December 22, 2022

A growing number of consumer privacy laws have provided individuals the ability to control the data that companies collect about them. While data privacy requirements vary from one regulation to the next, one of the common provisions, the right to be forgotten, allows consumers to request that their data be deleted. 

The right to be forgotten mandate adds another layer of complexity to enterprise data governance and compliance activities. In this guide, we discuss some typical data deletion requirements and what they mean for organizational compliance. 

What Is the Right to Be Forgotten?

As is the case with many consumer privacy mandates, the European Union’s General Data Protection Rule (GDPR) set the stage for the right to be forgotten, also known as the “right to erasure.” The concept itself predates GDPR and was reaffirmed as a legal right through prior legal cases, but GDPR established the model for privacy rights in the digital age. 

In Article 17, GDPR states that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” But, as the European Commission explains, “the right to be forgotten is much more complicated than an individual simply requesting that an organization erase their personal data.” That means entities must only comply if certain conditions apply (we will review these in the next section). 

Here are some examples of other privacy regulations that have adapted the concept from the GDPR: 

  • California Consumer Privacy Act (CCPA) —individuals can request that a business delete any personal information that it has collected from the consumer.  
  • Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados or LGPD) — includes the right to delete personal data processed with the consent of the data subject. 
  • Thailand’s Personal Data Protection Act (PDPA) — includes the right to have the data erased or destroyed. 

When Is the Right to Be Forgotten Applicable?

Each regulation has different requirements for when the right to be forgotten provision applies. To illustrate some of those differences, we’ll compare the GDPR to the CCPA. 

Right to Be Forgotten Under GDPR 

GDPR’s requirements for data erasure are very specific. Instances when the right to be forgotten applies include:

  • Personal data no longer necessary — the purpose for which the data was collected no longer exists or the necessary processing is complete. 
  • Withdrawn consent — the person who previously provided consent to process certain data has withdrawn it. 
  • Objection on personal grounds — an individual objects to having data processed on grounds related to a personal situation, and the collecting organization doesn’t have legitimate reasons to override those circumstances. 
  • Objection to marketing data — the collecting organization is processing the data for direct marketing purposes and the person objects to the processing. 
  • Legal ruling — there’s a legal obligation under another law, either by the EU or a member state. 
  • Child’s personal data — the data was collected for the purpose of providing what’s called information society services (e.g., e-commerce or cultural activities) directly to a child. 

Right to Deletion Under CCPA

CCPA’s provision is broader. It only states that businesses need to delete the personal information they collect from consumers, and direct their service providers to do the same. 

Both CCPA and GDPR — as well as other privacy laws — also have a variety of exceptions. In the case of CCPA, exceptions include reasons such as conducting research in the public interest and using the data to detect or resolve security issues. 

When Does an Organization’s Right to Process Data Override an Individual’s Right to Be Forgotten? 

GDPR’s Article 17 states that the right to be forgotten doesn’t apply when the data processing is necessary for specific purposes, even if the data subject objects to the processing. These exceptions may include: 

  • Freedom of expression and information — individual member states are responsible for national laws that reconcile what this exception means. 
  • Legal ruling or obligation — affects circumstances when the controller has no option because carrying out the data processing is required by law. 
  • Health care and public health — the right of erasure doesn’t apply in various circumstances related to health, including public health and preventative or occupational medicine. 
  • Public interest and research objectives — provides an exemption when the data is necessary for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” and deletion would halt such activities. 
  • Legal defense — this exemption allows organizations to refuse the request when the data is necessary for establishing or defending legal claims. 

Maintaining Compliance with Right to Be Forgotten Requests

Although the precise steps and mechanics for complying with each request will vary based on which privacy law applies, organizations need established processes for identifying and retrieving the personal information. One place to start is by creating a governance policy that covers aspects such as data inventory, classification, and labeling. 

To comply with right to be forgotten requests, organizations must also understand: 

  • What kind of personal information they collect and process 
  • Where their sensitive data resides (both structured and unstructured) 
  • Who should have access to the data and how 

Additionally, compliance steps should include a process for verifying the requester’s identity, establishing the validity of the request, and communicating the procedures to the requester. 

Secure Unstructured Data

A large portion of your organization’s data lives in unstructured files, and often these documents are stored in the cloud or file-sharing apps. This creates blind spots that put the organization at risk for noncompliance with data privacy laws. Consider tools that both give you visibility across your on-premise and cloud systems, and automate various steps and processes to streamline compliance and meet prescribed timelines.  

SailPoint’s File Access Manager allows the enterprise to quickly control access to sensitive data, providing complete visibility into what kind of data the organization has, where it resides, who can access it, and more. Learn how SailPoint can help your organization extend governance controls to data stored in files. 

Take control of your cloud platform.

Learn more about SailPoint Identity Security.

Schedule a Demo