One of the key new rights under the General Data Protection Regulation (GDPR) is that EU citizens have a right to “erasure of personal data concerning him or her without undue delay”.
What this means in practice is that any customer whose data you hold has a right to contact you and request that their personal information be safely and securely erased, and you must comply within a reasonable time.
While there are some cases where you can refuse, there must be a legislative basis for doing so – for instance, where you need to retain the information in order to comply with the law of the land on matters of taxation, law enforcement, social security or employment law – but for the most part you have to comply with the request.
The GDPR lays out the instances where companies will be legally obliged (from May 2018) to securely delete data, including where:
* the information is no longer necessary for the purposes for which it was collected
* the information was not collected with the explicit, informed consent of the data subject
* the information has been unlawfully processed
The core principle is that, as long as there are no legal reasons why you should hold onto the person's information, you must delete personal information once “the data subject withdraws consent on which the processing is based”.
It is important to remember that the data always remains the property of the person to whom it relates, and that it can only be used with their express permission and only for the purpose for which they gave that permission. So if someone gives you their contact details in relation to a purchase, it doesn't mean you can send them emails, special offers or newsletters without them expressly giving you their permission.
Safely and securely destroying someone's details can be more difficult than many organisations might think, both in terms of destroying the electronic data securely and in terms of keeping track of all physical records (for instance a printed list of contact details) so that every copy of the personal data can be destroyed, in whatever form it is stored.
The DataSec 2017 conference takes place on 3rd of May in the RDS in Dublin.
The event will provide expert speakers, information and insight to help your business comply with GDPR and get the most out of the new legislation.