Individuals have specific rights under the GDPR, one of which is the 'Right to be Forgotten' which is simple in theory, but perhaps more complicated in practice - how will this work?
For consumers, there is a paradox at the heart of the differences between the right to be forgotten and the right to erasure.
If, as a consumer, you ask a business for your details to be erased, then this is easy. The business erases everything, leaving no record of that person.
It means that in the future that business can renew its relationship with the consumer.
The right to be forgotten is more complex. It means the business retails a small amount of information - enough to recognise a specific person - and uses that to make sure a person is consistently forgotten (unless the consumer changes their mind).
Therefore, the right to be forgotten needs to be understood in terms of suppression. You keep a little information in order to properly forget.
In some cases it will be important to share that suppression file across your supply chain so every business along it also properly forgets that person. For this to happen the suppression file will need to be kept in a consistent and coherent manner.
In such cases it will be the responsibility of the Data Controller (usually this mean the brand) to take reasonable steps to tell the other parties in the supply chain. Part of this process will be to understand the technologies used throughout that supply chain and costs associated with making such requests.
With the GDPR on the horizon, it is important you and your business are ready for the upcoming changes in the law. The IDM offers a portfolio of GDPR training courses and qualifications with DMA guided and approved content, from overview to expert level.