GDPR: What is the Right to Erasure?


— by David Weinstein, Senior Security Engineer, Threat Stack

The other week, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., wrote an excellent blog post that explores overlaps and differences between GDPR and other frameworks, including ISO/IEC 27000, NIST, and PCI, as well as ways organizations can start to bridge the gaps to achieve alignment with GDPR.

In this post, Frank Kyazze, Senior Associate at Schellman, zeroes in on one of the questions that sit at the heart of the GDPR: “What is the Right to Erasure?” In this highly informative article, Frank explains some of the rights of data holders, responsibilities of data controllers, and best practices for effectively responding to requests for erasure.

The General Data Protection Regulation (GDPR) is coming into effect soon, and many companies are worried that they will not be compliant in meeting the demands of this behemoth of a regulation. One area that’s been keeping a lot of organizations up at night is the right to erasure. Some of the most commonly asked questions include:

  1. What is the right to erasure?
  2. How do we respond to a valid right to erasure request?
  3. Must we comply with every single right to erasure request? What if our organization has technical, legal, or legitimate business limitations?
  4. What are some best practices to avoid right to erasure headaches?
  5. How are we supposed to deal with requests for erasure in regard to personal data included in data backups and archives? Do we have to dig deep and delete the requested personal data from each backup instance?

 In this post, I describe when a data subject can effectively use the right to erasure, when a controller can defend against it, best practices to avoid getting in trouble with this individual privacy right, and how to deal with complicated erasure situations, such as erasing from backups.

1. What is the right to erasure?

The right to erasure, also known as the right to be forgotten, stems from Article 17 of the GDPR and is a data subject’s right to have their data removed from a controller and/or processor for the following reasons:

  • The original purpose for which the data was processed has been fulfilled, and the personal data in question is no longer needed. For example, John Doe buys a house and uses ABC Bank to mortgage the house. ABC Bank collects his employment, salary, SSN, and other personal information. John Doe pays off his house, and the bank continues to send him other offers past the legally required retention period. John Doe can request to have his personal data erased from ABC Bank because the originally intended purpose of managing his mortgage has been fulfilled.
  • The data subject withdraws their consent. Data subjects change their minds on products and services all the time. They may decide to withdraw consent from any organization’s processing activities. Showing due diligence and responding to someone’s request in a reasonable amount of time is always better than delaying or not responding at all. This can help maintain a level of trust and respect with customers if a withdrawing data subject decides to give new consent to an organization’s processing activities in the future.
  • The data subject objects to the processing of their data, and there are no overriding legitimate interests. It is important for an organization to understand the necessity and proportionality of its legitimate interests for processing personal data. For example, an organization that processes personal data to aggressively monitor individual online behavior patterns for an experimental project that is not immediately necessary for business survival would most likely have to comply with a data subject’s erasure request.
  • The personal data is collected and processed through unlawful means. Organizations should always understand the specific lawful basis for all of their processing activities and also understand when activities could be deemed unlawful. If an organization purchases an email list, for example, and sends out an email marketing campaign to this email list without consent or ability to opt out, that can be seen by a supervisory authority as unlawful. Unlawful processing activities lead to loss of public trust and hefty fines.
  • The data must be removed to comply with a legal obligation. If an organization has court orders to erase personal data, it must comply. For example, a data subject facing harassment could file a cease and desist order and request the restriction and erasure of their personal data from the offending organization.
  • The data is processed in relation to the offer of information society services to a child. Protections surrounding personal data of children are quite strict in the GDPR. Requests to erase the personal data of children should be handled diligently.

If any of the above circumstances apply, and in cases where your organization receives an erasure request, you will likely be obligated to act on the request to cease processing activities and erase the requesting data subject’s personal data from your environment under the GDPR.

2. How do we respond to a valid right to erasure request?

Considere following applicable steps when you receive a valid request to erase personal data:

  1. Confirm receipt of the request from the data subject to erase their data with a realistic erasure completion time frame. Nobody likes to be ignored, and responding to the request with a genuine notice of action is only fair. Under Article 12.3 of the GDPR, you have 30 days to provide information on the action your organization will decide to take on a legitimate erasure request. This timeframe can be extended up to 60 days depending on the complexity of the request.
  2. Locate the personal data and identify all processors and third parties that may also have the personal data. Use data flow diagrams and data inventories to pinpoint the systems that store the requested personal data. If these documents and procedures do not exist, set up meetings with all teams (e.g., HR, Marketing, IT Ops) that may come into contact with personal data to establish them so your organization can identify personal data for future erasure requests in a timely manner.
  3. Notify all identified third parties that have access to the personal data to completely remove the data from their environments and confirm erasure. At this point, your organization is likely knowledgeable of its external data flows and can pinpoint the instances where personal information is shared with or accessible by third parties. If not, a good approach could be to reverse engineer your external data flow channels by identifying the point of data collection, reviewing current vendor contracts, and evaluating your third-party business functions to determine which external parties may have access to the requested data for erasure.
  4. Remove the personal data from your environment. There may be circumstances where erasing personal data from digital and physical backups is not required: Specifically, in cases where your organization needs to store data for the interest of your information security program. In these conditions, it is important to consult with your legal representative or privacy professional to understand where these exemptions could apply. (Refer to Question 5 below for more information on backups.)
  5. Respond to the data subject to confirm data erasure from your environment and all associated third parties. The organization has 30 days to respond to data subject erasure requests, and this could be extended depending on the excessiveness, repetitiveness, and complexity of the request.

3. Must we comply with every single right to erasure request? What if our organization has technical, legal, or legitimate business limitations?

The right to erasure is NOT absolute, and there are instances where an organization may not be required to fulfill a request for erasure. A controller is not obligated to fulfill erasure requests under the following circumstances:

  • Where the organization is exercising its freedom of expression and information. Media, news, and journalism organizations will be able to leverage this exception as long as their actions of free expression do not impinge on individual rights.
  • Where the organization may have to comply with a legal obligation for the performance of a public interest task or exercise of official authority. If an organization receives a court order to retain data for evidentiary purposes, and a data subject makes a request to erase that data, the organization is not required to fulfill the erasure request.
  • Where the processing activity is a requirement for the interest of public health, scientific research, historical research, or other statistical purposes. This can be seen as the “greater good” defense. If your organization is involved in such archival activities, and these activities do not have a significant negative effect on individual privacy rights, you may not have to comply with erasure requests.
  • Where the organization needs to retain the information to defend itself in a legal claim. For example, let’s say that ABC bank is involved in a class action lawsuit and Jane Doe requests to erase her personal data from ABC Bank. If the data is relevant to the defense of ABC Bank’s lawsuit defense, ABC Bank may not be able to comply with Jane’s erasure request.

If you determine that it is appropriate to apply any of the above exemptions that would deny the request of an individual to erase their data, a proper notice explaining the exception must be communicated to the data subject within 30 days, and they will have the right to file a complaint to the supervisory authority in their member state where they feel the request has been processed unlawfully or unfairly.

4. What are some best practices to avoid right to erasure headaches?

  • Clearly identify your data processing activities with necessary purpose and the appropriate lawful basis. Lawful bases include consent, contractual agreement, legal obligation, vital interests of the data subject or another person, tasks for the public interest, and controller legitimate interests.
  • Know exactly where your data resides and how to access it on a granular level at a moment’s notice. Because you only have 30 days to respond to most erasure requests, and the volume of requests may vary, it is important to set up formal and documented processes that will allow your organization to efficiently find data in a reasonable amount of time. Consider keeping an up-to-date list of all outside organizations that you disclose personal data to with appropriate contact information for each to communicate erasure requests outside of your organization in a timely manner.
  • Use proactive retention policies and procedures to get rid of any data that your organization no longer uses. Understand any legal retention requirements that may pertain to your organization. Implement and follow a policy of regularly purging data that you no longer have a purpose or legal obligation for. If your organization does not retain obsolete personal data, requests for erasure may never need to be carried

5. How are we supposed to deal with requests for erasure in regard to personal data included in data backups and archives? Do we have to dig deep and delete the requested personal data from each backup instance?

Organizations backup their system data in case data is accidentally or purposefully destroyed. Because backups are rarely accessed, either after an incident or during backup recovery testing, access to backups may be limited to administrators and key business continuity and disaster recovery plan players. The lawful basis for continuing to process backup data could fall under legitimate interests of the organization to recover their systems and data in the event of a natural disaster or security incident. Some organizations have easy access to the data they store in backup instances, even on a granular level. If these organizations can easily delete individual subject data from backups without undue hardship, they will be required to fulfill erasure requests. In other cases where, for example, backup tapes are stored at an off-site location and are securely overwritten, organizations may have a difficult time complying with an erasure request – instead, they may ensure that access is tightly controlled and data is destroyed in accordance with a documented data retention policy. Every organization, every record, and every processing activity will require a case-by-case assessment. The key here with the right to erasure is to focus on what your rationale as an organization would be if you stood in front of a regulator or judge in court. Would your organization be able to justify that you made the effort to handle data subject requests to the best of your organization’s ability and resource capacity? Understanding your limitations and being transparent with your organization’s due diligence to adhere to the right to erasure will put your organization in a solid position.

Final Words . . .

Like most of the other requirements in the GDPR, the right to erasure will vary from organization to organization, and it is crucial for organizations to know where they stand regarding their retention requirements, how capable they are of effectively responding to erasure requests, and any exceptions to erasure that may apply to a particular situation. When in doubt, reach out to a supervisory authority, legal counsel with GDPR experience, or external privacy practitioners with GDPR expertise to address questions you may have in order to put your organization in the best position to effectively tackle the right to erasure.

In coming weeks, we’ll be bringing you more posts about GDPR, but in the meantime, feel free to download the following ebooks prepared by Schellman & Company for information and guidance:

We also invite you to have a look at Threat Stack’s intrusion detection platform or sign up for a demo today.

About Schellman & Company, LLC.

Schellman & Company, LLC is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Quali­fied Security Assessor, an ISO Certifi­cation Body, HITRUST Assessor, and a FedRAMP 3PAO. We are a trusted provider to the world’s leading companies, from the Fortune 1000 and publicly traded companies, to privately held entities of all sizes. Our service delivery model allows for optimum quality and client experience for organizations of every size and complexity. We are setting the pace and blazing new trails. We are the only company in the world capable of providing our clients the rare opportunity to achieve multiple compliance objectives through a single independent assessor — using experienced teams dedicated to delivering the highest quality.

See Threat Stack in Action

Get in touch for a demo of Threat Stack's comprehensive instrusion detection platform.

Book Your Demo