In the sixth of a series of posts on the General Data Protection Regulation (GDPR), which comes into force from May 25th, 2018, I’m looking at what GDPR has to say about the right to be forgotten (RTBF) and data portability.
Here’s what you need to know:
What is RTBF?
RTBF stands for the right to be forgotten, as enshrined in law by a 2014 case that said Google – upon a person’s request – must remove links to webpages that appear when searching for that person’s name. GDPR is now widening this right, meaning that you must erase personal data “without undue delay” if the data is no longer needed, if the data subject objects to the processing, or if the processing was unlawful.
What is data portability?
In a nutshell, this area of GDPR means you must, on request, send a person the data you have collected on them through automatic means – e.g. names, contact details and preferences you hold for marketing purposes. GDPR also requires this to be in an easily readable format, and you may even be required to send all information to a competitor, if requested by the data subject.
Actioning these rights must be made easy
GDPR seeks to put power and accessibility in the hands of the consumer, so you must be responsive to user requests concerning their data. To facilitate this, you must provide “modalities” that people can use to exercise their rights, such as user interfaces and customer support services.
GDPR does, however, acknowledge the risk of fraudulent requests, stating that further information can be requested if there are “reasonable doubts” over identity. You may also refuse to act on a request if you are “not in a position to identify the data subject.”
• You must honour the right to be forgotten on request
• You must provide all data you hold on a person on request
• You must make it easy for people to action these rights