Under the new Regulation, all Data Subjects have the right to be forgotten under certain circumstances:
- Data collected previously that is no longer relevant (for instance data collected when the Data Subject was a child)
- Data collected unlawfully
- Where the Data Subject has withdrawn permission for their data to be used
The Data Controller must, wherever possible, ensure that all references to the data are erased. These include any public places (for instance, on the internet), any other people the data has been sold to, and any backups held by the company.
The second requirement, when the name has been published on the internet, may not be possible at all because of the increasing number of archive databases which now proliferate.
Perhaps the most worrying will be removing data from backups, since archived data is often not searchable and may be held on tape, which doesn’t lend itself to individual record deletion.
Whatever happens, the Data Controller must be able to show both the Data Subject and the Data Authority what steps have been taken to remove that data.
But this leads us to another problem…
Let’s say Subject A wants to be forgotten and as a company we comply with the steps required, but six months later we purchase a list from another company and Subject A’s name is on there. How do we ensure we don’t load him into files for prospect marketing?
We obviously can’t keep their name on an internal list for suppression – so what happens next?