Right to be Forgotten: Legal and Technological Implications in its Practical Application

The Right to be Forgotten is a new concept introduced by the European Parliament and Council of the European Union in the General Data Protection Regulation (hereinafter “GDPR”), implemented on 25th May 2018. No longer is there a requirement for a court to be satisfied by the request of a data subject that their personal data being held by an organization is inaccurate before the court may order the data controller to rectify, block, erase or destroy that data or even an expression of opinion which appears to the courts to be based on the inaccurate data, as may be found in the United Kingdom’s Data Privacy Act¹.

Now, Article 17 of the GDPR’s right to erasure enshrines the concept of the “right to be forgotten” as an individual right or Subject Access Right (hereinafter “SAR”).

The data subject may request the data controller to erase their personal data without unjustifiable delay. In addition, where the controller has made that data public and is obliged to erase the data, it must (taking account of available technology and implementation costs) take reasonable steps to inform controllers processing the data of the request for erasure of their links/copies of the data. This right applies where:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

  • the data subject withdraws consent on which the processing is based and there is no other legal ground for its processing;

  • the data subject has exercised their right to object to the processing for direct marketing or there are overriding legitimate grounds for the processing;

  • the personal data has been unlawfully processed;

  • the data must be erased for compliance with a legal obligation in an EU/Member State law to which the controller is subject;

  • the data was collected in relation to the offering of information society services to a child.²

This author proposes that rights sometimes come with risks and in this case, specifically, the risk of inundation. The nefarious “Joe Bloggs” of this world suddenly raising right to be forgotten requests may prove to be costly to even the largest business. There is almost no defense against this save for the fact that the organisation is not in possession of that individual’s data, meaning that the organisation must entertain each individual request prima facie, leading to significant time and cost expenditure. In addition, the higher-tier fine prescribed by the GDPR is applicable in relation to a breach of Article 17, i.e. a fine of €20 million (about £18 million) or 4% of annual global turnover. The risk of non-compliance or even partial compliance may prove to be quite costly. Therefore, the implications of this principle are not to be dismissed as trivial but should be strongly considered by organisations who process the personal data of EU citizens.

“Well, if the data subject wants their data deleted, just delete it” is an insufficient stance for organisations to take in relation to the legal and technological implications. An in-depth policy, systems, procedures and process review to verify the alignment of the organization with Article 17 is essential. The result of implementing the right to be forgotten request on behalf of a data subject must be the same each time in order to align with the GDPR principle of Lawfulness, Fairness and Transparency. In the author’s experience, this requires a major investment in time, manpower and financing at the outset to ensure consistent results in operation. Let us dive into each of these aspects of policy, systems, procedures and processes review to determine what is involved.

Policy: Organisations will need to examine their Privacy Policy or Privacy Notice to ensure compliance with Article 17. This requires working with the Business Application Owner (hereinafter “BAO”) to review the Privacy Notice that is presented to the customer and for the Data Privacy Officer (hereinafter “DPO”) to ensure that the specific applications that process personal data are considered in their drafting of the Privacy Policy. This applies whether or not the application is externally-facing. The correct language must be used in the writing of the stipulation relating to individual rights or SAR. The clause or paragraph pertaining to the right to be forgotten must be clear in terms of what those rights are, who the data subject must contact within the organisation when they elect to exercise their rights, that their request should be as clear and explicit as possible and how the organisation’s focal point may be contacted verbally or in writing (e.g. email, post, telephone number or even social media). The clause must also advise the timelines within which such a request may be responded to and addressed by the organisation, which should align with the GDPR provision. The GDPR requires an organisation to respond within one month (30 days) to a SAR request. However, this timeline may be extended to address more complex requests. Depending on the size of the organisation, the Privacy Notice may be drafted to be all-encompassing of applications used therein or it may be created on a per-application basis. This author has found that for the sake of efficiency, there should be at least one Privacy Notice upon which all personal data processing technology used within an organisation may rely, with supplementary notices appended on the external-facing platform of each application if there is a unique or specific need for it. This is where the BAO and the DPO work closely together to consider the audience of the Privacy Notice, i.e. the customer, the type of personal data collected and processed by the application as well as the application itself vis-à-vis their need to process personal data.

System: This is in regard to the particular technology that is used to process personal data. An investigation needs to be made into the system(s) of data collection, analysis/manipulation, transference/sharing, publication, storage, and deletion. It is not uncommon to find that these systems are operated by disparate applications. The role of the BAO and an Operating Landscape Manager (hereinafter “OLM”) is invaluable here. The DPO must query them at every stage of the system usage of personal data to ensure that if the right to be forgotten were to be implemented on behalf of a data subject, it would lead to a total erasure of the data. At this stage the BAO, OLM and DPO ought to consider any 3rd-party data transfers. Data processors who have signed up to implement the instruction of the data controller via a Data Processing Agreement (DPA) will need to comply with the right to be forgotten request. Recall what was posited above regarding the requirement to inform other data controllers of the right to be forgotten request. Therefore, organisations must be completely aware of the extent and reach of their personal data processing systems. This is where cost and resource impact need to be reined in to align with such requests, especially if the organisation considers itself vulnerable to the aforementioned risk of inundation. It cannot be ignored that some applications are vast and broad in their interfaces, staging platforms and storage, such as HR applications utilized by multi-nationals. However, keeping system reach and operating landscape as clean and concise as possible has proven to be invaluable in mitigating this risk in the author’s experience.

Procedures and processes: This includes the established way that the right to be forgotten is operationalised within an organisation, and the various controls, risk mitigations and documentation in place to evidence that, from the data subject raising a request to the implementation of same, the business has complete oversight and control over every step and interrelated task leading to the desired output of the complete deletion of the data subject’s data. Tying this back to the timelines communicated in the Privacy Policy (see above), the organisation should also factor response times and response confirmation actions into this aspect. The DPO should work with the BAO/Business Analyst, OLM and other business functions through whom a SAR request may be raised (hereinafter “requesting body”) such as Legal, Human Resources (hereinafter “HR”) or Privacy Office to review all steps and tasks of an application, determining those that relate to complete data erasure and documenting these as the procedure and process for implementing the data subject’s request. The DPO ought to consider multiple audiences in the creation of these documents so that as roles change, a successor may understand the process and that other functions within the business are clear on what their accountabilities are. This requires some investment of time from these roles and requesting bodies as well as a thorough understanding of the technologies involved. This will lead to unambiguity in the output, ensuring that the organisation complies with the GDPR’s principle of Lawfulness, Fairness and Transparency.

While it is strongly postulated that where an organisation determines that parts of or the entirety of a data subject’s personal data is no longer required to perform a business task, it should dispose of said data in a controlled manner in compliance with the GDPR’s principles of Data Minimisation and Fairness, there is a challenge that the data controller may levy against the right to be forgotten. The controller is not obligated to erase the data or inform other controllers of the right to be forgotten request to the extent that processing is necessary for freedom of expression/information; compliance with applicable EU/Member State law; public interest/official tasks, public interest in public health; archiving purposes in the public interest or statistical purposes insofar as the right to erasure is “likely to render impossible or seriously impair the achievement of the objectives of that processing”; or legal claims.³ This may also prove to be a relief from the risk of inundation but also reinforces the importance for organisations to consider treaties such as this in achieving awareness and clarity about their personal data processing activities and compliance with the GDPR.

1 Section 14 UK DPA

2 Pinsent Masons “Guide to the EU General Data Protection Regulation, post Brexit” pg. 24.

3 Pinsent Masons op. cit.

