There are less than 90 days until the European Union’s General Data Protection Regulation (GDPR), which governs the collection, use, storage and disclosure of any personal data of individuals in the EU, goes into effect. U.S.-based organizations that do business with the EU — or even have a web presence to market their products to customers in the EU — must make sure their current procedures for handling the personal data of individuals in the EU are in line with GDPR rules.
According to a recent survey by my company, Sage, a provider of cloud-based business tools, 84 percent of U.S. companies don’t understand what the GDPR means for their business and 91 percent currently lack awareness of the GDPR. Further, 74 percent of U.S. companies surveyed are not confident that, or don’t know whether, their organizations will be compliant with the new GDPR requirements by May 25 — the EU’s deadline for 100 percent compliance.
Those numbers are alarming, considering the penalties for organizations that don’t adhere to the new rules.
In addition to the risk of suffering damage to their reputations, organizations that fail to comply could face fines as high as 20 million euros (approximately $24 million) or 4 percent of annual global turnover (whichever amount ends up being higher). They also could face class-action lawsuits. Indeed, failure to comply with the GDPR could prove to be detrimental to the bottom lines of companies with EU business dealings, and smaller businesses could be hit especially hard.
Regardless of how far along they are with their GDPR preparations, when May 25 arrives, companies will be required to respect and accommodate the rights that individual employees and customers are granted under the GDPR, including the right to request erasure of their data.
What does that mean for businesses with EU ambitions?
Related Article: Mastering Customer Consent in Advance of the GDPR
The Right to Erasure, Explained
According to Article 17 of the GDPR, if an individual demands the “erasure of personal data concerning him or her,” a company will be obligated to erase that personal data “without undue delay.” However, the “right to erasure” (or the “right to be forgotten” as it is sometimes called) does not mean that a person has the absolute right to be forgotten. In fact, according to Article 17, the right to erasure only applies under the following conditions:
- The personal data is no longer necessary in relation to the purposes for which it was originally collected or otherwise processed.
- The data subject withdraws the consent on which the processing was based and there is no other legal ground for continuing the processing. (To learn more about legal grounds for processing see GDPR Article 6.)
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for the purposes of direct marketing. (To learn more about the right to object, see GDPR Article 21.)
- The personal data has been unlawfully processed.
- The personal data has to be erased for compliance with a legal obligation to which the company is subject.
However, while the GDPR is known for championing the rights of the individual, there are a few exceptions around the right to erasure that give businesses a bit of wiggle room. It’s important to note that companies do not have to comply with an individual’s right to be forgotten under the following conditions:
- The company is exercising its right of freedom of expression and information.
- The company is under a legal obligation to retain the personal data.
- The company needs the individual’s information to carry out a task that is in the public interest.
- The data is required in the interest of public health.
- The company is archiving the individual’s personal information for the public interest, for scientific or historical research, or for statistical purposes.
- The personal data is needed for the establishment, exercise or defense of legal claims.
Related Article: How Marketers Can Prepare for the GDPR
How to Address the Right to Erasure
Between the right to erasure and all the other requirements outlined in the GDPR, making sure enterprises are fully compliant is an intimidating task, one that falls on data-minded employees throughout an organization. So if yours is one of the 91 percent of businesses in the U.S. that currently lack awareness of the GDPR, it’s important to have a game plan.
A great starting point is conducting a thorough, companywide data audit. Further, it’s worth considering an audit from both legal and technological standpoints to cover all bases.
Companies need to determine what data they have, why they have it and what they use if for. It is crucial for enterprises to review their methods of collecting personal data and their data processing systems so they can be sure that they are in line with the GDPR’s requirements. It’s equally important to think about how outdated and irrelevant data will be disposed of, and how to safeguard the critical information that is still needed.
How will your company handle requests for erasure? For example, if a former employee asks what personal information your company still has about him and then requests that the company delete the information, you need to have a system in place for responding to that request.
In addition to drawing up a clear road map about how to respond to requests for erasure, make sure you educate all employees about the right to erasure, and about your plan for addressing such requests. At Sage, we have introduced a comprehensive GDPR training program to teach our employees the basics of data protection law, to help them understand the nature and importance of personal data.
I believe that the main goal of every company operating in the EU should be to swiftly — and thoroughly — teach employees how to recognize and respond to requests, and how to carry out the erasure of personal data. I see two reasons for that: Every company needs information to work, and the GDPR’s requirements will reinforce that the integrity of personal data is paramount.