What is the right to be forgotten and how does it work under the GDPR?
The GDPR will come into effect later this month on the 25th of May and will change the way we perform email marketing and data handling. The GDPR will mean that the types of data that organisations can store will revolve substantially around consent. This will place much more power into the hands of the individual and will give them much more control over which organisations store what data, and how it is used.
Organisations face different rules depending on if they are looking to store B2B customer data or B2C. For B2B marketing, an individual’s data can be processed by a company as long as it can be proved that the company is doing so due to legitimate interest.
What’s going to change?
Firstly, it is important to remember that the right to be forgotten has been around in several forms for a while now. If an individual wanted to see what personal information of theirs an organisation was storing, they could raise a ‘subject access request‘. A subject access request would consist of a form to be filled in by the individual and then handed to the organisation. The organisation would then reply, often requesting a fee from the individual. All that will change in this process is that the individual will be able to get hold of the information easier.
So if we take charity organisations as an example, as they conduct B2C marketing. Typically, when a consumer makes a donation they will have likely gave filled out a form which contains a tick box encouraging them to ‘tick here if you don’t wish to receive marketing from us’; this process is called ‘opting-out’. When GDPR comes into effect, this process will be abolished. Consent to store and process data must be opted-in to and the consumer must be aware of what their data is being stored for. Furthermore, such consent doesn’t last forever and will need to be regularly re-confirmed by the consumer. Using this example, once the GDPR has been rolled out the consumer will see any number of tick boxes which ask for specific consent such as ‘can we email you about our future fundraising campaigns?’.
What is the ‘right to be forgotten’?
Under the GDPR, individuals will be able to remove their consent at any time they wish. Individuals can do this usually by contacting the organisation or unsubscribing from email communications, which is the process currently. The procedure for this will vary depending on the organisation, but the result means that the user won’t receive any more correspondence, but their details are kept on file. However, the right to be forgotten will add an extra element to this. The right to be forgotten will now mean that an individual has the right to ask to be completely removed from an organisation’s database.
Are there any drawbacks?
In theory, invoking your right to be forgotten sounds like an act of freedom for the consumer as they can rest easy knowing that their inbox is not going to be bombarded with spam, but also that their personal information is safe. On the other hand, the right to be forgotten can actually do more harm than good to the consumer, and it is important to remember this.
Going back to our charity example, if you have asked to the charity to remove every trace of your data from their database it means that they won’t know who you are, they won’t have access to records of previous correspondence, and they won’t know that you don’t want to be contacted. With this example, there is no stopping a future employee from prospecting to you in the future. So whereas on the one hand right to be forgotten gives an individual more control over how their data will be used, it also doesn’t guarantee lifelong peace and quiet.
What can you do?
The right to be forgotten can apply to any consumer, B2C or B2B. Any individual can request any organisation to delete them from their database at any time and the effect will be the same. With this, there is not much an organisation can do if their members, subscribers or potential leads ask to be forgotten; legally they have to comply with their request to be erased. However, it is important to let individuals know the effects of taking such action. Ensure that your correspondents have quick and easy access to information they will want to receive and a way of choosing and unsubscribing that is just as quick and easy. With new measures about to come in, it will be very important to stay in contact with individuals so that you can ensure they are still happy with the service and correspondence that you are giving them, as well as what data you are storing of theirs.
From where we are standing, it may seem that the GDPR has quite a few conflicting rules, from the unclear lines between legitimate interest to consent, to regularly having to keep in touch with your audience to ensure that they are still happy with all the information that they are receiving – which means you may, in fact, be contacting them more than ever.
One thing is for certain though; the GDPR will open up much more of an ongoing dialogue between data owners and data processors. So as long as you remember to communicate with your audience you shouldn’t have an issue.
If you need more information about the GDPR, or if you have are concerns that your organisation is not compliant, then contact us today.