GDPR: What you need to know about the EU’s ‘Right to Erasure’ of personal information
According to a recent survey by Sage, 91 per cent of businesses in Canada are either not very familiar with the GDPR or haven’t heard of it at all. A further 83 per cent of businesses are not aware of how the GDPR will impact their business, and in terms of being compliant by the May 25th deadline, 62 per cent are not confident that their businesses will be ready. These numbers are a bit alarming, especially considering the penalties for organizations that don’t adhere to the new rules. Companies that fail to meet the requirements could face fines as high as €20 million (approximately $24 million) or 4 per cent of a company’s annual global turnover (whichever amount ends up being higher). Indeed, companies with EU business dealings that do not comply with the GDPR will likely experience a hit to their bottom line, which would be especially detrimental for SMBs.
Regardless of how far along companies are with their GDPR preparation, they will be required to provide the outlined rights of individual employees or applicants by the May deadline, including the right to request erasure of data. So, what exactly does that mean for Canadian businesses with EU ambitions?
The Right to Erasure, Explained
According to Article 17 of the GDPR, companies must “erase personal data without undue delay” if an individual exercises their right to erasure. However, the ‘right to erasure’, or the ‘right to be forgotten’ as it is sometimes called, does not mean that a person has an absolute right to be forgotten. In fact, the right to erasure only applies if:
- the personal data are no longer necessary in relation to the purposes for which they were originally collected or otherwise processed;
- the data subject withdraws their consent to process the personal data and there is no other legal ground for continuing the processing;
- the data subject objects to the processing based on the company’s legitimate interests and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for the purposes of direct marketing;
- the personal data has been unlawfully processed; or
- the personal data need to be erased for compliance with a legal obligation to which the company is subject.
While the GDPR is known for championing the rights of the individual, there are a few exceptions around the right to erasure that give businesses a bit of wiggle room. It’s important for enterprises to note that companies do not have to comply with an individual’s right to be forgotten if:
- the company is under a legal obligation to continue processing the personal data;
- the company is exercising its right to freedom of expression and information;
- the company needs the individual’s information to carry out a task that is in the public interest;
- the data is required in the interest of public health;
- the company is archiving the individual’s personal information for public interest, for scientific/historical research, or for statistical purposes;
- the personal data is needed for the establishment, exercise or defence of legal claims.
How to Make Sure Your Company Remembers to Address the Right to Erasure
Between the right to erasure and all the other requirements outlined in the GDPR, making sure a company is fully compliant is an intimidating task. It’s a time-sensitive responsibility that falls on the data-minded employees throughout an organization. So, if you are one of the 91 per cent of businesses in Canada that are either not very familiar with the GDPR or haven’t heard of it at all, it’s important to have an action plan, and to know where to begin.
A great starting point for ensuring compliance is a thorough, company-wide data audit. It’s worth conducting that audit from both legal and technological standpoints to cover all bases before the new GDPR guidelines take effect. Companies need to establish what data they hold, why they hold it and what they use it for. It is crucial for enterprises to review their personal data collection methods and data processing systems to make sure they’re in line with the GDPR’s requirements, at least for data about anyone in the EU. Companies need to think about how they will dispose of outdated and irrelevant data, and how they will safeguard the critical information they do need. Businesses need to evaluate how their enterprise as a whole would handle a request for erasure: for example, if a former employee asks what personal information the company still holds about them and requests that the company delete that information.
In addition to drawing up a clear roadmap for how to respond to requests for erasure, make sure you educate all employees about the right to erasure and your plan for addressing these requests. At Sage, we’ve introduced a comprehensive GDPR training program to teach our employees the basics of data protection law and instill in them the nature and importance of protecting personal data. I believe that the main goal of every company operating in the EU should be to swiftly—and thoroughly—educate employees about how to recognize and respond to requests, as well as how to carry out the erasure of personal data. The reason is twofold: every company needs information to work, and the GDPR’s requirements will reinforce that the integrity of personal data is paramount.
These are my personal thoughts and are not legal advice. As with all legal matters, you should take appropriate legal and professional advice before making any decisions that relate to legal matters.
By Adam Prince, VP of Compliance, Product Management at Sage.