The right to erasure, also known as the ‘right to be forgotten’, is one of the cornerstones of GDPR. Whether verbally or in writing, individuals can request that your company deletes some or all of the personal data held about them. Other new rules, like California’s new Consumer Privacy Act 2018, are even more sweeping.
Therefore, demands for erasure are going to become increasingly commonplace over the coming years. The recent slew of data breaches involving brands like British Airways and Facebook could be even worse for those companies if it turns out the stolen data should have been deleted.
This is why businesses still need to keep managing and minimising their risk. Your efforts to comply with this requirement have to be more than just a box-ticking exercise.
Were your processes in place?
Your business needs the processes in place to manage requests for erasure, whether it’s just a couple every week or, as is more likely as time goes on and people better understand their rights, hundreds or even thousands.
This means understanding if data is held locally or overseas, or by a third party. You cannot erase data if you do not even know it exists!
After all, trust is the currency of the 21st Century, and individuals are more likely to trust companies that respond swiftly and transparently to their requests. A slick process will also keep costs down, and the costs of GDPR compliance are already foremost in the mind of every CIO and CFO.
Did you understand your statutory requirements?
When an erasure request comes in, you have to locate the data, decide if you are going to erase it, and then confirm that you have erased it.
At the same time, there are challenges in meeting other statutory requirements and in avoiding the accidental erasure of data that the data subject would have relied on. For example, a credit reference agency needs to retain data because of financial regulations. The data subject puts in an erasure request and the company accidentally deletes everything, thinking it needed to do so under GDPR.
However, the data subject then applies for credit and there is no footprint, so this erasure of data could actually cause the company to fall foul of another regulation. But trust-hub offers a platform that can track, visualize and report on all.
Is your organisation transparent?
Some businesses are considering offering a more sophisticated, transparent service. That could mean allowing customers to access, self-manage and, if necessary, erase their own personal data through a web portal.
If your business goes down this route, it could help to further strengthen customer relationships by both demonstrating a heightened level of transparency and also by allowing people to feel that they are in control of their own data.
Have you embedded ‘privacy by design’ in your company’s DNA?
In the same way that many businesses have undergone ‘digital transformation’ in recent years, they will also have to undergo a ‘privacy transformation’ to ensure the rights and responsibilities of GDPR are embedded in their DNA.
It will be a challenge, but those companies that successfully make that leap are going to be best placed to handle requests for erasure, generate consumer trust and demonstrate their understanding of data transparency.
If you would like to know more about what trust-hub can do to help your business be one of them, click here or contact us at +44 (0)20 3582 5055.