The “right to be forgotten”, or right to erasure, is the right afforded to data subjects to demand the erasure of their personal data from any systems. Organisations are obligated to take reasonable steps to remove the data without undue delay (and at the latest within one month of receiving the request) or risk having stiff penalties imposed upon them. It is one of the most well-known and debated elements of the General Data Protection Regulation (GDPR), stated in Article 17 of this new EU legislation.
To delve further, data subjects have the right to obtain erasure when one of the following requirements apply:
However, there are exceptions that would allow organisations to keep the data and overrule the right to erasure, if processing is necessary:
While erasure of data sounds like a simple request, implementing it in today’s sprawled data ecosystem is a complex endeavour to say the least. Every organisation will have different ways of storing data and make use of different technologies, so they will require a case by case assessment. But by and large, the regulation and its different elements are about ensuring that individual personal data is well-protected, and organisations are doing everything in their power to best serve the rights of the data subjects.