Right to be forgotten: The right to erasure – Part 7 of 9

Jul 31, 2022 3:30:04 PM

This is the seventh in a series of nine blog posts on how Consumer Identity and Access Management (CIAM) products can help organisations comply with the General Data Protection Regulation (GDPR). The series covers important topics for CIAM experts who have an interest in the new EU regulations. The topic for this week is the right to be forgotten: the right to erasure.

Right to erasure - how does it work?

According to GDPR, consumers in Europe have the right to leave an organisation’s ‘sphere of influence’: whenever the customer wants to leave, organisations (in almost all circumstances) are supposed to let go. A consumer (in GDPR more generally referred to as ‘data subject’) must be able to request erasure of personal data at the touch of a button.

Although ‘the right to erasure’ is also referred to as ‘the right to be forgotten’, there is no unconditional right to be forgotten. If there are legitimate reasons for organisations to keep personal data, they can, but it is clear that from now on the consumer is in the driving seat.

How does article 17 of GDPR describe this right?

Article 17 of GDPR sets out a right to erasure as being ‘the right to obtain from the controller the erasure of personal data concerning him or her without undue delay’.

The GDPR states six grounds for erasure. The four most important ones are:

  1. the data is no longer necessary for the purpose collected or processed;
  2. the data subject withdraws consent and no legal grounds for processing remain;
  3. the data subject objects to the processing and there are no legitimate grounds to continue;
  4. the processing is unlawful.

It looks pretty simple: a consumer should be able to request erasure at the touch of a button. Executing this request should be done without undue delay, meaning as soon as possible, without months of ‘hesitation’ and without further questions such as ‘are you totally, completely sure?’

How will GDPR affect data collection and retention?

In several countries, businesses have shown reluctance to let consumers go. Marketers hate to delete any personal data from their treasured databases that help develop markets and make sales. To consumers, leaving is often made a lot harder than entering and registering.

In the GDPR era, clinging on to customers will be a thing of the past. In my opinion, it will not just be the fines from the authorities that act as the Sword of Damocles. In this case, businesses’ reputation is at stake. Consumer groups have shown themselves to be very aggressive in targeting organisations that give their clients a hard time when they want to terminate their relationship and have their personal data erased from the business’ database.

The new GDPR rules thereby serve the growing number of privacy-aware consumers that demand the right to buy products online on a one-off basis, without having to surrender tons of personal data for use other than handling and delivering their purchase.

Don't forget to communicate

Besides executing the erasure: when a customer decides to exercise his or her right to be forgotten, companies need to provide insight into the status of the request. As an example, companies could communicate the following message: “Dear customer, we have erased all of your personal information from our databases, other than the data (e.g. prior purchase information) we are required to keep for a period of x years because of tax regulations.” When a company persists in not communicating and consumer complaints start piling up, an investigation by the authorities may have costly consequences.

In conclusion

As a company, you are obliged by GDPR to:

  • Know which personal data you have.
  • Know where it is located.
  • Know the legal grounds for keeping the data.
  • Know the purpose for using the data.
  • Know that the customer can ask for personal data to be removed and the impact of such a request.
  • Know that there are certain legal grounds for keeping information longer.
  • Communicate to the customer about the progress of the erasure process.

Next time we will cover data breach communication as, under the GDPR, data controllers and data processors are subject to a general data breach notification regime.

The GDPR in all official European languages can be found here:

In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on CIAM.

  1. Why CIAM will never be the same with GDPR
  2. Consent Management with GDPR in mind
  3. Transparency and GDPR
  4. Strict regulation of automated individual decision making.
  5. What is sensitive personal data?
  6. Privacy by design: Data protection starts in the whiteboard phase
  7. Special rights for the individual like “right to be forgotten”.
  8. Data breach communication.
  9. Children's privacy under GDPR.

Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via marketing@iwelcome.com.
