The General Data Protection Regulation (GDPR) becomes applicable on May 25 2018, meaning that from that date it applies to any person who resides within the EU at this time. From this date all business that record or store personal data relating to these people must adhere with GDPR.
GDPR places particular emphasis on the right to be forgotten. This right applies to occasions where there is no acceptable justification for continuing processing information relating to a particular person.
Applying the Right to be Forgotten
Requests for information to be deleted when harm is being experienced due to the holding of the date in question are easy to justify, but these are not the only cases that will result in date being deleted. Business should form a habit of erasing data that is no longer required for any legitimate business reason. In most instances, businesses should also delete information when a person asks them to.
If a person objects to the way that personal data regarding them has been processed, this is another valid reason for the data being deleted, along with the initial unlawful processing of data. It is vital to remember that all data needs to be completely deleted, including all back-up copies of data.
Is Compliance with the Right to be Forgotten Obligatory?
There are instances when organizations and companies are not obliged to recognize the right to be forgotten, even when a request is submitted. This is the case when freedom of information is involved, or when the processing of the information is in the public interest. Refusal to adhere with requests for data to be removed can also be legitimate when a legal case is being argued, or when public health is impacted.
Companies can make it easier to comply with this requirement of GDPR by automatically removing data that they no longer have a valid reason for processing.