As a business owner, you may receive a request to erase data. The General Data Protection Regulation (GDPR) and Data Protection Act require your business to take reasonable steps when managing personal data. Any breach of their rules can result in a hefty fine (of up to £17.5m) from the Information Commissioner’s Office (ICO). Some businesses are starting to receive requests for data erasure from individuals (otherwise known as ‘the right to be forgotten’). This article will explore situations where your business may need to delete personal information in response to an erasure request. Knowing this should help your business stay on the right side of the ICO and avoid financial penalties.
What is Data Erasure?
Data erasure occurs when an organisation deletes some of the personal information it holds on a specific individual. The right to erasure only applies in limited circumstances, so your business must determine whether to grant requests. Outside of media (and social media) organisations, most companies will likely receive requests for erasure from staff or customers.
When Should My Company Grant a Request for Erasure?
The ICO has published online guidance setting out scenarios in which an organisation should consider deleting personal data. Some noteworthy examples include where:
- information is held further to an individual’s consent, and they later withdraw that consent;
- your business uses the personal information for direct marketing purposes, and the individual later objects to that data use;
- your business is under a legal obligation to do so (for example, the GDPR requires personal data deletion further to any evidence that the personal information is inaccurate or out-of-date);
- your company later judges itself to have handled the personal information unlawfully; or
- the personal data is no longer necessary for its original purpose.
Exemptions
However, there are some exemptions from personal data erasure. These include situations where your:
- business is processing an individual’s personal data to comply with a legal obligation;
- company needs to keep that information to bring or defend against a legal claim; and
- organisation wishes to store the information to assist freedom of expression and information.
If these exemptions apply, your organisation can deny the erasure request.
Example
Let us say that an employee left your company one month ago and has sent an email asking for the erasure of all their personal data. However, your organisation still needs to hold onto salary and payment details as part of its duty to HMRC and can refuse to delete salary-related information. Similarly, your company needs to keep a record of employment for record-keeping purposes and to respond to future reference requests.
Additionally, your company may have a professional indemnity policy which requires your business to retain employee records following their departure. Often, these apply to guard the business against Employment Tribunal or Personal Injury claims.
Reasons for Refusal
If no exemptions apply, there is still a chance that your company could safely deny an erasure request. This is the case if the request is:
- manifestly unfounded; or
- excessive.
Both phrases have different meanings, so let us explore them further below.
Manifestly Unfounded
The phrase manifestly unfounded primarily covers two types of situations. The first is where an individual has no real intention to exercise their right to erasure (for example, they request deletion of data but, in the same email, offer to drop the request in exchange for money). The second is where the request for erasure is a malicious attempt to harass an organisation, for example, by sending several weekly requests to hassle workers and cause business disruption.
Excessive
The word excessive describes a situation in which the individual sends multiple requests for erasure that overlap with previous requests or simply repeat previously denied requests.
If your organisation refuses a data erasure request, it should confirm this to the individual in writing within one month of the request. Your correspondence should confirm why it has declined the request and the individual’s ability to complain to the ICO.
Example
Let us say that an employee left your organisation two months ago because their favourite manager retired and they dislike the new manager. You are aware that the new manager made every effort with the individual but to no avail. The individual now sends an email every working day requesting the deletion of a different piece of data, with each email saying that the requests will stop if the company pays them £5,000.
Key Takeaways
Requests for data erasure are often unpopular with business owners. This is mainly due to their time-consuming nature and the inability to charge a fee (except in certain circumstances where the request is manifestly unfounded or excessive). In any event, your business should notify the individual whether the data erasure request is accepted or rejected within one month of the request.
If you need help deciding whether to approve or reject a data erasure request, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Because the ICO believes it is in the public interest for businesses in England to prioritise valid requests and avoid undue delay. They believe setting such a short timeframe means that organisations must consider the matter swiftly.
Your business is only permitted to spend more than one month considering a request if it is complex. The ICO sets a high bar when considering whether a request is complex enough to justify an extension of time. In any event, you must notify the individual of the extension of time within one month.