Even before the General Data Protection Regulation (GDPR) comes into force, in May 2018, major companies have felt the impact of individuals requesting to be forgotten. This happens when an individual asks for personal data being held to be deleted. This was to be expected due to the amount of personal data that is gathered as a result of online interactions, such as using social media or making a purchase from an online store.
The Google Example
It is only recently that Google has revealed exactly how many requests it has received for search engine results to be deleted. The total figure is an incredible 2.4 million and the tech giant has complied with 43% of them. Ever since a judgement by the European Court of Justice in 2014, citizens of the European Union have had the right to ask search engine providers to remove any search results that included their name.
Given how many requests this has produced, it will be interesting to see what happens when the far more stringent GDPR rules come into force. Under these rules, the right to be forgotten is strengthened. Individuals living within the EU have the right to ask for any personal data being held and processed to be deleted. Businesses and organisations will need to comply with these requests, unless there is a legally valid and compelling reason to continue processing the data.
Preparing for the Right to be Forgotten
This could be an onerous task for businesses and organisations, given that the right applies to all data, including that being processed by a third party. This is why it is essential that preparations are made for the right to be forgotten, as part of the overall preparations for the implementation of GDPR rules. It is impossible for a business or organisation to easily delete information if they do not know where the information is being held, and who is responsible for processing and managing it. It is essential that businesses and organisations document this information, so that they can deal with requests to be forgotten and comply with GDPR regulations.
As with failure to comply with the GDPR as a whole, non-compliance with the right to be forgotten could have serious consequences for businesses and organisations. The relevant Data Protection Authority (DPA) has the right to impose fines of up to 20 million euros or 4% of annual turnover, whichever is higher, in cases where there has been a failure to comply. This is not something that any business or organisation can afford to happen.
Aside from the financial implications, businesses could also experience damage to their reputation, if they are found to be non-compliant. This type of reputational damage can be very difficult to overcome. This is why it is so important for businesses to audit all of the data they hold, ensure that they have a valid and legal reason for processing it and that they are easily able to delete it, if requested to.