GDPR Erasure: Client data is no longer a resource, it’s now a privilege

GDPR Erasure: Client data is no longer a resource, it’s now a privilege

Mark Dryden (pictured) is business development director at 360 Dotnet

The “Right to Erasure”, rather than being the opportunity to expose the works of Andy Bell and Vince Clarke in crowded public spaces, demonstrates the perception change of how all organisations should begin to treat client data.

Previously the concept of personal data would be couched in terms of “data the asset”, “data the potential” or “data the resource”, something that could be attributed a value or refined to extract such value. But with the General Data Protection Reform (GDPR) coming in May 2018 we need to reconsider the value of that data.

The right to erasure, the right to rectification and the right to data portability conceptually passes ownership from the organisation to the individual.

It’s a strange thing to get one’s head around but those attributes that make up personal data about ourselves, something we might have traditionally handed over without too much thought, now conveys a responsibility to the organisation who will retain it.

In the post GDPR world organisations almost have to embrace that it is a privilege to collect and process an individual’s data; a world where the individual understands how their data will be used and is comfortable within the confines and limitations of that processing.

But while rectification makes sense for both parties and portability recognises that individuals may want mobility it is the right to erasure that is the potential head scratcher.

Erasure, with its origins in search engine delisting, allows the individual to request the explicit removal of data on the assumption that the data held is no longer necessary, there is no continuing legitimate interest or consent is withdrawn.

As a tech and data-centric person this sends shivers down my spine.

Data is a precious commodity, not something to be discarded or at best scrambled to remove the identifiable elements.

Soft deleting (the method of hiding data within a system but having the ability to recover or undelete) is unlikely to be acceptable as this is still liable to be processed and / or held in some capacity.

Given the context of financial services and the liabilities placed on intermediaries the reality may likely be that organisations simply ignore such requests, falling back to the FCA’s default minimum retention periods for legitimate processing and even longer depending on any risks identified.

The right to erasure illustrates the data rights of the individual and the consideration that an organisation must give to collecting and storing personal data.

It also highlights there’s nuance required when dealing with GDPR requests.

If the organisation is storing some basic information about an individual, an erasure request might be quite appropriate and easily actionable – but if any advice / guidance has been provided or the interaction implies liability then the organisation or compliance function may fall back on legitimate interests to reconsider the request.

Put another way, we should consider the justification of collecting, processing and storing an individual’s data, but that must be tempered with the legitimate reasons for having that data at the time it was collected and into the future. “A little respect” if you will…