Now that the General Data Protection Regulation has come into force, organizations need to be able to process requests to erase the personal data of individuals. Establishing this capability requires changes to a variety of policies and procedures across the organization. For one, the systems, applications and databases need to be calibrated to allow the easy identification and deletion of data related to the requesting individual. Then, policies and procedures need to be in place for the data protection officer (DPO) and other stakeholders to follow the full lifecycle of a data erasure request. The different departments will need to identify and anticipate their roles in the process. Finally, the DPO should maintain oversight of the effectiveness of every step on the way to deletion and communicate with the data subject in a timely manner.
Preparing the technical supporting systems
The systems, applications and databases that process personal data should enable the organization to easily locate and delete that data. Internal auditors can verify the options and effectiveness of current IT systems. This exercise will typically present the organization with the following outcome: some systems need to be reconfigured, others require an upgrade to more advanced systems. Legacy systems that do not support the location and deletion of data should be replaced by new solutions.
With regard to the deletion of personal data under the control of the organization, the GDPR does not allow organizations to invoke their “impossibility” to delete data. Hence, controls that prevent the further processing of data, combined with pseudonymisation techniques, will not be sufficient to accommodate the individual’s request for erasure, because pseudonymised data can still be linked back to the individual by whoever holds the key or lookup table. A better option that will withstand scrutiny under the regulation is to make use of anonymization techniques: since anonymized data cannot be linked back to the individual, it is not considered “personal data” under the GDPR. Consequently, the erasure request does not apply to anonymized data.
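The following is an added illustration, not code from the original article, of the distinction the two preceding sections draw: a pseudonymised store (keyed tokens plus a lookup table) remains re-identifiable and therefore still has to support locating and erasing a requester's records, whereas an anonymised extract that has dropped direct identifiers and generalised the remaining quasi-identifiers no longer contains anything an erasure request can be matched against. The record layout, the field names, the key and the choice of k = 2 are assumptions made for the example; the sample people are fictional. Generalising to k-anonymity is only one part of a real anonymisation assessment, which also has to consider other re-identification risks such as inference from the remaining attributes.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional individuals), not data from any real system.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "1012AB", "birth_year": 1984, "purchase": 42.0},
    {"name": "Bob Example",   "email": "bob@example.org",   "postcode": "1012CD", "birth_year": 1987, "purchase": 13.5},
    {"name": "Carol Example", "email": "carol@example.org", "postcode": "1013EF", "birth_year": 1990, "purchase": 99.9},
    {"name": "Dan Example",   "email": "dan@example.org",   "postcode": "1013GH", "birth_year": 1992, "purchase": 7.25},
]

# Hypothetical controller-held key; in production it would live in a KMS or HSM.
PSEUDONYM_KEY = b"controller-secret-key"


def subject_token(email, key=PSEUDONYM_KEY):
    """Keyed token for a direct identifier (HMAC-SHA256, truncated for readability)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key=PSEUDONYM_KEY):
    """Replace the direct identifiers by a keyed token and keep a lookup table.
    Returns (pseudonymised_records, lookup). The lookup table (or the key) re-links
    tokens to people, which is why the result is still personal data under the GDPR."""
    out, lookup = [], {}
    for r in records:
        token = subject_token(r["email"], key)
        lookup[token] = r["email"]
        out.append({"subject_id": token, "postcode": r["postcode"],
                    "birth_year": r["birth_year"], "purchase": r["purchase"]})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Demonstrate reversibility: every pseudonymised row maps back to an e-mail address."""
    return [lookup[r["subject_id"]] for r in pseudo_records]


def erase_pseudonymised(pseudo_records, lookup, email, key=PSEUDONYM_KEY):
    """Honour an erasure request against the pseudonymised store: recompute the
    requester's token, drop every matching row and remove the lookup entry.
    Returns the remaining records; the lookup table is updated in place."""
    token = subject_token(email, key)
    lookup.pop(token, None)
    return [r for r in pseudo_records if r["subject_id"] != token]


def anonymise(records):
    """Drop the direct identifiers (name, e-mail) entirely and generalise the
    quasi-identifiers: postcode to a four-character area, birth year to a decade."""
    return [{"area": r["postcode"][:4],
             "birth_decade": r["birth_year"] // 10 * 10,
             "purchase": r["purchase"]} for r in records]


def is_k_anonymous(records, quasi_identifiers, k):
    """True when every combination of quasi-identifier values occurs at least k times,
    so no single record can be singled out on those attributes alone."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return all(c >= k for c in counts.values())


if __name__ == "__main__":
    pseudo, lookup = pseudonymise(RECORDS)
    print("re-identified:", reidentify(pseudo, lookup))
    remaining = erase_pseudonymised(pseudo, lookup, "alice@example.org")
    print("rows after erasure:", len(remaining), "lookup entries:", len(lookup))
    anon = anonymise(RECORDS)
    print("raw records 2-anonymous?", is_k_anonymous(RECORDS, ("postcode", "birth_year"), 2))
    print("anonymised extract 2-anonymous?", is_k_anonymous(anon, ("area", "birth_decade"), 2))
```

Running it shows the contrast the article relies on: the pseudonymised rows are fully re-identified through the lookup table, so an erasure request must be matched against the recomputed token and honoured; the anonymised extract carries no identifier to match against, and the k-anonymity check confirms that no individual is singled out by the generalised attributes.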
Create oversight through data governance
Through a comprehensive data governance structure, organizations are able to reply to the request of the individual, taking into account specific obligations, without undue delay and within one month of receipt, as required by the GDPR. The data governance exercise should focus on the mapping of data flows across systems, departments and third parties. Additionally, data quality needs to be ensured: consider duplicates and triplicates that can be found in back-ups and hard copies, as these are all in scope of a request for erasure. Categorize information that might trigger extra obligations, such as personal data related to minors. Flag which data was made publicly available or shared with third parties (processors and sub-processors) in order to contact and inform them of the erasure.
Set up policies and procedures
Although the GDPR does not explicitly state the obligation to develop policies and procedures, there is an implicit presumption that policies are needed to deliver compliance by guiding an organization and its employees to understand the different stages within a data-erasure-request lifecycle. Also, these documents will enable the organization to demonstrate its compliance with the obligation to enable data subjects' rights under the accountability principle.
The policies and procedures regarding requests for erasure are centrally managed, as they involve different organizational departments and systems. The lifecycle of a request for erasure starts with the data subject filing the request in writing or verbally. Once the identity of the requestor is established and it is clear that the individual is entitled to request the erasure, the organization can inform the individual about the consequences of the erasure and roll out the next steps of the process to erase the personal data.
The right to erasure is not an absolute right. Before embarking on concrete steps towards data deletion, the decision on whether to erase needs to be made. Policies and procedures need to specify the different scenarios in which the organization can deviate from the obligation to grant the right to erasure. The different departments should list the applicable legal grounds that can be invoked to refuse the deletion of data. These legal grounds can be the outweighing right of freedom of expression and information of other individuals; overriding legal obligations the organization is subject to; the public interest or public health; archiving or scientific and historical research purposes; or the use of data in the context of legal claims. A mapping of these overriding requirements and their respective retention periods is a necessity to ensure that the organization does not contravene other regulations while granting the right to erasure.
After this analysis, the organization can come back to the individual and refuse the request for erasure in case other obligations prevent the organization from granting it. If there are no issues with granting the request, the organization can take it to the next step: the erasure of the personal data from the systems and hard copies of the organization and of the third parties who received this data from the organization.
Besides the policies and procedures, the DPO needs to keep a tracking record of all received requests. Difficult cases, where an extension of the response time is allowed, should be recorded and explained. The same applies to all other invoked exceptions (legal grounds) and disproportionate efforts (in case it is impossible for the organization to contact and inform the recipients of personal data about the request for erasure).
photo credit: Nicholas Erwin via photopin