The right to be forgotten and subject access rights

The new right to erasure or “Right to be forgotten” part of the GDPR has got a few people confused, so allow me to explain. This means that companies can no longer keep a person’s data indefinitely. After a certain amount of time, if the information is no longer necessary, the company will have to delete that person's details – completely – from their database. There are other reasons to delete someone’s data as well. For instance: the individual withdraws their consent; the consent wasn’t lawfully given; to comply with legal obligation.


There are circumstances where the organisation can justly refuse to remove this data. They are: to exercise their rights to freedom of expression or information; it is in the interest of the public or the public’s health to keep the data; for a legal case; for archiving purposes, such as a scientific research project; if the data is necessary for legal obligations (so, no, you cannot call up your bank and ask to be forgotten so that you don’t have to pay back your overdraft).


Subject Access Rights


As GDPR comes into effect in May next year, companies need to be aware of the new rights that individuals have regarding their data. Some of these are called Subject Access Rights, they are: the right to access their data; the right to change and rectify their data and the right to be removed from the database and be erased.


All of these rights must be complied with within one month of the request date. Under some circumstances this could be extended by two months, perhaps because there is a lot of data and will require time to collect it all. If this happens then the individual must be told, within that first month, of the delay and the reasons for it. The service must also be free of any charges. If a company feels that the request is excessive then they could charge a ‘reasonable fee’ which reflects the admin charges but cannot be more than that.


All of this could be costly and companies should think carefully about how they are going to tackle the issue. Do you want a task force of people in charge of these services and how much is that going to cost? Is there a cheaper way of doing it? For companies with clients/customers an online self-service system would be more cost effective, especially in the long run.


To get your FREE copy of our GDPR White Paper CONTACT US.