What you need to know about the right to be forgotten
So, you’ve heard that the EU General Data Protection Regulation has introduced something called the “right to be forgotten”. But what does this mean? Do you have to delete your existing suppression files? How does the right to be forgotten affect your business?
How does the right to be forgotten work in principle?
The right to be forgotten is also known as Data Erasure. It entitles the data subject (you as a person) to have the data controller erase the personal data on file, stop further dissemination of the data, and have third parties stop processing of the data. The data controller must also take reasonable steps to inform all parties in the supply chain who are processing the subject’s personal data about the erasure.
But, unsubscribing or opting out from marketing communications is different from the right to be forgotten. In the case of an individual no longer wanting to receive direct marketing communications, an organisation should keep their personal data information as long as necessary in an ‘unsubscribe’ file. This way, you make sure all parties in the supply chain are aware this person no longer wishes to be contacted.
The right to be forgotten does not mean that you have to delete your existing suppression files. It is still important that you do not contact the people that have asked you not to get in touch. However, it is a separate requirement. Therefore, even if a customer has exercised the right to be forgotten, organisations will still be able to retain customer information to contact them about safety or product recall concerns.
For more answers on GDPR questions, read the common questions answered in the back of our “What the EU GDPR Changes Mean For You” whitepaper.
If you’re looking for further advice, why not check out our GDPR checklist to make sure you’re compliant post May 2018?