Right to Be Forgotten – 3 Steps to Not Forget
21 Jan 2018 | Michael Waksman
Did you know that under GDPR your organization will be subject to the ‘Right to Be Forgotten’?
And nope, this doesn’t mean that the regulator can forget about you.
On the contrary, when enforcement of the General Data Protection Regulation (GDPR) begins on May 25, 2018, any person located in the European Union – anyone residing in the EU, not just EU citizens – can request their personal information be removed from corporate databases in a timely fashion, or know the reason why it can't.
So, if your company handles any European personal data, whether you're inside or outside of the European Union, you are subject to the General Data Protection Regulation and to the ‘Right to Erasure’, also known as ‘Right to Be Forgotten’.
Right to Be Forgotten – When It Applies & When It Doesn’t
The new regulation means that companies are required to delete or ‘forget’ personal data related to an individual upon request. However, the right to erasure does not provide an absolute ‘Right to Be Forgotten’.
According to Article 17 of the GDPR, individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- The data is no longer necessary for its intended use. If the personal data was collected for one thing, but used for another, the data must be erased upon request.
- Consent for the use of the data is withdrawn by the data subject. Another stipulation on this point is that the data must also have no other legal reasons for being processed.
- The data was processed unlawfully; for example, data used without consent.
- Certain lawful obligations for European Union Members and States require erasure.
- Personal data of minors is only lawfully obtained and processed with the consent of that minor’s parents.
Organizations don’t always have to comply with an individual’s request for erasure. Remember that the 'Right to Be Forgotten' isn’t an absolute right. A company can refuse to comply with a request for erasure when the personal data is processed for the following reasons:
- The exercise or defense of legal claims.
- For public health reasons in the public interest.
- Archiving purposes in the public interest, including statistical purposes, scientific research or historical research.
- To exercise the right of freedom of expression and information.
- To comply with a legal obligation for an exercise of official authority or performance of a public interest task.
3 Steps to Get Ready
To avoid forgetting about the ‘Right to Be Forgotten’, here are 3 steps that any organization can take:
- Organize your data
It's your responsibility to know where your data is, even if you outsource data storage to a cloud provider. Map your data flows and build a clear picture of where the GDPR data is going and who it is going to. When the need arises, finding the information to erase will be much faster and easier.
- Set processes & policies
It’s a fact: human error is the root cause of most data breaches. People can make mistakes, for example by storing the information in the wrong place and putting data beyond the control of your IT department. To reduce risks, you must understand how your employees handle information, and set processes and associated policies.
- Get the right tools for the job
Solutions are available to search for data and determine its location – whether on laptops, servers or cloud sites. Yet, to comply with the ‘Right to Be Forgotten’ you must rely on a powerful and trusted wiping solution to permanently delete data remanence, the small traces of information remaining even after standard deletion.
What’s Data Remanence & How to Say Goodbye Forever
Do you recall the movie ‘Eternal Sunshine of the Spotless Mind’? You can erase someone from your mind, but getting them out of your heart is another story. While your mind might forget, your heart will always remember.
Residual data, known as Data Remanence, works in a similar way. When ‘deleting’ a file, it appears to be gone from memory. However, the contents of the ‘deleted’ file continue to exist deeper inside the system.
To comply with the ‘Right to Be Forgotten’, data must be deleted completely.
Here are the capabilities to look for when selecting a data erasure tool:
- Remove beyond forensic recovery techniques
Files and remanence must be wiped from all hidden places including directory slack, file slack, NTFS logs, and MFTs. In case you get hacked, you wouldn’t want hackers to restore any previously ‘deleted’ files with a basic recovery tool.
- Remotely wipe data
What if the data you need to remove is on Donatello’s computer, and on Michelangelo’s computer, and on Leonardo’s computer? Manually wiping the data at each computer will take you an entire day. A remote wiping utility will ensure speed and peace of mind in just one click.
- Create detailed wiping reports
Reports must be delivered in certain instances. Not only are there requirements for data reporting in the GDPR, but reporting can greatly help during any audits.
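To make the remanence and file-slack points above concrete, here is an added example (not from the original article and not Jetico's software): a toy in-memory volume, with constructed names and data, in which a standard delete leaves a record readable in unallocated clusters and in another file's slack until those areas are overwritten.

```python
# Toy model (not NTFS); ToyVolume and the sample record are constructed.
CLUSTER = 16

class ToyVolume:
    def __init__(self, clusters=8):
        self.raw = bytearray(CLUSTER * clusters)  # what a disk-level reader sees
        self.table = {}                           # name -> (first cluster, count, length)
        self.used = [False] * clusters

    def write(self, name, data):
        count = max(1, -(-len(data) // CLUSTER))  # whole clusters are allocated
        first = next(i for i in range(len(self.used) - count + 1)
                     if not any(self.used[i:i + count]))
        self.used[first:first + count] = [True] * count
        self.raw[first * CLUSTER:first * CLUSTER + len(data)] = data  # tail not cleared
        self.table[name] = (first, count, len(data))

    def delete(self, name):
        """Standard deletion: drop the table entry, leave the bytes in place."""
        first, count, _ = self.table.pop(name)
        self.used[first:first + count] = [False] * count

    def wipe(self, name):
        """Erasure: overwrite every allocated cluster, slack included, then delete."""
        first, count, _ = self.table[name]
        self.raw[first * CLUSTER:(first + count) * CLUSTER] = bytes(count * CLUSTER)
        self.delete(name)

    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        first, count, length = self.table[name]
        return bytes(self.raw[first * CLUSTER + length:(first + count) * CLUSTER])

    def wipe_free_space(self):
        """Clear unallocated clusters and the slack of live files."""
        for i, used in enumerate(self.used):
            if not used:
                self.raw[i * CLUSTER:(i + 1) * CLUSTER] = bytes(CLUSTER)
        for first, count, length in self.table.values():
            lo, hi = first * CLUSTER + length, (first + count) * CLUSTER
            self.raw[lo:hi] = bytes(hi - lo)

def demo():
    vol, record = ToyVolume(), b"name=Jane Example;email=jane@example.test"
    vol.write("customer.rec", record)
    vol.delete("customer.rec")                    # file is no longer listed
    vol.write("note.txt", b"hello")               # reuses cluster 0
    before = (b"jane@example.test" in vol.raw, vol.slack("note.txt"))
    vol.wipe_free_space()
    return before, b"jane@example.test" in vol.raw, vol.slack("note.txt")
```
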
Right to Be Forgotten – Comply with BCWipe
Jetico provides pure and simple wiping software for National Security, Compliance and Personal Privacy. Trusted for over 10 years by the U.S. Department of Defense, Jetico's BCWipe can wipe selected files beyond forensic recovery, delivering full GDPR compliance with confidence.
Enterprise Edition of BCWipe includes Jetico Central Manager for client software control. For auditing purposes, admins can also run and retrieve wiping reports.
Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.
At Jetico, Waksman has led the creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.
Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As a dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.