Forget me! How to handle people’s right to be forgotten

Anyone has the right to be forgotten. And we as companies must meet that request. But finding all that data about someone, is easier said than done. Imagine if you could automate it. Well, you can. Here’s how.

Imagine your old colleague, Sally, calling you. She wants your company to delete everything you have about her. All information about her, across all systems.

Social security number, address, health records, images etc. Everything scattered across emails, forgotten files and folders, payroll systems and HR platforms.

And it’s within her rights to do so

With the General Data Protection Regulation (GDPR), EU citizens, like Sally, can request a company to forget everything about them.

But many companies have discovered that complying with this right is challenging.

How do you find and delete all of Sally’s data?

Here we explain “The right to be forgotten” and how you meet such a request without having to spend hours going through endless documents

What is the Right to be Forgotten?

The Right to be Forgotten (Article 17), is one of the key elements of the General Data Protection Regulation.

It is a human right that applies to all European citizens. It allows people to request their personal data be deleted from any database or directory.

Article 17 GDPR:

Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or
her without undue delay and the controller shall have the obligation to erase personal data without undue delay (..)

General Data Protection Regulation article 17

This means that any European individual, also known as “data subject”, can have their personal identifiable information (PII) removed from an organization’s systems under certain circumstances.

This can be all kinds of personal information such as:

  • Name
  • Address
  • Phone number
  • Social security numbers
  • Health records
  • Criminal records
  • Photographs and images
  • And any other type of personal data

Here’s an example:

Think back to that morning when you couldn’t get into the office due to illness. It is likely you sent your manager an email saying something along the lines of “Dear Manager, I will not come in today as I have tested positive for Covid-19”.

Now, the information about your positive Covid test is now linked with your name and email address.

Such information is considered personal identifiable information and subject to the GDPR. It is information like this that a person (the data subject) can request to be deleted.

If you receive a request for this data (access) or a request to delete it (erasure/forgotten), your obligation is then to find this data and delete it.

However, you’re not always required to meet the request to be forgotten if the data falls under “certain circumstances”

When does the “Right to be Forgotten” apply?

The “Right to be forgotten” only applies:

  • When the data is no longer necessary to fulfill the purpose for which it was originally collected or processed.
  • When the data subject withdraws consent for the collection or processing of personal data.
  • When the data subject raises a legitimate objection about how the personal data is collected or processed.
  • When the data is determined to have been collected or processed unlawfully.
  • When the data is subject to GDPR article 8 (rules about personal data pertaining to children).

As you can probably imagine, responding and complying with the “Right to be Forgotten” can introduce a lot of overheads for organizations.

Just manually finding all relevant personal data can be an incredibly time-consuming, chaotic and costly task.

But what happens when you receive a Data Subject Request to be forgotten?

“I have received a Data Subject Request” – now what?

“I have received a Data Subject Request”
– now what?

This is a scenario many organizations fear, despite having well-written policies in place.

You may have spent the first couple of years with the GDPR formalizing processes, procedures, and developing documentation in case of being audited by local Data Protection Authorities.

But an increasing number of GDPR professionals are now realizing that the procedures that were seemingly well thought out two years ago, don’t necessarily work in practice today.

Here’s how a Data Subject Request usually looks from start to finish.

The Process of right to be forgotten DSR
The process of a Data Subject Request for the right to be forgotten

The process of a DSR - right to be forgotten

Your organization receives a Data Subject Request, often via email.

Once the request has been received, you must first verify the identity of the person requesting the data (the data subject). This is to make sure that the data subject is legitimate and that it is not the data subjects’ friend from high school exercising the “Right to be Forgotten” on behalf of the data subject.

After validating the request comes the heavy lifting; the process of finding, collecting and evaluating all the personal data pertaining to the requestee.

And this is where the pain of relying on manual processes really becomes evident. In practice, what happens is you coordinate with all relevant departments to look through old files, emails, presentations, contracts etc. and do the following:

  • Identify if the file/e-mail contains personal data about the data subject
  • Evaluate if the file/email should be deleted completely, if the data subject should be redacted, or no action should be taken
  • Take note in an Excel sheet for tracking and documentation purposes

But let me stop you right there. Just imagine the amount of work this requires!

Think about doing all that by hand. Manually! Going through hundreds (if not thousands) of files and folders, emails and photos to find – and classify – every bit of personal information.

If the sound of this makes you sweat, fear not. There is a much simpler way.

How to comply with the Right to be forgotten without all the manual work! Automation!

Gone are the days of going through files and folders manually.

Goodbye hard manual work, hello automation.

Yes, the good news is that automation can help you a lot when responding to a Data Subject Request. Better news is that Data Subject Request by Cookie Information can automate upwards of 80% of your DSR work, making your life infinitely easier.

Automate your Data Subject Requests and never look for data manually again.

Consider our example from earlier and ask yourself “wouldn’t I rather have a computer do all the heavy lifting for me?”

If your answer is yes, you’re in luck.

With Data Subject Request by Cookie Information, you can streamline and automate the entire DSR process from start to finish.

You can respond successfully to a request to be forgotten.

Simply embed the customizable form on your website and receive all DSRs in one central place.

When a data subject submits a DSR, the relevant people in your organization are automatically notified, so you never miss a deadline again.

And even better, you get to completely ditch the manual work associated with finding and collecting personal information related to the data subject.

In just a few clicks, the platform does all the identification and collection automatically for you. This helps reduce critical pain points and most importantly, it allows you to just lean back and be rest assured you comply with any given DSR without undue delay.

Sign up and put your DSRs on autopilot in minutes.

Data Subject Request

Respond to a Data Subject Request within the required 1-month period without going through thousands of files and folders yourself. Automate your DSR processes.  


The best Consent Management Platform for businesses and brands

250,000 websites already trust us with their GDPR compliance

Do your cookies comply with GDPR?

We can find out in minutes.