[blat001]

Thank you! This post starts to show some of the huge complexities that GDPR has for business and their understanding of what the terms of the law mean.

A point is that often statements of a law are defined not by the language but by the ruling of lawsuits that occur around those statements and that is what most companies and lawyers are waiting for, what do courts rule when these lawsuits happen.

The biggest issue that I have heard of (Im no expert) is what does the right to be forgotten actually mean ? Does that mean all your backups are now illegal as you are retaining the customers information after they asked you to remove their records?

I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.

[mikekchar]

I think the parent's reply is a good one. We could probably debate some of the finer points, but I think when we get some time to see how it all shakes out in the end we'll have a better vantage point.

But to answer your question about the right to erasure, here is the law: https://gdpr-info.eu/art-17-gdpr/

I can't find it right now (and I have to get back to work), but there is a reasonableness requirement for requests. So things like backups might be covered by that. I wish there was some direction on that because it's a problem for me at work as well.

My opinion is that the directive's view is that all personal data retention should be temporary. There should be a defined point where the personal data is deleted. Either that's when it's no longer necessary for the contract, or when you no longer have a legitimate interest in it, or when the user asks for the removal.

Up to this point, most of us have been building databases with the intent of retaining the information indefinitely. So we never thought about this. Although I'm a fan of this law, I admit that it's going to be troublesome transitioning from where we were to where we need to go.

And as the parent briefly stated, immutable databases are going to be a serious problem.

[henrikschroder]

I think the UK agency had some text on erasure and backups, and it basically boiled down to this:

If a data subject requests their data to be erased, you should remove their data from active systems so that it is no longer being processed, but you don't have to remove it from backups or other passive systems. You should however store some sort of marker so that if you need to restore data from backups, the data subject's data will be re-erased or otherwise stopped from entering active systems again.

And if a data subject asks, you have to tell them how long you store your backups of their personal data.

I think that's perfectly reasonable. And if your backup retention policy is "forever", now might be a good time to re-evaluate that policy.

[Silhouette]

Neither the UK nor the EU previously had any general provision for a right to erasure. At EU level, considerable waves were made when the "right to be forgotten" ruling was issued, but that came from a court that was considering a specific case.

[Silhouette]

I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.

That concern really is unfounded, though. The primary means of enforcement of the GDPR will be action by national data protection regulators. It isn't some carte blanche for trigger-happy lawyers to start suing every business that gets a little detail wrong or anything like that.

The general concern that the picture is unclear until something happens to clarify it is, unfortunately, much better founded.