Small businesses & the GDPR Right to Erasure
Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information.
How small businesses can implement the GDPR Right to Erasure
Your customers now have the right to erasure, also known as the right to be forgotten. This means they can ask you to remove all personal data you store about them. The request can be made by any means (in writing, by email or verbally), and you need to be able to carry it out within one month of receiving it.
Individuals have the right to have their personal data erased if:
- you are relying on consent as your lawful basis for using their data, and the individual withdraws that consent;
- the personal data is no longer necessary for the purpose for which you originally collected or processed it;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing.
You should always verify the identity of the person making the request before proceeding - typically by having them state the full name, address, postcode and perhaps other details held in the customer record before you delete it.
There is no provision within the GDPR to charge a fee for this action, presumably because it can only be carried out once per customer, so is less open to abuse, such as repeated requests.
The GDPR specifies two circumstances where you need to tell other organisations (third parties) about the erasure of a customer's data:
- the personal data has been disclosed to others; or
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
For example: if a customer consented to share their information with a third party for marketing purposes when they signed up for your service, but later emails you to withdraw that consent, you must contact the third parties you shared that data with and inform them that the mutual customer has exercised their right to erasure.
What you need to do
Delete their customer record in your various systems or, where this is not possible, overwrite their record by typing "right to erasure exercised" over every field. If you passed customer data to third parties, such as payment providers or couriers, you need to check their data retention policies. If there is any chance the third party is holding a copy of that customer's personal data, you need to contact the party in question and inform them that the mutual customer has exercised their right to erasure.
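The steps above (verify identity, delete or overwrite every field, work out who else must be told, and act within a month) as an added worked example; this is not code from the original article. The customer records, disclosure list, retention set and the one-calendar-month deadline calculation are all constructed assumptions for illustration.

```python
import calendar
from datetime import date

# Marker the article suggests typing over every field when a record cannot be deleted outright.
ERASED = "right to erasure exercised"
# Details the requester must state before anything is erased (name, address, postcode).
VERIFY_FIELDS = ("full_name", "address", "postcode")

# Constructed sample data (hypothetical): customer records, which third parties each record
# was disclosed to, and which records must be retained (e.g. referenced by an invoice).
customers = {
    "C-1001": {"full_name": "Jane Example", "address": "1 Sample Street",
               "postcode": "AB1 2CD", "email": "jane@example.invalid"},
    "C-1002": {"full_name": "Sam Example", "address": "2 Sample Road",
               "postcode": "EF3 4GH", "email": "sam@example.invalid"},
}
disclosures = {"C-1001": ["payment provider", "courier"], "C-1002": []}
must_retain = {"C-1001"}


def one_month_after(d):
    """Same day next month; clamps to the month end when that day does not exist."""
    y, m = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def verify_identity(record, claimed):
    """Every verification field must match, ignoring case and surplus whitespace."""
    norm = lambda s: " ".join(str(s).split()).casefold()
    return all(norm(record.get(f, "")) == norm(claimed.get(f, "")) for f in VERIFY_FIELDS)


def process_erasure(customer_id, claimed, received_on_iso):
    """Handle one request; returns what was done, who must be notified and the deadline."""
    deadline = one_month_after(date.fromisoformat(received_on_iso)).isoformat()
    record = customers.get(customer_id)
    # Same answer for "no such record" and "details do not match", so the request
    # itself cannot be used to find out whether someone is a customer.
    if record is None or not verify_identity(record, claimed):
        return {"outcome": "identity not verified", "notify": [], "deadline": deadline}
    if customer_id in must_retain:
        for key in record:          # record cannot be removed: overwrite every field instead
            record[key] = ERASED
        outcome = "overwritten"
    else:
        del customers[customer_id]
        outcome = "deleted"
    # Every third party the data was disclosed to must be told the right was exercised.
    notify = disclosures.pop(customer_id, [])
    return {"outcome": outcome, "notify": notify, "deadline": deadline}
```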
Ideally
If you can justify the time and cost, you could create a web form that lets people leave their details and pick which of their GDPR rights they want to exercise. It should then email all of that information to you to act on. You can see an example here.
Of course, if you have a system that your customers can log into, just make sure there is a button to request account deletion. Your Privacy Policy could then reflect this, potentially saving you the time lost in manually dealing with Right to Erasure requests.
Further details about the Right to Erasure can be found on the ICO website here.