What MSPs ABSOLUTELY need to know about the ‘right to be forgotten’

One of the staples of the GDPR is the fabled ‘right to be forgotten’. It may sound like a cheesy tagline from the depths of Hollywood, but the right ‘to be forgotten’ is actually one of the most vital aspects of the new EU data protection laws. In short, companies won’t stand a chance of meeting the requirements of the GDPR if they fail to understand what it means to ‘forget’ an EU citizen. So in this blog post, we will provide you with an in-depth introduction to the ‘right to be forgotten’ and why MSPs need to prepare for this vital piece of legislation.

The right to be erased

The right to be forgotten is also known as the ‘right to erasure’. The concept of erasure may actually provide a much better visual understanding of what the principle entails. EU citizens have the right to request deletion or removal of their personal data. They don’t have to put forth any particular reasons to substantiate their request. If there is no compelling reason for a company to process personal data, they have to delete it immediately.

Stop for a second and think of the consequences. We have already explained the massive scope of personal data in relation to the GDPR. Pretty much any given piece of data that concerns an individual is considered to be personal. Imagine what a laborious task it may be to erase just one person from your files. You can almost hear the sound of data managers’ heads popping all over the continent.

No absolute right

It may provide some relief that EU citizens aren’t granted an absolute ‘right to be forgotten’. But then you consider the circumstances that are required to ask for erasure, and suddenly it feels kind of absolute. They are as follows:

• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected.

• When the individual withdraws consent.

• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

• The personal data was unlawfully processed.

• The personal data has to be erased in order to comply with a legal obligation.

• The personal data is processed in relation to the offer of information society services to a child.

The ‘right to be forgotten’ from the GDPR represents a radical change compared to the Data Protection Act from 1998. Under the DPA, the right to erasure was reserved to instances where the processing of personal data causes substantial damage or distress to the data subject. There is no such threshold in the GDPR.

When an EU citizen asks for erasure, it is almost a given that companies and organisations have to provide it.

Three highlights:

– The ‘right to be forgotten’ is also known as ‘the right to erasure’.

– The ‘right to be forgotten’ is not absolute. But considering the circumstances, it won’t be difficult for EU citizens to ask for it.

– Under the Data Protection Act from 1998, individuals had to clear a much higher threshold to be forgotten than under the GDPR.