Along with a number of other changes to the rules governing how sensitive data is stored, GDPR implementation in May of 2018 also brings one of the most talked-about clauses; ‘the right to be forgotten’.

Under article 17 of the EU GDPR (the General Data Protection Regulation), the Right to Erasure, also called the Right to Be Forgotten, means that any individual within the EU can ask a company or organisation to delete all personal data from that organisation. The purpose is for consumers to be able to maintain better control of their personal details, and to limit the amount of data stored passed its usefulness. It’s also set up to help protect individuals from having their private information processed unlawfully, either fraudulently or otherwise without their consent.

In many respects, this clause is good for businesses. Frequently, after the end of a transaction, PCI and PII information is simply stored somewhere in the company, often forgotten about, and contributes to the volume of data vulnerable to breaches and hacks. Just because an organisation is done with the data, doesn’t mean it won’t be considered valuable to hackers or data thieves. Knowing where all sensitive data ends up, is the first step to avoiding costly and brand damaging situations.

The Right to Erasure does have some limitations, and it’s important to know where these are. It is also important to note that article 17 does not mean a total erasure of all record, just of specific data types within an organisation. Where this can get a little tricky, however, is that if any of that data was shared with any third parties, then your organisation is required to inform each of those parties of the request.


Under article 17, there are two major distinctions. The most straightforward function and the one most companies will be concerned about, is an individual’s request requiring an organisation to search and remove their sensitive data. The second function is a slightly more complex issue, whereby information made public by entities other than the individual concerned, is not deleted from the primary source, but an effort is made to remove the result from the person’s name. In situations dealing with video content, or newspaper articles, for example, it would be difficult, if not impossible to remove all traces from a search engine, but steps could be taken to ensure that searching for a person’s names would not bring up the offending results. As ‘the right to be forgotten’ becomes a key phrase in the run up to GDPR, the impact on workflow is a key concern for many companies.

If the information in question directly relates to an ongoing transaction, is public knowledge,  is a part of legal proceedings, or could be reasonably argued to provide a public benefit (such as scientific, historical, or public health records) then your organisation might have reasonable grounds to refuse. Likewise, if the request in any way compromises freedom of expression, or freedom of information, then your organisation is not required to go through with the request

For most organisations, however, if an EU citizen submits a request for erasure, it will be a matter of finding their sensitive data and deleting it from wherever it has been stored in your network. This makes it imperative that every company begin by knowing exactly where this information is hiding. Under GDPR, it’s no longer enough to guess at sensitive data types and locations, or to push the difficulty of unseen data caches off, in favour of more pressing daily concerns; monitoring sensitive data has become crucial to business success.

For more information on GDPR, visit our GDPR Compliance Guide.

Want to keep up with all our blog posts? Subscribe to our newsletter!