How do I Respond to a Right to be Forgotten Request?

Overview

This article is intended to be used as a guide to how to respond to a Right of Erasure / Right to be Forgotten Request.

These guidance materials should not be taken as a substitute for legal advice, but we hope they will provide a useful point of reference.

What is a Right to be Forgotten Request?

The Right to be Forgotten (also called the "Right to Erasure") is a user right included in most data privacy legislation (Article 17 in GDPR). It allows a data subject (a person) to request that all of the personal information you hold on them is permanently erased. Such a request may be combined with a Right of Access Request.

Step 1 - Ensure you have a designated person(s) to process Right to be Forgotten Requests

It’s best to ensure that all Right to be Forgotten Requests are dealt with only by a nominated person (or persons) in your organisation. This helps prevent inadvertent data loss caused by employees responding personally and inappropriately to a Right to be Forgotten request.

The Right to be Forgotten in Invenias uses a separate, dedicated User Permission. Because this ability is potentially destructive, it's best to ensure that only Users who genuinely require it are granted this permission.

Step 2 - Confirm the identity of the Data Subject Submitting the Request

To avoid potential data loss, the identity of the data subject who raised the request must be confirmed before proceeding with the request. The existence of this right may lead malicious individuals to impersonate a data subject and submit a request on their behalf. We would advise taking sensible measures to confirm the identity of the person submitting the request.

Step 3 - Validate the Request is Lawful

Once you are confident that you have confirmed the identity of the data subject, and that you are dealing with a genuine request from a data subject whose data you hold and process, the next step is to validate that you are able to comply with the request. The legislation in your jurisdiction will likely list acceptable reasons for complying with a Right to Be Forgotten Request, together with any exceptions. You may need to take legal advice to ensure that you are able to process the request.

Step 4 - Process the Request in Invenias

Search for, locate and open the Person Record for the data subject making the request, then open the Data Privacy settings by clicking the Shield icon in the Record Header.

Click Right to be Forgotten.

Permission Required: Please note that Right to be Forgotten requires the User Permission "Delete a Person using the Right To be Forgotten".

You will be prompted twice to confirm that you wish to proceed. After checking the confirmation boxes and confirming, the record will be closed and deleted.

The information contained in the Record will be removed from your database.

Minimal unique identifiers will be added to a non-visible deletion table for the purposes of future de-duplication, to avoid re-population of any records which were previously deleted under the Right to be Forgotten.

Invenias plan on updating the de-duplication process when creating new Records at a future point, at which time these unique identifiers will be referenced to prevent a user from re-populating the database. 
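One way a deletion table of this kind can be built so that it holds no personal data itself, shown here as an added illustration and not as Invenias's own implementation: each identifier is canonicalised and stored only as a keyed hash, so the table can answer "was this person erased before?" without retaining their email address or phone number. The pepper, the identifier kinds and the sample person below are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed secret for the example; in practice it comes from a secret store
# and is never stored alongside the table, so a leaked table cannot be
# reversed by hashing guessed email addresses.
PEPPER = b"example-pepper-not-for-production"


def normalise(kind, value):
    """Canonicalise an identifier so trivial formatting differences still match."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        return re.sub(r"\D", "", value)  # keep digits only
    return value.strip()


def fingerprint(kind, value, pepper=PEPPER):
    """Keyed hash of one identifier; the table stores this, never the value."""
    canon = f"{kind}:{normalise(kind, value)}".encode()
    return hmac.new(pepper, canon, hashlib.sha256).hexdigest()


def record_erasure(deletion_table, identifiers, pepper=PEPPER):
    """Add fingerprints of an erased person's identifiers; returns how many were added."""
    added = 0
    for kind, value in identifiers:
        if value and value.strip():  # skip empty identifiers
            deletion_table.add(fingerprint(kind, value, pepper))
            added += 1
    return added


def was_erased(deletion_table, identifiers, pepper=PEPPER):
    """Return the identifier kinds of a new record that match a previously erased person."""
    return [kind for kind, value in identifiers
            if value and fingerprint(kind, value, pepper) in deletion_table]


if __name__ == "__main__":
    table = set()
    # Constructed sample person, not real data
    erased = [("email", "Jane.Doe@Example.com"), ("phone", "+44 20 7946 0000")]
    record_erasure(table, erased)
    # A later attempt to re-create the same person with different formatting
    candidate = [("email", "jane.doe@example.com"), ("phone", "+44 20-7946-0000")]
    print(was_erased(table, candidate))  # ['email', 'phone']
```

A match at record creation is a signal to stop and review, not proof of identity on its own; the table is only as private as the pepper that keys it.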

In addition to the information stored in Invenias, where possible you should also take steps to check for data held in other systems you use, e.g. SharePoint or Office 365 email.

Step 5 - Confirm with the Data subject that their Request has been Completed

Many of our customers maintain a simple record of requests and their response to each (completed, rejected, date, etc.) in a document saved to their Data Privacy Record. This provides a means of demonstrating your compliance with these requests. You may therefore wish to keep a very basic record of each RTBF request in an Excel spreadsheet saved to the central Data Privacy record. Capture the date the request was received, the date the identity was confirmed, and the date the request was completed, along with any supporting notes, to provide an audit log for compliance with this aspect of the legislation.