When the General Data Protection Regulation (GDPR) comes into force in May 2018, its protections will apply to any individual who is living in the EU at the time. This means that any business that handles personal data relating to citizens or residents of EU member states must comply with GDPR.
One of the important factors covered by GDPR is the right to be forgotten. This right applies to situations where there are no reasonable grounds to continue processing information relating to an individual.
When Might the Right to be Forgotten Apply?
A request for data to be erased carries more weight when holding the information is causing damage or distress, but this does not have to be the case. It is always a good idea for a business to erase data that is no longer required for any legitimate reason. In most cases, businesses should also erase information when an individual asks them to do so. We will look at the exceptions to this later.
If an individual objects to the way that personal data has been processed, this can also necessitate the data being erased, as can the initial unlawful processing of data.
It is important to note that all data needs to be erased completely, including all back-ups of data.
When Does a Business Not Have to Comply with the Right to be Forgotten?
There are occasions when businesses do not have to recognize the right to be forgotten, even when a request is made. This happens when freedom of information is involved, or when the processing of the data is in the public interest. Refusal to comply with requests for data to be deleted can also be legitimate when a legal case is being defended, or when public health is affected.
Businesses can make it easier for themselves to comply with this aspect of GDPR by automatically deleting data that they no longer have a legitimate reason for processing.