Countdown to GDPR: The Right to Be Forgotten

The EU General Data Protection Regulation (GDPR) deadline is looming, and no one’s entirely sure about its implications and compliance requirements. What we do know is that with GDPR the onus of compliance lies with both the data controller (primary data holders/managers/subscribers) and the Data processors (secondary data holders, SaaS/vendor apps).

Or as Google put it, we all have “shared responsibility” of compliance to the directives. With just about six months left for GDPR to take effect, looking the other way can lead to an expensive last-minute compliance scramble.

Let’s maximize our time tackling GDPR head-on by understanding its key provisions and ways we can be compliant with them. In the first part of this blog series, we’ll explain a major GDPR Rule—The Right to Erasure (be Forgotten). Many consider this directive to be the catalyst for GDPR; the one that started it all; it’s also the directive that, if complied with, drives compliance with other articles in the regulation.

Let’s get to the bottom of this nuanced but important rule. If you’d prefer to listen to a discussion about it, check out The Hot Aisle #73 podcast here where I talk about these issues and more.

GDPR Right to be Forgotten

The Rule Explained

The Right to Erasure (Forgotten) is a EU provision where data subjects (individuals) have the right to obtain erasure of personal data without delay when certain grounds apply.

Article 17 of the GDPR, The Right To Erasure, states that Data Subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:

  • The controller doesn’t need the data anymore
  • The subject withdraws consent for the processing with which they previously agreed to (and the controller doesn’t need to legally keep it)
  • The subject uses their right to object (Article 21) to the data processing
  • The controller and/or its processor is processing the data unlawfully
  • There is a legal requirement for the data to be erased
  • The data subject was a child at the time of collection

And significantly for  SaaS providers:

  • If a controller makes the data public, then they are obligated to take reasonable steps to get other processors to erase the data.

How do I Achieve Compliance?

With a lack of case law around this rule, there can be myriad interpretations and there is no compliance checklist. But that’s no excuse. As the last part of the Provision states, apart from the data controller, all other third-party processors of the data will also have to  work with the data controller to delete/erase the personal data when asked to by the controller. Complying with this requirement is likely to be one of the most challenging, as it could require a controller/processor to significantly change or redesign their solution or implement changes in the processes/procedures for interacting with a data subject.  Steps to get started must be the following:

  1. Perform detailed data-mapping. Evaluate your data collection, controlling/processing and storage workflows and policies.
  2. Work with your partners/customers and all those that are a part of the data subject information chain to determine what policies, procedures and legal requirements should be implemented to remain compliant.
  3. Retain legal counsel (preferably EU legal counsel) and make sure all ideas/solutions are passed through them as they will be a great resource for how a compliance solution/conflict could be see by an EU Data Processing Authority.

For more on GDPR and the Right to Erasure (be Forgotten) listen to my discussion with Brent Piatti (@BrentPiatti) and Brian Carpenter (@intheDC) here.

In our next blog, I’ll talk about Designing for Data Protection. Stay tuned.

GDPR Advice for SaaS Companies