If you have a question you'd like to ask our experts, please get in touch on email@example.com.
How should data now be removed from our system? Do we need to prove that it has been deleted?
Jon Baines, data protection advisor at Mishcon de Reya LLP:
There are two situations under which personal data should normally be removed from organisations’ systems. Firstly, it should, under article 5(1)(e) of GDPR, not be kept for longer than is necessary (so once it has ‘served its purpose’, it should no longer be retained).
Secondly, under article 17, personal data should, as a general rule, be erased if someone asks (obviously there are exemptions and exceptions to this ‘right to erasure’).
In the first instance what GDPR actually says is that personal data should not ‘be kept in a form which permits identification of data subjects for...longer than is necessary’, so in those circumstances it might be possible to apply anonymisation techniques, but still retain the base data.
In the second instance, there are, as yet, no technical details or specifications about how erasure should be done.
My personal view is that it will be subject to a reasonableness test, and organisations will likely have to show that they have taken sufficient care and effort to undertake the exercise, rather than having to prove to a ‘beyond all reasonable doubt’ standard.
In both cases, I am of the view that it is both acceptable and sensible to keep some record or audit trail to show that the data has been, or would have been, held at some point.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.
Annemarie Proudfoot, head of customer relations at BestAgent:
When a customer exercises their right to be forgotten, or when for any other reason the legal basis for storing/processing data no longer exists, the controller (agent) and processor (software provider) must delete that data from its systems and all backups, except that which is needed for other legal obligations (accounting laws, etc.).
Maintaining a system log of when the deletion was executed is sufficient proof.
But, as it’s virtually impossible to prove that information has been deleted, and not secretly stored somewhere, the most important consideration is to make sure that that customer will never, even unintentionally, receive marketing communications from you again, as this would serve to prove that you did not delete their personal information when required to do so, and leave you vulnerable to the consequences of a breach of the GDPR.
Damon Bullimore, chief information officer at BriefYourMarket.com:
The GDPR introduced the ‘right to be forgotten’ (aka ‘the right to erasure’), so agents need to have processes in place to service this specific request. Any data-processing software that is used by the agent should have this functionality in-built within it for this specific reason.
The Information Commissioner’s Office (ICO) states that individuals can make this request ‘verbally or in writing’. Once this request has been issued, agents will have one month to respond.
Agents need to have a comprehensive understanding as to when the right to erasure applies and should ensure that they have reviewed the guidelines issued by the ICO.
Agents can refuse to comply with an erasure request if the request is ‘manifestly unfounded or excessive’. If an agent does feel that the request meets this criteria, they can request a fee to process it, or refuse it entirely. However, detailed justification for the refusal will be required and the individual will need to be informed as to why you are not taking action.
An erasure request can be made to any member of your business. Therefore, staff training around the right to erasure needs to be conducted internally.
The ICO states that ‘you have a legal responsibility to identify that an individual has made a request to you and that you handle it accordingly’.
They also note that businesses ‘may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request.’
This would indicate that deletion does not need to be proved per se, but that the request needs to be handled in a customer-centric and transparent manner.
Bernard George, solicitor for Socrates Training Ltd:
Complete deletion of electronic information is bordering on impossible. You probably have multiple backups of your IT system. If so, there is no practical way of going through all those, and selectively deleting every instance of some old data.
The good news is that in practice nobody worries about this. So long as you have edited your working records, and your old backups are kept secure, you should be fine.
*If you would like to receive further guidance from any of our GDPR experts, please click here.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.