a fitting end to the plague that is the abuse of personal data and a blow to any unwanted communication, continent-wide.


There is no absolute "right" to be removed

Not quite, this blog post retorts for three reasons. One, because this blog post would end too early to justify writing; two, the right to erasure and the right to be forgotten semantically have different outcomes; and three, because the right to erasure is not an absolute right. In fact, the right to erasure is one which can very rarely be requested in its own right. In a broad sense, this right only requires data controllers to remove personal data which they have no compelling reason to retain.

To understand this better we can refer to Article 17, which gives us two conditions: conditions for when the right to erasure must be enacted, and scenarios where the data controller is exempt from those conditions.


When to erase data

Data controllers are obliged to erase the following:

  • When data is no longer necessary for the purpose for which it was collected. Put simply, if someone agrees to give you their email address for the purpose of an email-based newsletter, once that newsletter ceases, this personal data must be removed.
  • When a data subject withdraws consent or objects to processing and there are no overriding reasons or other lawful basis for continuing to process their personal data.
  • When personal data has been processed unlawfully.
  • Where a legal obligation exists to enforce the removal of a data subject’s personal data.

As you may have noticed from the above, the right to erasure is more often than not a consequence of having no lawful basis for processing or continuing to process, as opposed to something which is directly requested.


Whose data right is it anyway?

Despite the opinions of many, the GDPR is not intended to be a paddle board used to beat data controllers and processors out of business. In the spirit of sensibleness, there are some cases where the data controller is not compelled to erase, such as:

  • Where processing is an act of freedom of expression.
  • Where processing is required to comply with a legal obligation - I was recently reminded of this clause regarding the retention of background checks when working with vulnerable members of society.
  • Where processing relates to public health interests.
  • Where processing is used for the purpose of archiving in the public interest - think censuses or land registries.
  • Where processing may be necessary for the exercise or defence of legal claims.


What about the data subjects?

For marketers, channel partners and vendors wishing to advertise their wares, the refusal clauses probably do not suit. However, take some comfort in the limited list of conditions where erasure is required. In essence, if you are complying with the rest of the regulation by ensuring lawfulness of processing, the right to erasure may never cross your processing path.

It is not an absolute right and any notion of mass deletion of personal data due to data subjects requesting to be forgotten is pure fabrication. Data subjects may, under ill advice or understanding, still request erasure. However, this may not be the ultimate outcome because the GDPR is not about awarding one party over the other; it is about sensible control and data protection for the modern age.


Posted by: Chris Payne
Senior Technical Consultant, Infinigate UK

 
