The right to be forgotten has perhaps become one of the most widely publicised elements of the new General Data Protection Regulations (GDPR), which becomes enforceable from May 2018.
As many media outlets have reported, a consequence of this particular article means that people will be able to force social media giants like Facebook to delete embarrassing posts under new data protection legislation.
The ‘right to be forgotten’, or ‘the right to erasure’ as it’s more formally referred to, explains the circumstances in which a data controller would be obliged to erase relevant personal data. As well as other criteria for data erasure, the article gives the data subject the right to ‘request the deletion or removal of personal data, where there is no compelling reason for its continued processing.’
When must I erase data?
Article 17 of the GDPR outlines the following circumstances in which a data controller is obliged to erase data:
- Data is no longer necessary for the purpose for which it was originally collected
- The data subject withdraws their consent
- The data was unlawfully processed
- Data has to be removed in order for compliance with other relevant laws
- Data has been unlawfully collected on children/minors without parental consent
In short, if you’re finished with the data, the subject asks you to erase it, or it was illegal for you to collect in the first instance, you should erase the data ‘without undue delay’.
The article also outlines certain exceptions, such as data that is protected by freedom of speech principles and data that is in the public interest.
Equally, there may be cases for retaining data, such as data used for marketing purposes; does it need to be deleted or can it be suppressed?
- Deletion is the complete removal of any data you have about the data subjects for any of the reasons given above
- Suppression may occur when data is not deleted, but it is also not used for any future activity such as marketing
You may need to keep details if you work with young people, for example. In this case, the retention of data could be needed for safety purposes to retain parental details.
What if I’m not the only one with the data?
The GDPR also requires that data controllers should take ‘reasonable steps to inform other controllers also processing the data, of the subject’s wish for the data to be erased.’
In summary, if you as a controller are required to erase data, you should take reasonable steps to inform other controllers who are also processing the same data, that it is to be erased.
This will have an effect on data sharing between producers, promoters, touring organisations and venues. However, this is not a reason not to share data, just make sure you extend your own data protection processes across data sharing relationships.
For more information about the right to be forgotten, consult this comprehensive article which goes into further specifics about the potential situations and their exceptions. If you want to know more about other aspects of the GDPR that you should be aware of, consult the other guides in our ongoing series, or contact Culture Republic for friendly help and advice.