The “right to be forgotten”, referred to in law as the right to erasure, is a data subject right provided by the General Data Protection Regulation (UK GDPR). This right empowers individuals (data subjects) to request the removal of their personal data from the records of organisations that process their information.
Under Article 17 of the UK GDPR:
Data subjects can request the erasure of their personal data at any time, verbally or in writing, but a controller only has to fulfil the request in certain circumstances, including:
Controllers have one month to respond to requests.
A qualified right
However, even if the right appears to apply, it is not absolute, and organisations may refuse erasure requests in certain situations, such as where the processing is required:
- To comply with a legal obligation
- To exercise freedom of expression and information
- For the performance of a public interest task or in the exercise of official authority
- For public interest archiving or research purposes, where erasure is likely to seriously impair that processing
How to comply
Erasure must be effected across all of the controller’s systems - live and archived or backup. Individuals must be informed if there will be a delay in making erasures from backup systems. In any event, data in backup systems must be put beyond use until it is erased.
If a controller has disclosed data to another controller, it must, taking account of available technology and the cost of implementation, take reasonable steps to inform recipient controllers of the erasure request. ICO guidance states this is not required if it is impossible or involves disproportionate effort.
For more information or advice on data protection compliance, please contact Beverley Flynn or any member of the commercial and technology team.