GDPR: The Right to Be Forgotten Explained

By Sam Thomas | 13th July 2017 | 14 min read

The UK is shortly to undergo the biggest change to its Data Protection laws in over twenty years. The introduction of the Global Data Protection Regulation 2018, brings with it new requirements for data controllers as well as aggressive fines for non-compliance.

One key aspect of the GDPR that has been causing a stir for a number of years, is the right to be forgotten.

The rise of the right to be forgotten isn’t exactly brand new,  sixteen years ago, a Spaniard named Mario Costeja Gonzalez had hit financial difficulties. To help solve his problems, a property he owned was put up for auction - the details of which were published online.

However, still years later when Mario’s name was searched online, one key event kept haunting him. As a result, he argued that it damaged his reputation, and should be removed from Google's search results. Subsequently, in 2014 Mario took his case to the European Union's Court of Justice after he failed to secure the deletion from Google.

The Luxembourg-based Court of Justice agreed with him, and in doing so set a major precedent over what is referred to as the "right to be forgotten". Ironically Costeja González was contending with 36 words of Spanish, after his success in court, 840 articles worldwide were written in reference to his case.

Since then, the right to be forgotten has become one of the main focal points in the development of the GDPR. So we have taken a look at the right to be forgotten in order to figure out the key principles.

According to the ICO, an individual has the right to request the deletion or removal of personal data when there is no compelling reason for its continued processing. The right to erasure doesn’t provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in following circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation

What’s Next for Your Business?

Whether this is the first you’ve heard of the GDPR or you’ve already started planning, it’s important to know where you stand and how well-placed your business is before May 2018.

To help with this, the legislation experts at IRIS are offering complimentary GDPR Health Checks to all businesses and GP practices looking to gain an understanding of how they will be affected, and what they can do to prepare.

The GDPR Health Checks are carried out over the phone at a time that suits you, book your free Health Check using the button below, simply enter your details and preferred callback time and we’ll be in touch to start your GDPR journey.