What is the right to be forgotten, how is it enforced under GDPR and what do businesses need to do?

forget memory mind solidcolours
Image: iStock/Trifonenko

AS GDPR and the Data Protection Bill enshrine the right to be forgotten, what do businesses and data controllers need to know?

Share

Citizens will soon be given more control over their personal information when the EU's General Data Protection Regulation (GDPR) and the UK's new Data Protection Bill enshrine the right to be forgotten into law. These rules come with serious challenges for businesses that hold and process personal data though.

The right to be forgotten is also known as the right to erasure. It gives individuals the power to request the removal of their personal data when there is no compelling justification for its continued processing by a company.

The concept weights privacy against freedom of expression, a tricky balance to strike. The GDPR and Data Protection Bill will codify the concept. But interpreting their rules is complicated, and failing to apply them could have dire consequences.

How GDPR includes the right to be forgotten

The EU's incoming GDPR regulations will give any individual the right to request the erasure of their personal data from anywhere in the union when there is no compelling reason for its processing.

Article 17 of the regulation outlines the different circumstances under which an individual can exercise the right to erase their personal data.

It should be granted if the data is no longer necessary to serve the purposes for which it was originally processed; if the subject withdraws consent or has a rightful objection to the processing and there are no overriding legitimate grounds for it to continue; if it has been unlawfully processed; if it needs to be erased for compliance with a legal obligation; or if it was collected in relation to the offer of certain information society services.

Read next: GDPR explained: How to prepare for the approaching General Data Protection Regulation (GDPR)

It also includes additional requirements for the personal data of children. They will have the right to erase data that they previously consented to provide, as they may not have fully understood the risks at the time they gave consent. This is particularly relevant to information posted on social networks and internet forums.

However, these rules don't apply if the processing is necessary for exercising the right to freedom of expression and information, for use in legal claims, for complying with legal obligations, is in the public interest, or for some archiving that is part of scientific or historical research or statistical purposes.

In terms of obligations on the controller of this data, if they have made personal data public and been obliged to erase it, they must take 'reasonable steps' to inform anyone else processing the data that the erasure has been requested. 

If businesses fail to meet their obligations, they face a maximum fine of €20 million or up to four per cent of worldwide revenue, whichever one is higher.

The right to be forgotten in the UK

The British government will also enshrine the GDPR regulations into domestic law when the UK leaves the European Union.

In August the government announced that it will introduce a new Data Protection Bill, with specific reference made to the right to be forgotten. It promised to give the public the power to ask social media companies to delete information that they posted in their childhood, a measure dubbed the "right to innocence".

Read next: UK to overhaul data protection laws in line with GDPR

The plan was first proposed in the Queen's Speech in June 2017 and will soon move through the UK Parliament.

The current Data Protection Act limits the right to erasure to processing data that causes unwarranted and substantial damage or distress.

What are the challenges?   

The right to be forgotten is complicated to apply. Google might have the resources to process each request, but smaller organisations are likely to struggle.

In a recent survey of 500 IT decision makers of organisations with more than 1,000 employees commissioned by data company Varonis, 71 percent of UK respondents said that the right to be forgotten aspect was the most challenging aspect of the GDPR.

Read next: How to prepare for consent under the General Data Protection Regulation (GDPR)

It can be difficult to locate personally identifiable information and then separate it from anonymous information due to growing data fragmentation. The proliferation of unstructured data such as emails and documents is particularly challenging. It spreads far beyond centralised repositories and is poorly managed, and curated.

"Unstructured data is really hard to track down," says Andrew Rogoyski, vice president of cyber security services at CGI UK and chair of Tech UK’s cyber security group

"It' sitting on thousands of machines. It’s potentially sitting on cloud services without people knowing. You've got this effect of shadow IT of people inadvertently putting sensitive data into places where one it can't be found, and two, an organisation doesn't necessarily have access. Actually managing that data becomes really quite problematic."

Personal information can thus be difficult to discover if it's tied together with unstructured data.

It could be distributed across dozens of applications, hosted on different hardware in a variety of countries, and used for reasons that are different to the original purpose of data collection by people who have copies of the records.

Many applications may depend on keeping the information available, so erasing it could end up disrupting or corrupting their records.

Erasing personal data could be particularly problematic for public sector organisations. Their data is often trapped in many siloes and duplicated across different systems.

To assess public sector preparations for the GDPR, informative management company M-Files Corporation sent Freedom of Information requests to all 32 London boroughs and 44 other local authorities in the UK asking about their readiness. Almost seven in 10 (69 percent) of them said that they aren’t yet able to effectively erase personally identifiable information from their systems.

Blockchain raises another barrier to compliance. The technology is based on creating immutable information. Making any changes to that data would defy this principle.

"There are various bits of legislation in the UK that say if you change your gender you have the right to retroactively apply that all the way back through history," says James Smith, head of labs programme at the Open Data Institute (ODI).

"If your gender is stored inside a public blockchain of driving licenses or land registry, how do you do that?"

Realistic expectations

Organisations with these issues may not all need to panic. They are not expected to fulfil requests that are beyond their limitations.

"There is a balance in the regulation that says that there is a reasonableness test," explains Rogoyski from CGI UK. "If there are very good reasons why you can't delete all of that data then that will be a mitigating factor."

Organisations first need to understand what data they have, where it is and how it flows, particularly if it moves outside of EU boundaries for purposes such as offshoring data processing.

They then need to put appropriate measures in place to make that information secure and accessible.

Automated data discovery products and intelligent information management systems can help if manual methods are too slow to find and cleanse the data.

The right to be forgotten will help the public take back control of their information, but those who process that data may struggle to support them, whether they respect their right or not.

Find your next job with computerworld UK jobs