This is blog topic #7 about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects. This blog is part of a series that touches on important topics for IAM experts who have an interest in the new EU regulations. The topic for this week is the right to be forgotten – the right to erasure.
The right to erasure – the art of letting go!
According to GDPR, consumers in Europe have the right to leave an organisation’s ‘sphere of influence’: whenever the customer wants to leave, organisations (in almost all circumstances) are supposed to let go. A consumer (in GDPR more generally referred to as ‘data subject’) must be able to request erasure of personal data at the touch of a button.
Although ‘the right to erasure’ is also referred to as ‘the right to be forgotten’, there is no unconditional right to be forgotten. If there are legitimate reasons for organisations to keep personal data they can, but it is clear that from now on the consumer is in the driving seat.
How does article 17 of GDPR describe this right?
Article 17 of GDPR sets out a right to erasure as being ‘the right to obtain from the controller the erasure of personal data concerning him or her without undue delay’.
The GDPR states six grounds for erasure. The four most important ones are:
- the data is no longer necessary for the purpose collected or processed;
- the data subject withdraws consent and no legal grounds for processing remain;
- the data subject objects to the processing and there are no legitimate grounds to continue;
- the processing is unlawful.
It looks pretty simple: a consumer should be able to request erasure at the touch of a button. Executing this request should be done without undue delay, meaning ASAP, without months of ‘hesitation’ and without further questions such as ‘are you totally, completely sure?’
Hard to find the ‘leave’ button? Those days will soon be gone
In several countries, businesses have shown reluctance to let consumers go. Marketers hate to delete any personal data from their treasured databases that help develop markets and make sales. To consumers, leaving is often made a lot harder than entering and registering.
In the GDPR era, clinging on to customers will be a thing of the past. In my opinion, it will not just be the fines from the authorities that will act as Damocles’ Sword. In this case, businesses’ reputation is at stake. Consumer groups have shown themselves to be very aggressive in targeting organisations that give their clients a hard time when they want to terminate their relationship – and have their personal data erased from the business’ database.
The new GDPR rules thereby serve the growing number of privacy-aware consumers that demand the right to buy products online on a one-off basis, without having to surrender tons of personal data for use other than handling and delivering their purchase.
Communication is required
Besides executing the erasure: when a customer decides to exercise his or her right to be forgotten, companies need to provide insight into the status of the request. As an example, companies could communicate the following message: “Dear customer, we have erased all of your personal information from our databases, other than the data (i.e. prior purchase information) we are required to keep for a period of x years because of tax regulations.” When a company persists in not communicating and consumer complaints start piling up, an investigation from the authorities may have costly consequences.
As a company, GDPR obliges you to:
- Know which personal data you have.
- Know where it is located.
- Know the legal grounds for keeping the data.
- Know the purpose for using the data.
- Know that the customer can ask for personal data to be removed and the impact of such a request.
- Know that there are certain legal grounds for keeping information longer.
- Communicate to the customer about the progress of the erasure process.
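The obligations above translate into a data inventory plus an erasure routine that knows which records must be kept on a statutory ground and tells the customer so. The following is an added illustration, not code from the original post or from any iWelcome product; the inventory entries, system names, legal-ground labels and retention dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed, hypothetical inventory entry: for one category of personal data it
# records what it is, where it lives, on which legal ground and for what purpose.
@dataclass(frozen=True)
class InventoryItem:
    category: str                    # e.g. "marketing preferences"
    location: str                    # system holding it, e.g. "crm"
    legal_ground: str                # "consent", "contract" or "legal_obligation"
    purpose: str
    retain_until: Optional[str] = None  # ISO date; only set for statutory retention periods

def handle_erasure_request(inventory: List[InventoryItem], today_iso: str
                           ) -> Tuple[List[InventoryItem], List[InventoryItem]]:
    """Split the inventory into data erased now and data kept on a legal ground.

    Once the customer leaves, consent-based and contract-based data has no remaining
    ground and is erased. Data under a statutory retention duty (e.g. tax bookkeeping)
    is kept only until that retention period has expired.
    """
    today = date.fromisoformat(today_iso)
    erased, retained = [], []
    for item in inventory:
        keep = (item.legal_ground == "legal_obligation"
                and item.retain_until is not None
                and date.fromisoformat(item.retain_until) > today)
        (retained if keep else erased).append(item)
    return erased, retained

def status_message(erased: List[InventoryItem], retained: List[InventoryItem]) -> str:
    """Plain-language progress message for the customer, in the spirit of the post."""
    if not retained:
        return "Dear customer, we have erased all of your personal information from our databases."
    kept = "; ".join(f"{i.category} (kept until {i.retain_until}, {i.purpose})" for i in retained)
    return ("Dear customer, we have erased all of your personal information from our databases, "
            f"other than the data we are legally required to keep: {kept}.")

# Constructed sample inventory for a single customer
SAMPLE_INVENTORY = [
    InventoryItem("account profile", "ciam", "consent", "login and self-service"),
    InventoryItem("marketing preferences", "crm", "consent", "newsletters"),
    InventoryItem("delivery address", "shop", "contract", "order fulfilment"),
    InventoryItem("invoices", "erp", "legal_obligation", "tax bookkeeping", "2025-01-01"),
]

if __name__ == "__main__":
    erased, retained = handle_erasure_request(SAMPLE_INVENTORY, "2018-05-25")
    print(status_message(erased, retained))
```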
Next time we will cover data breach communication as, under the GDPR, data controllers and data processors are subject to a general data breach notification regime.
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
- Why IAM will never be the same.
- When should consent be requested?
- Why transparency is key to building trust.
- Strict regulation of automated individual decision making.
- What is sensitive personal data?
- Privacy by Design & Data protection by Design.
- Special rights for the individual like “right to be forgotten”.
- Data breach communication.
- Children's privacy under GDPR.
Feel free to repost this blog on your website! But when you do so, please be so kind as to mention the source and give us a notice via marketing@iWelcome.com
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years, the last 15 of them at two well-known Identity Management vendors.