Part 2 - Key Impacts of the GDPR

The EU General Data Protection Regulation (GDPR) is now fully in effect. To support this, we’ve created a GDPR series of blogs and briefings outlining the Regulation, its key impacts and the steps required to meet your legal obligations.

The ‘Right to Be Forgotten’ and the ‘Right to Restriction’

One of the most significant aspects of the GDPR is the right to be forgotten. Individuals have the right to request the erasure of their personal data where there is no legal basis for retaining it. This applies not only to data your organisation holds but also to any data being processed on your behalf by third parties or data processors.

In addition, under the right to restriction, individuals can contest the accuracy of their personal data. While the dispute is being investigated, that data must be removed or restricted from processing.

It’s important to note that the right to be forgotten is not absolute. Employers and organisations may refuse erasure requests where the data is being processed for specific purposes, including:

  • Exercising freedom of expression and information
  • Compliance with a legal obligation or for tasks in the public interest
  • Public health purposes
  • Archiving, scientific or historical research, or statistical purposes
  • The establishment, exercise, or defence of legal claims

At the heart of the GDPR is the requirement that personal data may only be collected and processed under strict conditions and for legitimate purposes. The regulation also mandates:

  • Prompt notification of data breaches to both affected individuals and the relevant supervisory authority (e.g., the Data Protection Commissioner)
  • The erasure of personal data where consent has been withdrawn and no other legal basis applies
  • Action to inform any third parties processing that data on your behalf
  • Procedures to manage and document compliance with individual rights
  • Having robust policies and systems in place, in all businesses, to handle data erasure and restriction requests
  • Maintaining detailed records of processing activities
  • Embedding data protection principles into business processes (“privacy by design”)
  • Conducting Data Protection Impact Assessments (DPIAs) where processing is likely to result in high risks to individuals’ rights and freedoms. This includes profiling, large-scale processing of special category data, or large-scale monitoring of public places

Failing to comply with the GDPR can result in substantial financial penalties – up to €20 million or 4% of global annual turnover.

In addition to regulatory fines, individuals now have the right to claim non-material damages, such as emotional distress or reputational damage.
