The General Data Protection Regulation's (GDPR) Right to Be Forgotten gives stronger privacy protection to citizens, but it means businesses must act now if they are to avoid major fines.
The French call it “le droit à l’oubli” – the right of oblivion – a principle that has its origins in French law and which gives citizens the Right to Be Forgotten (RTBF) in the digital world. It is also a concept for which, under the new GDPR, supervising authorities will be able to issue fines for non-compliance once the regulation comes into force in May 2018.
Made more prominent by the landmark, pre-legislation Google-Spain case in 2014, in which a local man successfully argued for search results about his social security debts to be removed, the RTBF builds on the principle that organisations can only use personally identifiable information (PII) for which they have the user’s explicit consent. Indeed, under the RTBF requirement in GDPR, citizens can argue for this data to be deleted where it is inaccurate, inadequate, irrelevant or excessive for the processing.
GDPR expands this right to erasure. It allows individuals to require the deletion of information they have previously given to a third-party about themselves so long as it no longer needs to be processed and there are no legitimate grounds for its retention, such as compliance with a legal obligation, or public interest for public health and legal claims.
The maximum penalty for violations of this right is €20 million or 4% of total worldwide annual turnover for a corporate group, which means businesses urgently need to identify the nature, volume and location of the PII data they hold and put the right tools and processes in place to ensure that it is treated in a GDPR-compliant manner.
Enforcing stronger privacy rights
Despite the reports in the media, the Right To Be Forgotten is not an entirely new idea. The principles underpinning it were introduced in the European Commission’s 1995 Data Protection Directive, which states that a person can ask for personal data to be deleted if the processing does not comply with the Directive.
And as noted above, the GDPR strengthens this privacy requirement through RTBF and “the right to erasure” (RTE). This means data controllers who receive an RTE request from an individual must delete copies of the information in question, as well as all links to it, from every piece of IT equipment – including servers and backups, cloud systems and portable devices.
Where the controller has made the information public, they also must take “reasonable steps” to tell other controllers that are processing the data about the person’s objection so they too can delete links to and copies of the data.
And if there is a dispute about the RTE, the data controller will have to take steps to restrict the processing of the person’s data pending resolution.
A comprehensive approach to the Right To Be Forgotten
So, how can businesses prepare for RTBF and RTE? Judith Vieberink, an attorney at First Lawyers, advises organisations to take a comprehensive approach.
“First, make an inventory of the different kinds of personal data you process, company-wide and across your global systems,” she says.
“Next, find out what kinds of applications you use to process PII data and where they’re hosted: in Europe or abroad,” she says, as this will tell you which systems come under GDPR regulations.
Thirdly, determine the citizenship of the people whose information you hold, says Vieberink. “European citizens’ PII is protected worldwide, and data controllers and processors located in and outside the EU will be subject to the GDPR.”
Finally, you as a data controller need to determine which third-party processors you work with, so you can make sure PII data can be removed completely.
Vieberink says the best way to manage your data, and prove deletion, is to map its flow through the company; apply policies to it; and monitor it continuously to keep you accountable and auditable.
“There are several ways to do this. For example, Micro Focus has developed technology to find and manage data, including both structured and unstructured data,” she comments.