How to comply with the Right to Erasure of personal data?

The growing use and storage of data at companies has led to a series of associated rights and obligations. The Right to Erasure is among these, guaranteeing greater control for citizens over their data within the structure of a database of any organisation.

What is the Right to Erasure, and how can information systems comply efficiently with the Data Protection Law? We share all the key aspects.

What is the Right to Erasure? 

It is the right to prevent the dissemination of personal information through the Internet when its publication does not meet the requirements of adequacy and relevance provided for in the regulations.

How does it affect companies in production applications?

The Right to Erasure directly affects companies, which are required to guarantee compliance with this obligation, and which may be fined for non-compliance. 

It is therefore vital to achieve what is known as data governance; that is, to be aware of the data possessed and to apply the necessary blocking and deletion in accordance with the law.

Nevertheless, this has entailed an important step for many companies. In 2019, the majority of companies surveyed claimed to be in “reasonable compliance” with GDPR obligations. The outlook has moved on today, but data governance remains a challenge for many companies.

But what exactly are the obligations of companies to comply with the Right to Erasure?

In essence, companies must: 

  • Monitor when the reason for retaining a person’s data ceases (whether a former client, former employee or former supplier, etc.). The conditions vary depending on the type of data and the reasons for which the data was stored in the first place. Additionally, the operation is complicated, taking into account that the identification criteria of individuals may vary over time, and that the information may be held in more than one database.
  • Start the blocking period. This period is generated to guarantee access to the data only in exceptional cases (for example, to respond to claims or administrative proceedings). Nevertheless, the privacy of data for any other use must be guaranteed.
  • After the blocking period, the data must be deleted definitively.

icaria GDPR - how does it help companies?

The automation of the operations described above is essential for companies to ensure compliance with the Right to Erasure.

This is where icaria GDPR comes in: the solution from icaria Technology for blocking and deleting personal data in production environments.

Thanks to this platform, companies can access data governance more effectively, covering the whole process in data structures. 

Being compatible with the more popular databases, icaria GDPR allows:

  • Correct identification of the persons to which the rule applies. To do so, it maps the location of sensitive data, which can be applied to different platforms.
  • Efficient management of the blocking period, for which it creates external repositories.
  • Keeping pace with innovations (ability to manage more types of data, new applications, etc.).

Cancellation and blocking of data

icaria GDPR facilitates the management of the blocking period and the final deletion of structured data through the following features:

  • A powerful search engine and identifier which applies even in scattered databases or those which use varied technologies.
  • Identification may be carried out internally or externally and automatically or manually, depending on different usage scenarios.
  • Two blocking possibilities which adapt to different scenarios. Firstly, data masking maintains the information in the database, but makes the data unidentifiable. Additionally, the physical deletion of data is managed when this is the most appropriate option.
  • Possibility of secure access to personal data during the blocking period. Because the data is stored in an external repository, it is possible to respond to legal or administrative requirements. The repository, being independent from the original applications, guarantees that this secure access will be possible even when the original applications or their database structures evolve or disappear. Afterwards, deletion is also managed in this repository when necessary.

Ultimately, the aim is to manage the life cycle of each seed, or structure of information, for each person, facilitating the extraction, storage, dissociation, restoration and deletion of the data when applicable.

Right to Erasure and Right to be Forgotten

The Right to Erasure and the Right to be Forgotten, despite being closely related, are two different concepts. 

Firstly, we have defined the Right to Erasure as the right to a person’s data being deleted and cancelled, and in general applies to the databases of companies and other organisations.

Secondly, the Right to be Forgotten is one of the key manifestations of this Right to Erasure: it is the right of citizens to have their personal data made untraceable on the internet, and therefore mainly applies to search engines (such as Google).

This Right to be Forgotten applies to information which is now obsolete or which is of no public relevance or interest. Thus, search engines are obliged to remove this data from their pages of results when it is linked to the name of a person.

Right to Erasure in management applications

Companies' management applications compile and store personal data which, like other data, may be subject to the Right to Erasure. 

Email addresses, telephone numbers, age, DNI identity numbers, bank data, etc. are just some of the data which may be stored in this context.

Their management, blocking and subsequent deletion entail another of the obligations that companies must fulfil to be aligned with the legislation. Again, automation through tools such as icaria GDPR facilitates this task.

Do you want to know more about the Right to Erasure of data on information systems and how to apply it at your company? Request a demo of icaria GDPR and discover what this platform can do to help your business comply with the law on data protection.