GDPR: The Right to be Forgotten

On Monday, Google updated their Right to be Forgotten policy… For those that are unaware – under European legislation you are able to ask Google to remove certain pages which contain information about you or your business from its public search results.

The Right to be Forgotten also plays a big role in the upcoming General Data Protection Regulation (GDPR) which will come into play from 25th May 2018. Here it is known as the ‘right of erasure’.

As a business, this part of the GDPR posed a number of questions for us. As with Google, a user can approach an organisation and ask that they remove data that is held about them. Our initial thought was that in doing so would create many problems on the accountancy side – would we have to anonymise invoice data, client profiles, etc?

Recictal 65 of the GDPR details the particular situations where the right to erasure applies:

• Where the personal data is no longer needed to achieve the purposes for which it was collected or processed
• Where a data subject has withdrawn his or her consent
• Where a data subject objects to the processing of his/her personal data
• Where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet,
• Where the processing of personal data does not otherwise comply with the GDPR.

—————————————–

Thankfully, the GDPR’s right of erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances as above, however where data provides part of a contract, it is ok to keep records of finance, etc.

Whilst the GDPR will require certain policies and procedures updating, the necessity to maintain certain records shall largely remain unchanged…