Your UK business no doubt handles personal information daily. This personal data will belong to staff, customers, suppliers or third parties (all known as data subjects). Regardless of the individual’s identity, the General Data Protection Regulation (GDPR) requires your organisation to handle personal data safely and proportionately. This article will explore situations where your business may be expected to delete personal data.
What is the General Data Protection Regulation?
The GDPR is an essential piece of UK law and sets out the main data protection rules for UK organisations. The primary purpose of the GDPR is to ensure UK businesses obtain, store and responsibly handle personal information.
Unbeknownst to some business owners, responsible handling of personal information can include its deletion. This can surprise some businesses as, for many, secure data handling focuses solely on safe storage. However, as we will see below, it may be harmful not to delete personal information in certain circumstances.
Why Should I Be Aware of the ICO?
Businesses should prioritise GDPR compliance due to the enforcement powers of the Information Commissioner’s Office (ICO).
When is it Safe to Delete Personal Information?
The starting point for UK businesses is whether the relevant personal data remains ‘necessary in relation to the purpose for which it was collected or processed’. This is particularly relevant when considering deleting personal information absent a specific request from the relevant individual.
So, if the information is out of date or inaccurate, you should delete or replace it. Naturally, you may not always know whether your information is incorrect. However, if your business suspects that personal data is outdated, it can take the following steps:
- reach out to the individual to check whether personal data remains accurate; and
- if the individual confirms it is inaccurate, ask them to provide relevant replacement information.
The other question is whether the information remains ‘relevant’ or not. This is because irrelevant personal data will be deemed unnecessary concerning its initial purpose under GDPR rules. As such, it is your responsibility to delete this information.
For example, if your business sent a card to a former employee five years ago during a period in which they were trying to move house, that information is now irrelevant. This is because:
- it may no longer be their address; and
- they are no longer an employee.
Deleting Out-of-Date or Irrelevant Personal Information
The easiest way to ensure you remove unnecessary data is to perform regular data audits. Ideally, you should complete this at least annually.
A data protection audit usually includes reviewing personal information regarding its relevance and accuracy. Some audit methods involve setting a score for each piece of information. Following this, you delete any information scoring below a certain threshold.
The essential rule is to ensure that every decision to delete information is made by a human rather than automatically by a computer system (which, in some circumstances, may be unlawful). Accordingly, your business may use a computer AI program to rate personal information for relevance and then have an individual decide on potential deletion using those scores.
Notably, the GDPR is keen to ensure that humans, who can account for mitigating circumstances, make important decisions regarding data management, not machines.
What Should My Company Do When Individuals Make Deletion Requests?
The GDPR allows individuals to formally request data deletion. This is also known as a ‘request for erasure’. Your business is legally obligated to consider a deletion request and take reasonable steps to address its contents.
Suppose the request comes from an ongoing customer who receives regular postal deliveries (and will continue to do so under a continuous subscription). In that case, a request for data deletion will not cover their current postal address and contact details. However, it can cover records of previous postal addresses, telephone numbers or email addresses not used in recent years.
Naturally, a formal request for deletion carries more weight, so a company should, without delay, send written reasons for any decision not to delete the individual’s data. Your company can ask for additional information if you need clarification on what the individual wants to achieve with their data deletion request.
Key Takeaways
Deleting personal information is an important topic, given that it can cover all kinds of data, from a person’s name and contact details to their health condition or employment history. Deciding whether to delete or retain personal data can be a grey area, and because of this, many business owners obtain expert legal advice when making these decisions. Naturally, it is crucial to ensure a lawful basis for any deletion and to be aware of the specific circumstances in which you can avoid deletion.
If you need help ensuring the safe deletion of personal information, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The usual reasons for wishing to delete personal information are concerns about the organisation’s security or a personal decision not to use that business again. However, technically, the reason for the request is likely to have little relevance in the eyes of the ICO.
The Brexit process will not necessarily involve all EU-derived laws being scrapped. In fact, the UK Government has confirmed that it has no plans to drop the GDPR.