Back in 2009, a convicted German murderer applied to court for an order that Wikipedia remove reference to his conviction from its website. Five years later, a Spanish ex-bankrupt sought a court order requiring Google to remove reference to the case from its search results. These were the precursors to the right now enshrined in the GDPR, known formally as the right to erasure.
Definition under the DPA
There is no corresponding right under the DPA.
Definition under the GDPR
An individual has the right to require a data controller to erase personal data concerning him without undue delay where one of the following applies:
- the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
- the data controller was relying on the individual’s consent in order to process the personal data, and the individual has since withdrawn that consent
- the individual objects to the processing of the personal data, and the data controller has no overriding legitimate interests in continuing the processing
- the personal data is being unlawfully processed
- the personal data should be deleted to comply with any applicable law
What does the GDPR definition really mean?
It is not an unrestricted right to be forgotten, as it is exercisable only in limited circumstances. But if one of those circumstances applies, then the data controller is required (free of charge) to delete that personal data from its systems.
And where the data controller has made that personal data available to third parties, then the data controller must take reasonable steps to ensure those third parties also erase that personal data.
The individual does not have the right to be forgotten where:
- his/her personal data is being processed in accordance with a legal obligation
- the data controller is exercising its right to freedom of expression
- it is in the public interest to continue with the processing
- the processing is in relation to legal proceedings
- the personal data is simply being archived for scientific, statistical or research purposes
What are the significant differences between the DPA and the GDPR?
This right is entirely new, and has never before been tested in the UK courts.
What effect will this have on UK businesses?
It is expected that this part of the GDPR will attract considerable media coverage, and businesses can expect to receive a number of requests ‘to be forgotten’. Once again, businesses should ensure their data protection policy sets out a process for dealing with any requests.
Businesses will need to keep a record of where personal data is disclosed; without such a record, they will not be able to comply with the obligation to notify third parties.
Due to the limited circumstances in which a business must comply with a request, it is unlikely to have any material impact in the long run – any data that needs to be destroyed is unlikely to be business-critical.
What will my business have to do in order to get ready for this change?
It will be important to ensure your business’s data protection policy sets out a comprehensive procedure for dealing with any requests. In addition, you should also retain detailed records of where any personal data is disclosed to third parties.
You should, upon receipt of a request, first identify whether any of those five circumstances apply. If they do not, then you can inform the individual why you will not be deleting his personal data.
But if one of them does apply, then you next consider whether one of the five exemptions applies. If they do, again, you can inform the individual why you will not be deleting his personal data.
And if one of the circumstances does apply, but none of the exemptions do, then you are required to delete all the relevant personal data, and take reasonable steps to ensure that any third party to whom you’ve disclosed that data also deletes it (hence the need to keep records when you disclose data to third parties). And then tell the individual what you’ve done.
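The three-step procedure above (check the five circumstances, check the five exemptions, then erase and notify every third-party recipient) depends on one practical control: a register of outgoing disclosures keyed by data subject. The following is an added example, not code from the briefing or from any product it describes; the class and function names, the subject identifiers and the recipient names are all constructed for illustration. It keeps a disclosure register, applies the decision order the briefing sets out, and returns both the outcome and the set of recipients who must be asked to erase, so that the final step can be evidenced to the individual.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Ground(Enum):
    """The five circumstances listed in the briefing under which erasure may be required."""
    NO_LONGER_NECESSARY = "no longer necessary for the original purpose"
    CONSENT_WITHDRAWN = "processing relied on consent, now withdrawn"
    OBJECTION_NO_OVERRIDING_INTEREST = "individual objected, no overriding legitimate interest"
    UNLAWFUL_PROCESSING = "personal data unlawfully processed"
    LEGAL_DUTY_TO_DELETE = "deletion required to comply with applicable law"


class Exemption(Enum):
    """The five exemptions listed in the briefing that defeat an otherwise valid request."""
    LEGAL_OBLIGATION = "processing in accordance with a legal obligation"
    FREEDOM_OF_EXPRESSION = "controller exercising freedom of expression"
    PUBLIC_INTEREST = "continued processing is in the public interest"
    LEGAL_PROCEEDINGS = "processing relates to legal proceedings"
    ARCHIVING_RESEARCH = "archived for scientific, statistical or research purposes"


@dataclass(frozen=True)
class Disclosure:
    subject_id: str      # hypothetical internal identifier for the data subject
    recipient: str       # organisation the data was sent to
    category: str        # category of recipient (e.g. "marketing partner")
    disclosed_at: datetime


class DisclosureRegister:
    """Append-only record of outgoing disclosures; this is the record the briefing says to keep."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, subject_id: str, recipient: str, category: str) -> Disclosure:
        entry = Disclosure(subject_id, recipient, category, datetime.now(timezone.utc))
        self._entries.append(entry)
        return entry

    def recipients_for(self, subject_id: str) -> frozenset[str]:
        """Every organisation that has ever received this subject's data."""
        return frozenset(e.recipient for e in self._entries if e.subject_id == subject_id)

    def categories_for(self, subject_id: str) -> frozenset[str]:
        """Fallback the briefing mentions: at minimum the categories of recipient."""
        return frozenset(e.category for e in self._entries if e.subject_id == subject_id)


@dataclass(frozen=True)
class Decision:
    erase: bool
    reason: str
    notify: frozenset[str]   # third parties to ask to erase, empty when no erasure


def decide_erasure(subject_id: str, grounds: set[Ground], exemptions: set[Exemption],
                   register: DisclosureRegister) -> Decision:
    """Apply the briefing's order: circumstances first, then exemptions, then erase and notify."""
    if not grounds:
        return Decision(False, "none of the five circumstances applies", frozenset())
    if exemptions:
        names = ", ".join(sorted(e.value for e in exemptions))
        return Decision(False, f"exemption applies: {names}", frozenset())
    return Decision(True, "circumstance applies and no exemption",
                    register.recipients_for(subject_id))


def erase_subject(store: dict[str, dict], subject_id: str) -> int:
    """Delete the subject's records from a simple in-memory store; returns the count removed."""
    before = len(store)
    for key in [k for k, rec in store.items() if rec.get("subject_id") == subject_id]:
        del store[key]
    return before - len(store)


if __name__ == "__main__":
    # Constructed sample data: one subject disclosed to two partners, another to a third.
    reg = DisclosureRegister()
    reg.record("subj-0042", "AcmeMarketing", "marketing partner")
    reg.record("subj-0042", "DataBrokerCo", "data broker")
    reg.record("subj-0099", "OtherPartner", "marketing partner")
    d = decide_erasure("subj-0042", {Ground.CONSENT_WITHDRAWN}, set(), reg)
    print(d.erase, d.reason, sorted(d.notify))
```

The register is append-only by design: the briefing notes that the individual is also entitled to be told to whom their data was disclosed, so the same record serves both the erasure workflow and that separate entitlement, and the `categories_for` fallback covers the minimum the briefing describes when only categories can be given.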
So if I receive a request from somebody asking me to delete their personal data, I don’t necessarily have to do it?
No, not necessarily. First, consider whether any of the grounds in Article 17(1) of the GDPR apply. If they don’t, then you don’t have to delete the data. Secondly, consider whether any of the exemptions in Article 17(3) of the GDPR apply. If they do, again, you don’t have to delete the data.
What if somebody asks me to delete personal data relating to somebody else?
The right only applies where a person asks for deletion of personal data concerning them, not where the data relates to anyone else.
How quickly do I need to act – do I have a month to reply?
No, you must respond ‘without undue delay’. There is no longstop date.
I’ve received a request from Miss Banks, but I’ve disclosed her details to dozens of other companies. What do I need to do?
Assuming you’ve been through the process and confirmed that she does have the right of erasure, then you delete the personal data from your own systems, and take reasonable steps to inform all those other companies that she is exercising her right. You are entitled to consider the technical complexities and cost of liaising with those other companies but, ultimately, you must do everything you reasonably can to ask them to delete her personal data ‘without undue delay’.
But I don’t have a record of which companies I’ve disclosed Miss Banks’ data to…?
That’s potentially a problem. Under other sections of the GDPR, Miss Banks is entitled to be told to whom you’ve disclosed her personal data (or, at the very least, the categories of companies to which you’ve disclosed her personal data). It is essential that you keep written records of all outgoing disclosures of personal data from this point forward.
I’m involved in a bitter divorce battle – can I ask my wife’s solicitors to delete any personal data they have about me?
No, because none of the grounds in Article 17(1) of the GDPR will apply, so you cannot exercise the right in those circumstances.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- DPA means the Data Protection Act 1998, the statute that currently governs the processing of personal data in the UK.
- GDPR means the General Data Protection Regulation, the EU law that will come into force in the UK in May 2018 in place of the Data Protection Act 1998.
- Personal data means any data from which a living person can be identified.
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.