Right to Be Forgotten – 3 Steps to Not Forget

SUMMARY: The GDPR Right to Be Forgotten requires organizations to securely delete personal data when a valid request is made or when the information is no longer needed. This guide explains when erasure is mandatory, when exemptions apply and how data remanence can undermine standard deletion. You will also learn three steps to prepare your organization and how BCWipe permanently removes sensitive data and provides detailed wiping reports to support GDPR compliance.

Did you know that under GDPR your organization will be subject to the ‘Right to Be Forgotten’?
And nope, this doesn’t mean that the regulator can forget about you.

On the contrary, when enforcement of the General Data Protection Regulation (GDPR) begins on May 25, 2018, any person located in the European Union – anyone residing in the EU, not just EU citizens – can request their personal information be removed from corporate databases in a timely fashion, or know the reason why it can’t.

So, if your company handles any European personal data, whether you’re inside or outside of the European Union, you are subject to the General Data Protection Regulation and to the ‘Right to Erasure’, also known as ‘Right to Be Forgotten’.

Right to Be Forgotten – When It Applies & When It Doesn’t

The new regulation means that companies are required to delete or ‘forget’ personal data related to an individual upon request. However, the right to erasure does not provide an absolute ‘Right to Be Forgotten’.

According to Article 17 of the GDPR, individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • The data is no longer necessary for its intended use. If the personal data was collected for one thing, but used for another, the data must be erased upon request.
  • Consent for the use of the data is withdrawn by the data subject. Another stipulation on this point is that the data must also have no other legal reasons for being processed.
  • The data was processed unlawfully; for example, data used without consent.
  • Certain lawful obligations for European Union Members and States require erasure.
  • Personal data of minors is only lawfully obtained and processed with the consent of that minor’s parents.

Organizations don’t always have to comply with an individual’s request for erasure. Remember that the ‘Right to Be Forgotten’ isn’t an absolute right. A company can refuse to comply with a request for erasure when the personal data is processed for the following reasons:

  • The exercise or defense of legal claims.
  • For public health reasons in the public interest.
  • Archiving purposes in the public interest, including statistical purposes, scientific research or historical research.
  • To exercise the right of freedom of expression and information.
  • To comply with a legal obligation for an exercise of official authority or performance of a public interest task.

Preparing Your Organization for GDPR Erasure Requests

To avoid forgetting about the ‘Right to Be Forgotten’, here are 3 steps that any organization can take:

Step 1: Organize & Map Your Data

It’s your responsibility to know where your data is, even if you outsource data storage to a cloud provider. Map your data flows and build a clear picture of where the GDPR data is going and who it is going to. When the need arises, finding the information to erase will be much faster and easier.

Step 2: Establish Processes & Policies

It’s a fact: human error is the root cause of most data breaches. People make mistakes, for example by storing information in the wrong place and putting data beyond the control of your IT department. To reduce risks, you must understand how your employees handle information, and set processes and associated policies.

Step 3: Use Trusted Data Erasure Tools

Solutions are available to look up data and determine its location, whether on laptops, servers or cloud sites. Yet to comply with the ‘Right to Be Forgotten’, you must rely on a powerful and trusted wiping solution to permanently delete data remanence, the small traces of information remaining even after standard deletion.

What’s Data Remanence & How to Say Goodbye Forever

Do you recall the movie ‘Eternal Sunshine of the Spotless Mind’? You can erase someone from your mind, but getting them out of your heart is another story. While your mind might forget, your heart will always remember.

Residual data, known as data remanence, works in a similar way. When a file is ‘deleted’, it appears to be gone from memory. However, the contents of the ‘deleted’ file continue to exist deeper inside the system.

To comply with the ‘Right to Be Forgotten’, data must be deleted completely.
Here are the capabilities to look for when selecting a data erasure tool:

  • Remove beyond forensic recovery techniques
    Files and remanence must be wiped from all hidden places including directory slack, file slack, NTFS logs, and MFTs. In case you get hacked, you wouldn’t want hackers to restore any previously ‘deleted’ files with a basic recovery tool.
  • Remotely wipe data
    What if the data you need to remove is on Donatello’s computer, and on Michelangelo’s computer, and on Leonardo’s computer? Manually wiping the data at each computer will take you an entire day. A remote wiping utility will ensure speed and peace of mind in just one click.
  • Create detailed wiping reports
    Reports must be delivered in certain instances. Not only are there requirements for data reporting in the GDPR, but reporting can greatly help during any audits.
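
The remanence and file slack behaviour described above can be reproduced on a toy volume. This is an added example, not code from Jetico or BCWipe: `ToyVolume`, its 16-byte cluster size and the sample record are all constructed for illustration and do not model any real filesystem.

```python
CLUSTER = 16  # bytes per cluster in this constructed model


class ToyVolume:
    def __init__(self, clusters=8):
        self.raw = bytearray(clusters * CLUSTER)  # raw storage surface
        self.table = {}                           # name -> (clusters, length)
        self.free = list(range(clusters))

    def write(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))   # ceiling division
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk  # tail untouched
        self.table[name] = (used, len(data))

    def delete(self, name):
        """Standard deletion: drop the reference, leave the clusters as they are."""
        used, _ = self.table.pop(name)
        self.free = used + self.free

    def wipe(self, name):
        """Erasure: overwrite each allocated cluster in full, slack included."""
        for c in self.table[name][0]:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.delete(name)

    def wipe_free_space(self):
        """Overwrite clusters no file owns, clearing remnants of past deletions."""
        for c in self.free:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def residue(self, marker):
        """Verification: is the marker still present anywhere on the raw volume?"""
        return marker in self.raw


def demo():
    vol = ToyVolume()
    vol.write("customer.txt", b"ann@ex.test:4711")  # constructed, one full cluster
    vol.delete("customer.txt")
    after_delete = vol.residue(b"4711")   # reference gone, bytes still stored
    vol.write("note.txt", b"hello")       # reuses the cluster, covers 5 bytes only
    in_slack = vol.residue(b"4711")       # old record's tail survives as file slack
    vol.wipe("note.txt")
    after_wipe = vol.residue(b"4711")
    return after_delete, in_slack, after_wipe
```

The `residue` scan is the part worth keeping in a real process: an erasure is only evidenced once a search of the raw storage for the subject's data comes back empty.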

Right to Be Forgotten – Comply with BCWipe

Jetico provides pure and simple wiping software for National Security, Compliance and Personal Privacy. Trusted for over 10 years by the U.S. Department of Defense, Jetico’s BCWipe can wipe selected files beyond forensic recovery, delivering full GDPR compliance with confidence.

Enterprise Edition of BCWipe includes Jetico Central Manager for client software control. For auditing purposes, admins can also run and retrieve wiping reports.

Frequently Asked Questions (FAQs)

What Does the GDPR Right to Be Forgotten Actually Require?

The GDPR requires organizations to erase personal data when an individual requests it, provided certain conditions are met such as the data no longer being needed, consent being withdrawn or the information being processed unlawfully. Organizations must respond promptly and explain when an exemption prevents erasure.

When Can Organizations Refuse a Right to Be Forgotten Request?

The right is not absolute. Erasure may be refused when data is needed for legal claims, research, public interest, public health purposes or to meet a legal obligation. In these situations, organizations must clearly justify the refusal to the requester.

How Should Companies Prepare for GDPR Erasure Requests?

Begin by mapping where personal data resides across devices, servers, cloud platforms and third-party systems. Set internal processes to avoid misplaced files and ensure staff know where data must be stored. Finally, adopt a reliable wiping method to remove data fully, including hidden remnants.

Why Isn’t Standard File Deletion Enough for GDPR Compliance?

Normal deletion only removes file references, leaving behind data remanence that can be recovered with common recovery tools. GDPR requires erasure that is permanent and beyond forensic recovery, including wiping hidden areas such as file slack, directory slack, NTFS logs and MFT records.

Which Jetico Tools Support GDPR Right to Be Forgotten Compliance?

BCWipe securely wipes selected files and all related data remanence on active systems, making it suitable for targeted erasure requests. For organizations managing many workstations, BCWipe Enterprise Edition adds centralized control and detailed wiping reports for audits. When combined with Jetico’s data discovery and classification capabilities, teams can quickly locate where personal data resides, identify duplicates, and ensure all required items are erased fully and consistently.
