On May 25, 2018, the EU General Data Protection Regulation (GDPR) came into effect throughout Europe, and any global business that handles information from EU citizens and residents must prove compliance.
One significant update in this regulation is the expanded definition of personal data. Understanding what constitutes personal data is key to defining the scope of the data being handled by an organization.
Personal Data is defined information that relates to a natural person; the person is identified or made identifiable, directly or indirectly, by reference to an entity such as a name, ID number, location data or other unique identifier.
Once you understand what personal data is, it’s important to then recognize what is meant by data processing and who oversees this responsibility.
Controller – the entity (person or organization) that determines the purposes and means of the processing of personal data.
Processor – the entity that processes personal data on behalf of the controller.
Processing – any operation performed on any piece of personal data, automated or not, including (but not limited to) collection, recording, organization, structuring, storage, retrieval, transmission, dissemination and erasure or destruction.
It should be noted that when a controller selects a processor to process data, he/she must agree to a binding contract ensuring that the same level of data protection is offered as stipulated by the regulation. This in effect means that the controller will not bear the full brunt of sanctions (previously the case), should a processor be liable for breaking the law.
The Right to Data Erasure
The right to erasure (also referred to as the ‘right to be forgotten’) extends the long-standing requirement that the Data Protection Directive contains—the right consumers have to request that their data or physical information be disposed of effectively and responsibly. The GDPR expands this right (and supersedes the Directive) to include data that lives on the internet. Consumers can request that they can “be forgotten” from the public view in specific circumstances.
The Right to Erasure Applies When:
- An individual withdraws consent
- An individual objects to the processing, and there is no overriding legitimate interest for continuing the processing
- An individual’s personal data was unlawfully processed
- An individual’s personal data is processed in relation to the offer of information security services to a minor
Under the existing Data Protection Directive, the right to erasure is limited to processing that causes substantial and unwarranted distress or damage. This is not true under the GDPR; however, if such distress or damage is in place, the case for erasure will likely be that much stronger. There are some specific instances in which the right to erasure does not apply, and organizations can refuse to deal with a request.
Organizations Can Refuse to Comply with a Request for Erasure When Personal Data is Processed for the Following Reasons:
- The exercise or defense of legal claims
- For public health reasons in the public interest
- Archiving purposes in the public interest, including statistical purposes, scientific research or historical research
- To exercise the right of freedom of expression and information
- To comply with a legal obligation for an exercise of official authority or performance of a public interest task
To continue reading, download the PDF above.