GDPR and the Right to be Forgotten – UK Online Privacy
Much has been made of the incoming GDPR legislation, which covers everything from reporting data breaches to obtaining consent for marketing emails. One component of the new regulation that is of particular interest is the new ‘right to erasure’, often previously known as ‘the right to be forgotten’. There is some confusion over what this means in practice, and where the two terms differ. As a result, we’re going to briefly cover what the ‘right to be forgotten’ means historically, and what the specific ‘right to erasure’ means under GDPR.
History of the Right to Be Forgotten
The right to be forgotten is in fact a fairly loose term, and does not have a firm and singular basis in law. It is centred around the idea that modern individuals should be able to go about their lives in future without the potential stigma that might be attached to things that they did in the past. In general, this has come about as a result of the rise of social media, and the prevalence of personal information being widely published online. Proponents of the right to be forgotten will often use the example of someone not wanting to have their adult life affected by something they posted on social media as a child.
There are some criticisms of the right to be forgotten, particularly with regard to freedom of speech. More information around this is readily available on the internet.
In practice, the right to be forgotten is still mostly a concept in many places, though the EU has begun to incorporate the idea into some of its regulations. The biggest example of this is that EU citizens can submit a request to Google that the search engine remove certain results when searching the individual’s name. The web pages in question are not removed - they simply do not appear in search results. The request is put through to Google’s deciding board, which consists of Google executives, lawyers and even government officials.
Rather than a right to be forgotten, the EU is introducing a very similar but slightly more limited ‘right to erasure’ as part of GDPR compliance. In short, this right means that any EU citizen will be able to request that data held about them is erased if they have a good reason to do so. In practice, this reason could be highly varied, but some of the justifications include the following:
- The information processor originally had to gain the individual’s consent for data processing, and the individual chooses to withdraw it
- There is no longer a reason for the data to be processed in relation to the reason originally given for its collection
- The data was collected or processed unlawfully
- The individual does not want the information to be processed, and there is no justifiable reason for continuing to do so
- Another legal obligation requires the data to be erased
There are of course reasons that an information processor might wish to reject a right to erasure request, and they could include the following:
- The information stored is required for a legal claim or defence
- The information is in the public interest
- The information is required to comply with a different legal obligation
- The information has particular historical significance and should be archived
- The information is being used under freedom of expression
This could of course have very wide implications, with the potential for a very significant amount of data to be erased. It is likely that there will be numerous court cases in the years following GDPR implementation between individuals and data processors. These will likely clarify further areas in which data can and cannot be easily erased. In addition, GDPR fines can run into the many thousands for businesses that do not adhere to requests as they should.
In practice, it is most likely that individuals will request erasure of information that pertains to them as a child, or where the information is being used for unwanted marketing purposes.
How to Prepare
There is no way to tell how many individuals are likely to request erasure of their held data when GDPR comes into force, which is why it is imperative that businesses fully understand their obligations and legal standing. You should make yourself aware of all the data you currently hold, the justification for doing so, and how you will deal with any requests that come in. There are things to be aware of that you might not have thought about - such as notifying other businesses of the request if you’ve passed on an individual’s data to them. GDPR training may be essential for this. The Virtual College course ‘An Introduction to GDPR’ gives a free overview of what GDPR means for small businesses, and may be helpful in preparing you for any changes.