How To Perform a GDPR "Right To Be Forgotten" Request

We've all seen the rate at which companies have collected and utilized customer data skyrocket in the past decade, yet legal measures to protect consumer data and privacy have only recently become a focal point. Introduced in 2016, the General Data Protection Regulation in the EU is one of the most comprehensive and widely enacted pieces of legislature that addresses the management, transfer, and use of personal data with the aim to give consumers more control over their own information. In the four years since its adoption (and two years since its formal enforcement), lots of questions still remain.

Everyone knows about it, but there's still so much confusion regarding its practical application in business operations. Today, we're tackling a topic that we've been asked frequently by our customers: What's the best way to "delete" a data record in accordance with GDPR?

GDPR and its implications for marketers is a beast in and of itself that deserves its own blog post for another day (or its own eBook!). For now, we wanted to call out a specific provision in the regulation that we feel is particularly important for marketers: Article 17, the right to erasure, or the "right to be forgotten". What this means is that an individual has the right to ask that their personal data be completely erased or deleted from an organization without "undue delay" (which is generally understood as within 30 days). For more information on the circumstances in which the right to erasure applies, you can check out this article on GDPR.eu.

So, does deletion = unsubscribe?

For marketers, unsubscribing from a mailing list is no foreign concept, but keep in mind that executing the "right to be forgotten" is not the same as simply clicking that "opt out" checkbox on a prospect or customer. Unsubscribing from an email or direct mail list prevents the individual from receiving future mailings, but all other data about the individual, including name, contact information, stored cookies, etc. is kept intact. From a tools and tech perspective, unsubscribing is generally easy to handle because it only involves one system: your email automation tool. A request pursuant to Article 17 is an all-encompassing erasure, which means it's little more complicated to execute because personal data is typically stored in a multitude of systems.

We've outlined our best practices for executing a right to erasure request in this blog below and have even included a helpful template you can download at the end of this post.

Steps to executing a deletion request

Step 1. Take inventory of all systems that hold the data subject's personal data

As we recommend with any data-related task or project, it's always easier to manage and understand what's going on when you have all of the pieces in front of you. You need to be able to see the whole picture, which means outlining all of the systems that are involved in holding the data subject's information. If you work for a large organization that uses many different tools, this step will certainly take some time and may require looping in different departments to understand the technology landscape — but it's absolutely critical.

Step 2. Capture the relevant identifier in each system

As you're taking inventory of the relevant systems, it's also important to make sure you have the right identifier for the data subject for each of those systems. This ID is the system's internal way of identifying who's who in the database, and is most commonly a randomly-generated string of numbers and letters. You'll typically need this ID to delete the data subject's record in its entirety.

Step 3. Define one central system to execute the deletion

Often regarded as a marketer's "holy grail" of creating a single source of truth, customer data platforms also have found themselves central to conversations around legal compliance and GDPR. And for good reason — CDPs are designed to store and house all data around customers, and furthermore, many of them have operational capabilities that can aid in data management tasks like deleting records. Our customers use Hull as this central system because it keeps a record of the deletion process across all other systems and will store the personal data until it is erased from all other systems. To prevent automatic recreation of records, we recommend the central system leveraging a GDPR compliant endpoint or a suppression endpoint, rather than executing a plain "delete".

Step 4. Use the central system to delete the data records in all other systems, then delete the data records in the central system

From an ops perspective, having an audit trail to keep a record of the deletion process is a good practice. This also allows you to track the average time it takes to execute a deletion request for reporting or to set expectations in the future. Keep in mind that you might not be able to automate the proper deletion in all systems right away. It is totally acceptable to have a semi-automated process at the beginning in order to comply with fulfilling the request without "undue delay".

Step 5. Notify the data subject that the erasure has been completed

Make sure you communicate with the data subject via email that their record has been removed.

Reasons for re-collecting data on an individual

Now that we've touched on how to properly fulfill a right to erasure request, it's important to address that the individual's data can be collected again if they give verbal or electronic consent to the organization. A few circumstances that may constitute electronic consent include:

  • Individual subscribes to a newsletter
  • Individual clicks 'Accept Cookies' on website
  • Individual purchases something on the organization's e-commerce site

What's important for the organization to understand here is that re-collecting data from an individual after they have requested to be "forgotten" means that the organization must start from a blank slate with that individual — as if the data they collected prior to fulfilling the deletion request did not exist.

Most of our customers use Hull's customer data platform for use cases unrelated to legal compliance, but some have found that the data unification feature of Hull lends itself to being an asset in situations like GDPR compliance. Because CDPs already store and host your customer data, your organization no longer needs to go on a wild goose chase to find all the different places your customer data may be living. CDPs like Hull can serve as the "control center" from where the deletion tasks take place, keeping an audit trail for future reference.

Ready to get started? Click here to access our data audit template.

Did you learn something new?

We at Hull research how to "join the dots" between your tools, teams and data. Subscribe to follow along with more articles like this, and learn the latest trends, tactics, and techniques.

Sven Maschek

Sven Maschek is a Solutions Architect at Hull. Prior to joining Hull, Sven worked in the financial industry for 10 years, gaining experience in financial planning, modeling and forecasting. As a seasoned solutions architect, he is passionate about advancing data models and using the latest technology to offer customers new ways to drive value with their data. In addition to his engineering work, he is involved in developing a customer-centric culture and is a strong advocate for building better user experiences. Outside the office, Sven enjoys competing in obstacle course racing, loves mountain biking and participating in environmental protection projects.