
What Is GDPR Article 17 (Right to Erasure) and 4 Ways to Achieve Compliance


    GDPR Article 17, also known as the “Right to Erasure” or the “Right to be Forgotten,” is a section within the European Union’s General Data Protection Regulation (GDPR) that allows individuals to request the deletion of their personal data from an organization’s systems. This right is an integral part of GDPR, which aims to give individuals greater control over their personal data.

    The right to erasure empowers individuals to ensure that their personal data is no longer processed and, in some cases, dictates that the data should be completely removed from all records, including third-party data processors.

    Article 17 is not an absolute right but can be exercised under specific conditions. Examples of grounds that warrant erasure include situations where the data is no longer necessary for the purposes it was collected or if the individual withdraws consent and no other legitimate grounds exist to justify the data processing.

    For your reference, here is the opening text of GDPR Article 17:

    “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

    (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

    (d) the personal data have been unlawfully processed;

    (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

    (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”


    About this Explainer:

    This content is part of a series about GDPR compliance.


    Understanding the Right to Erasure (Right to be Forgotten) 

    Grounds for Erasure

    Individuals can request the erasure of personal data under several conditions. One significant ground is when data is no longer needed for the original purpose of collection. Over time, the relevance of specific data points diminishes, making their retention unnecessary and potentially risky from a privacy perspective. Another valid ground is if an individual withdraws consent on which the data processing is based, and no other legal grounds justify continued processing.

    Other conditions include scenarios where data has been unlawfully processed or if it must be deleted to comply with a legal obligation. Additionally, if an individual objects to the processing and there are no overriding legitimate grounds to continue, data controllers must honor the request for erasure. These criteria ensure that data processing remains purposeful and legally justified, protecting the individual’s privacy rights.

    Controller’s Responsibilities for Public Data

    Data controllers have specific responsibilities when personal data is publicly disclosed. Upon receiving an erasure request, controllers must not only delete the data from their own systems but also take reasonable steps to inform other controllers processing the data of the erasure request. This significantly broadens the scope of the right to erasure.

    However, this responsibility to extend erasure to third parties is balanced with a “reasonableness” test: Article 17(2) requires reasonable steps, including technical measures, taking account of available technology and the cost of implementation. Controllers need to weigh the feasibility and effort required to contact each third party. In practice, this often involves a case-by-case assessment to determine the extent of the measures taken.

    Exceptions to the Right to Erasure

    While the right to erasure is powerful, there are notable exceptions. Organizations are not required to delete data if it is needed to fulfill a legal obligation, such as complying with tax laws or regulatory requirements. 

    Additionally, the right does not apply if the data is necessary for public interest tasks or the exercise of official authority, ensuring that crucial societal functions are not disrupted. Another important exception is the defense of legal claims: data may be retained if it is necessary to establish, exercise, or defend a legal claim, for example while litigation is pending.

    Learn more:

    Read our detailed explainer about GDPR requirements.


    Best Practices to Ensure Compliance with GDPR Article 17 

    1. Understand and Document Data Processing Activities

    Organizations should prioritize understanding and documenting all data processing activities to ensure compliance with Article 17. This entails creating an exhaustive inventory of all collected data and identifying the reasons for its collection and the legal basis for its processing. A well-documented data map not only helps in managing erasure requests efficiently but also improves overall data governance.

    Effective documentation involves categorizing data based on sensitivity, retention periods, and associated risks. Regular audits should be conducted to update these records consistently. By implementing a systematic approach to record-keeping, organizations can quickly determine whether specific data needs to be erased, thus ensuring compliance with erasure requests in a timely manner.

    2. Implement Clear Data Erasure Policies

    Clear and well-defined data erasure policies are vital for compliance with Article 17. These policies must outline specific steps for processing erasure requests, including verifying the identity of the requester and determining the legitimacy of the request. Detailed guidelines ensure every request is handled promptly and correctly, avoiding errors or delays that could lead to non-compliance.

    Organizations should also set up standardized procedures for systematically training employees on data erasure protocols. This can involve regular workshops and e-learning modules to keep staff updated on the latest regulatory requirements and internal policies.

    3. Facilitate Easy and Transparent Erasure Requests

    Facilitating easy and transparent erasure requests is crucial for compliance. Organizations should offer straightforward and accessible methods for data subjects to submit their requests. This might include online forms, dedicated email addresses, or customer service hotlines specifically for handling data protection queries.

    Transparency in communicating the status of erasure requests is equally important. Continuous updates on the progress of their requests can foster trust and demonstrate an organization’s commitment to GDPR compliance. Clear communication prevents misunderstandings and ensures individuals are aware of what steps are being taken to address their requests.

    4. Monitor and Audit Compliance

    Organizations should conduct periodic reviews of their data protection policies and practices. This includes checking that erasure requests are handled within the stipulated time frames (under Article 12(3), without undue delay and in any event within one month of receipt, extendable by two further months for complex or numerous requests, provided the data subject is told why) and that all data subject rights are respected. Audits help identify any gaps or weaknesses in the process, allowing for timely corrective actions.

    Establishing key performance indicators (KPIs) related to data erasure can drive continuous improvement. Metrics such as the number of erasure requests received, the time taken to process them, and any incidents of non-compliance can provide valuable insights, which organizations can use to refine data handling procedures.
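    The grounds and exceptions described in the sections above, together with the four practices just listed, amount to a decision procedure that a data protection team ends up implementing in code. The script below is an added example written for this page; it is not code from the original article and not part of any Exabeam product. It models a small data inventory (practice 1), refuses to act on a request whose identity has not been verified (practice 2), applies the Article 17(3) exceptions the page discusses (statutory retention and legal claims) before honouring an Article 17(1) ground, checks that a consent withdrawal is only a valid ground where consent was actually the legal basis, fans the erasure out to the processors that hold copies, and computes the one-month response deadline from Article 12(3) for KPI tracking (practice 4). The system names, purposes, processor names and dates are constructed sample data; the two-month extension and the Article 17(2) notification of other controllers are not modelled.

```python
"""Erasure-request triage for GDPR Article 17 (added example, not Exabeam code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Ground(Enum):
    """Article 17(1) grounds, as quoted on this page."""
    NO_LONGER_NECESSARY = "17(1)(a)"
    CONSENT_WITHDRAWN = "17(1)(b)"
    OBJECTION = "17(1)(c)"
    UNLAWFUL = "17(1)(d)"
    LEGAL_OBLIGATION = "17(1)(e)"


@dataclass(frozen=True)
class Record:
    """One entry in the data inventory (best practice 1). All fields are constructed."""
    system: str
    purpose: str
    legal_basis: str                   # "consent", "contract", "legal_obligation", ...
    retention_until: date | None       # end of a statutory retention period, if any
    legal_hold: bool = False           # needed for a legal claim (Art. 17(3)(e))
    processors: tuple[str, ...] = ()   # third-party processors holding copies


@dataclass(frozen=True)
class ErasureRequest:
    subject_id: str
    ground: Ground
    received: date
    identity_verified: bool


@dataclass(frozen=True)
class Decision:
    system: str
    action: str   # "erase", "retain" or "defer" (erase once retention expires)
    reason: str


def response_deadline(received: date) -> date:
    """Article 12(3): respond within one month of receipt. The two-month
    extension for complex requests is deliberately not modelled here."""
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    day = min(received.day, calendar.monthrange(year, month)[1])  # clamp 31 Jan -> 28/29 Feb
    return date(year, month, day)


def decide(record: Record, ground: Ground, today: date) -> Decision:
    """Apply the Article 17(3) exceptions before honouring a 17(1) ground."""
    if record.legal_hold:
        return Decision(record.system, "retain", "Art. 17(3)(e): needed for a legal claim")
    if record.retention_until is not None and record.retention_until > today:
        return Decision(record.system, "defer",
                        f"Art. 17(3)(b): statutory retention until {record.retention_until}")
    if ground is Ground.CONSENT_WITHDRAWN and record.legal_basis != "consent":
        # 17(1)(b) only applies where consent was the basis and no other ground remains.
        return Decision(record.system, "retain",
                        f"Art. 17(1)(b) not met: processing rests on {record.legal_basis}")
    return Decision(record.system, "erase", f"Art. {ground.value}")


def triage(request: ErasureRequest, inventory: list[Record], today: date) -> dict:
    """Build the erasure plan: per-system decisions, processors to instruct,
    and the response deadline tracked as a KPI (best practices 2 and 4)."""
    if not request.identity_verified:
        raise PermissionError(f"identity of {request.subject_id} not verified")
    decisions = [decide(r, request.ground, today) for r in inventory]
    to_notify = sorted({p for r, d in zip(inventory, decisions)
                        if d.action == "erase" for p in r.processors})
    return {"subject_id": request.subject_id, "decisions": decisions,
            "notify_processors": to_notify,
            "deadline": response_deadline(request.received)}


# Constructed sample inventory for one data subject (hypothetical systems and vendors).
SAMPLE_INVENTORY = [
    Record("crm", "marketing newsletter", "consent", None, processors=("mailer-saas",)),
    Record("billing", "invoice archive", "legal_obligation", date(2031, 12, 31)),
    Record("support", "ticket history", "contract", None, legal_hold=True),
    Record("analytics", "product usage", "consent", None,
           processors=("metrics-vendor", "mailer-saas")),
]


def example_plan() -> dict:
    """Consent withdrawn on 31 Jan 2025; triaged on 3 Feb 2025."""
    req = ErasureRequest("subject-42", Ground.CONSENT_WITHDRAWN, date(2025, 1, 31), True)
    return triage(req, SAMPLE_INVENTORY, today=date(2025, 2, 3))


if __name__ == "__main__":
    plan = example_plan()
    for d in plan["decisions"]:
        print(f"{d.system:10} {d.action:7} {d.reason}")
    print("notify:", plan["notify_processors"], "deadline:", plan["deadline"])
```

    Running the sample erases the CRM and analytics records (both rest on consent), defers the billing archive until its retention period ends, retains the support history under legal hold, produces a de-duplicated list of processors to instruct, and sets the deadline to 28 February 2025 because the request arrived on 31 January. The deferred entries are the ones an audit (practice 4) should re-check when the retention date passes.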


    GDPR Compliance with Exabeam

    Exabeam helps organizations meet both the technological and operational requirements of GDPR including:

    • External Threat Reduction: Exabeam works alongside existing security solutions, using machine learning and behavioral analytics to identify unusual activity that may indicate an adversary’s attempt to find and access personal data. Exabeam threat timelines combine events from anomalies and correlation rules, grouped by user or device.
    • Internal Threat Reduction: Exabeam works alongside identity and access management solutions to detect security incidents resulting from the accidental or malicious abuse of allocated permissions. By flagging activity that falls outside the norm for a given user, Exabeam helps surface potential incidents that could lead to data theft. Recommended log sources, mapped to use cases and to the MITRE ATT&CK framework, show which tools in the security stack combine to give the clearest picture of events.
    • Visualization and Dashboards: Exabeam offers compliance-oriented GDPR dashboards that can be downloaded, exported, or emailed on a schedule in support of GDPR mandates and the needs of the data protection officer.

    Learn more:

    Read more about Exabeam Compliance.
