Right to Be Forgotten – 3 Steps to Not Forget

21 Jan 2018 | Michael Waksman

Did you know that under GDPR your organization will be subject to the ‘Right to Be Forgotten’? 
And nope, this doesn’t mean that the regulator can forget about you.

On the contrary, when enforcement of the General Data Protection Regulation (GDPR) begins on May 25, 2018, any person located in the European Union (anyone residing in the EU, not just EU citizens) can request their personal information be removed from corporate databases in a timely fashion, or know the reason why it can't.

So, if your company handles any European personal data, whether you're inside or outside of the European Union, you are subject to the General Data Protection Regulation and to the ‘Right to Erasure’, also known as ‘Right to Be Forgotten’.


Right to Be Forgotten – When It Applies & When It Doesn’t

The new regulation means that companies are required to delete or ‘forget’ personal data related to an individual upon request. However, the right to erasure does not provide an absolute ‘Right to Be Forgotten’.

According to Article 17 of the GDPR, individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • The data is no longer necessary for its intended use. If the personal data was collected for one thing, but used for another, the data must be erased upon request.
  • Consent for the use of the data is withdrawn by the data subject. Another stipulation on this point is that the data must also have no other legal reasons for being processed.
  • The data was processed unlawfully; for example, data used without consent.
  • Certain lawful obligations for European Union Members and States require erasure.
  • Personal data of minors is only lawfully obtained and processed with the consent of that minor’s parents.

Organizations don’t always have to comply with an individual’s request for erasure. Remember that the 'Right to Be Forgotten' isn’t an absolute right. A company can refuse to comply with a request for erasure when the personal data is processed for the following reasons:

  • The exercise or defense of legal claims.
  • For public health reasons in the public interest.
  • Archiving purposes in the public interest, including statistical purposes, scientific research or historical research.
  • To exercise the right of freedom of expression and information.
  • To comply with a legal obligation for an exercise of official authority or performance of a public interest task.


3 Steps to Get Ready

To avoid forgetting about the ‘Right to Be Forgotten’, here are 3 steps that any organization can take:

  1. Organize your data
    It's your responsibility to know where your data is, even if you outsource data storage to a cloud provider. Map your data flows and build a clear picture of where the GDPR data is going and who it is going to. When the need arises, finding the information to erase will be much faster and easier.
  2. Set processes & policies
    It’s a fact: human error is the root cause of most data breaches. People can make mistakes, for example by storing information in the wrong place and putting data beyond the control of your IT department. To reduce risks, you must understand how your employees handle information, and set processes and associated policies.
  3. Get the right tools for the job
    Solutions are available to look up data and determine its location, whether on laptops, servers or cloud sites. Yet, to comply with the ‘Right to Be Forgotten’ you must rely on a powerful and trusted wiping solution to permanently delete data remanence, the small traces of information remaining even after standard deletion.


What’s Data Remanence & How to Say Goodbye Forever

Do you recall the movie ‘Eternal Sunshine of the Spotless Mind’? You can erase someone from your mind, but getting them out of your heart is another story. While your mind might forget, your heart will always remember.

Residual data, known as data remanence, works in a similar way. When ‘deleting’ a file, it appears to be gone from memory. However, the contents of the ‘deleted’ file continue to exist deeper inside the system.

To comply with the ‘Right to Be Forgotten’, data must be deleted completely.
Here are the capabilities to look for when selecting a data erasure tool:

  • Remove beyond forensic recovery techniques
    Files and remanence must be wiped from all hidden places including directory slack, file slack, NTFS logs, and MFTs. In case you get hacked, you wouldn’t want hackers to restore any previously ‘deleted’ files with a basic recovery tool.
  • Remotely wipe data
    What if the data you need to remove is on Donatello’s computer, and on Michelangelo’s computer, and on Leonardo’s computer? Manually wiping the data at each computer will take you an entire day. A remote wiping utility will ensure speed and peace of mind in just one click.
  • Create detailed wiping reports
    Reports must be delivered in certain instances. Not only are there requirements for data reporting in the GDPR, but reporting can greatly help during any audits.


Right to Be Forgotten – Comply with BCWipe

Jetico provides pure and simple wiping software for National Security, Compliance and Personal Privacy. Trusted for over 10 years by the U.S. Department of Defense, Jetico's BCWipe can wipe selected files beyond forensic recovery, delivering full GDPR compliance with confidence.

Enterprise Edition of BCWipe includes Jetico Central Manager for client software control. For auditing purposes, admins can also run and retrieve wiping reports.

Michael Waksman

Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.

At Jetico, Waksman has led the creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.

Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As a dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.
