Forget-me-not? The right to be forgotten

What is the right to be forgotten?

Under the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, individuals have the right to request that they be forgotten (also known as ‘erasure’) under certain circumstances. These include:

  • Personal data that is no longer necessary for the purpose for which it was originally collected or processed
  • Personal data collected unlawfully
  • Where the individual has withdrawn consent for their personal data to be used
  • A legal obligation that requires the personal data to be erased
  • Where the individual objects to direct marketing

However, this is not an absolute right, and an individual’s right to be forgotten may not apply if there is a competing requirement for the data to be retained, such as if it is in the public interest to retain such personal data or if the personal data must be stored for a legal claim or defence.

What must I do if I receive a request?

If an individual requests that you remove their personal data from your records, and you consider that none of the exceptions applies, you must find and delete all instances of that individual’s personal data without undue delay and within one month of receipt. You must also tell organisations to whom you have disclosed the data. Questions to consider:

  • Are your staff able to recognise a request and deal with it effectively?
  • Where do you log your requests?
  • Where is the individual’s personal data stored? For example:
    • Is it on CRM databases or file servers?
    • Is it hosted in another country?
    • Is the individual’s personal data held by other organisations with which you share personal data?
    • Has the individual’s personal data been made public in an online environment, for example, on social networks, forums or websites?

Forget it or be fined
In the event of non-compliance, your organisation may be liable to an administrative fine of up to an amount corresponding to 4% of the total annual global turnover for the previous year.

So, how do I prepare for the first request?

  1. Put in place mechanisms to ensure that personal data is not held longer than necessary in the context of your data retention policy.
  2. Provide individuals with clear information about their right to be forgotten. For example, you might explain in your privacy policy how to make a request.
  3. Put in place a procedure to control the disclosure of personal data you may share with other organisations, and to ensure effective deletion of links to or copies of the personal data in question with those organisations.
  4. Explain to employees (HR department, marketing etc.) the rules and procedures to be followed when an individual exercises their right to be forgotten.

If you require any guidance in relation to GDPR, our commercial team would love to help you. Please contact them on 0113 849 4000.

About the Author

Luisa D'Alessandro

Partner

As head of the commercial team Luisa has a wealth of commercial law experience and advises clients…
