Editor’s Note: This is the first of a two-part series on the Right to be Forgotten, also known as the Right to Erasure. Part two will focus on how marketers can solve GDPR complexities, and forestall issues by establishing a consent-based relationship with the customer.
Marketers tend to think of the right to be forgotten primarily in the context of the General Data Privacy Regulation (GDPR), the sweeping data privacy regulation that dictates how organizations that operate in the European Union (EU) or with customers in the EU process, hold, and treat personal data. The concept of the right to be forgotten, however, had little to do with marketing in its initial development.
The case of Google Spain v. AEPD & Mario Costeja Gonzalez helped codify what “the right to be forgotten” entails. In 2010, Gonzalez – a Spaniard – filed a claim before the Spanish Authority for Personal Data Protection (AEPD) arguing that Google violated his privacy by including, in a search for his name, a link to an old newspaper article indicating his home was being repossessed to pay off debts. AEPD agreed, and Google lost an appeal to the Court of Justice of the European Union (CJEU), which ruled for Gonzalez in 2013, deciding that data subjects have a legitimate interest to deny the disclosure of personal data.
By establishing a legal precedent for the right to be forgotten for data subjects, the decision reverberated for data controllers internationally. This right was institutionalized in Article 17 of GDPR, which refers to it as the right to erasure. The scope extends beyond search, codifying that data subjects “shall have the right to obtain from the controller the erasure of personal data … without undue delay”.
The regulation and others like it, such as the California Consumer Privacy Act (CCPA), have significant implications for marketers, who must balance the many facets of compliance with the need to deliver a personalized customer experience.
The complexity of compliance is compounded by the ongoing evolution of GDPR. Because it is relatively new (it took effect in May 2018), organizations are still coming to terms with what it means from a legal standpoint. They also struggle with compliance on a global scale, needing to handle, for example, what the right to erasure means for customers in different jurisdictions, or how to satisfy potential conflicts between different regulations.
The GDPR Balancing Act
Much of the complexity, though, relates to the sheer number of steps marketers and their organizations must take to ensure compliance, which explains why many organizations are now hiring data privacy officers or GDPR compliance officers to handle the Article 17 nuances. These steps include:
- Recording a request for erasure by a consumer (“data subject”)
- Confirming the request for erasure comes from the data subject
- Informing the data subject whether the organization will honor the request and, if not, why
- Deciding what information needs to be erased and how to erase it (archived, without a trace, etc.)
- Removing the information
- Notifying internal systems
- Notifying external partners
- Recording each of the erasure steps taken
If this sounds complex, it is. Marketers must comply with the right to erasure, while essentially having to “remember” (via documentation) that they “forgot” a consumer. Business processes must be put in place to strike the fine line between the requirements and the circumstances that dictate those requirements. The right to be forgotten, in other words, is not an absolute right, and Article 17 stipulates where an organization’s right to possess someone’s data overrides the right to erasure. Reasons include:
- The data is being used to exercise the right of freedom of expression
- The data is being used to comply with a legal ruling
- Data is used to perform a task carried out in the public interest, or it represents important information that serves the public interest where erasure would impair progress toward the public interest (scientific or historical research, etc.)
- Data is used for the establishment of a legal defense
Organizations must have procedures in place to determine how to balance what may at times seem to be competing interests. They must be vigilant in documenting how they handle each instance of a request for erasure, how they recognize the legitimacy of the request, and how they implement the request. In addition, a strategy that is in place for an erasure request must above all be adaptable based on the changing interpretations of GDPR that are still working their way through the court systems and regulatory bureaucracies, both domestically and internationally.
What GDPR Means for a Brand Marketer: Stay Tuned
Creating a personalized customer experience is a top priority for brand marketers. According to a Walker study, customer experience will overtake both price and product as the key brand differentiator as early as next year. To deliver on the expectation for personalization, marketers must know everything there is to know about a customer – likes, preferences, buying patterns, and transaction history included. With Article 17 of GDPR, marketers must also factor in each customer’s right to erasure history. And, like the sometimes-competing interests of the regulation itself, a right to erasure request can conflict with the effort to deliver a hyper-personalized customer experience.
An upcoming blog will focus on how marketers can address these potential conflicts and forestall future issues while still ensuring GDPR compliance.