The Right to be Forgotten (RTBF) derives from a well-known court case against Google in which a Spanish citizen requested that his personally identifiable information (PII) be removed from Google search results. The EU subsequently chose to formally codify the Right to be Forgotten in the General Data Protection Regulation (GDPR). On the first day of compliance in Spain in 2014, Google received 12,000 requests to remove PII from search results.
The Right to be Forgotten is the most onerous request to comply with under GDPR and CCPA because it requires bringing together three key elements:
In this blog we lay out the rights of consumers under RTBF, the obligations of the enterprise, the cases where an enterprise is not obligated to delete data, and the steps an enterprise goes through to execute an RTBF request.
Under the GDPR's RTBF provision, an enterprise must delete PII in the following scenarios:
Consumers have the right to ask enterprises to delete their data, provided the request meets the required criteria. Under both GDPR and CCPA, a consumer has the right to a response to a Right to be Forgotten request within 30 days, or under certain conditions 90 days. Within this period, the enterprise must delete the user's data from its systems and also contact third-party recipients to have them remove that data. If an enterprise does not delete the data, it must inform the user and give the reason it is not doing so.
Enterprises have many obligations under RTBF in both GDPR and CCPA. They are supposed to:
Although RTBF imposes many obligations on an enterprise, there are several conditions under which an enterprise is exempt from acting on an RTBF request. Even then, the enterprise must inform the user why no action was taken. Here are some of the most common exceptions:
Carrying out the obligatory steps under RTBF is fairly complicated even within a medium-sized enterprise. Enterprise data is continuously evolving and expanding, residing in applications, environments, documents, emails, chat rooms, in-house storage, and the cloud. Given this, the first and most critical step is Data Awareness: identifying PII, then classifying and contextualizing it. Ideally, this is done before a data subject ever submits a request for erasure. Here are the key steps an enterprise must take to fulfill an RTBF request.
Enterprises have many responsibilities under the Right to be Forgotten because RTBF goes much further than other GDPR and CCPA mandates such as the Right to Know, the Right to Opt-Out and the Right to Portability. A systematic approach built on Data Awareness, Data Analysis and Data Administration will make RTBF requests easier and less expensive to fulfill.