
Right to be Forgotten

Overview

Direct Answer

The right to be forgotten is a legal entitlement enabling individuals to request deletion or de-indexing of their personal data from an organisation's systems and public search results, subject to specified exemptions. Codified primarily in the General Data Protection Regulation (GDPR) Article 17, it grants data subjects the ability to have information erased when it is no longer necessary, consent is withdrawn, or processing is unlawful.

How It Works

Upon receiving a deletion request, organisations must verify the requestor's identity, assess whether exemptions apply (such as legal obligations, public interest, or freedom of expression) and, if the request is valid, delete or anonymise the personal data within statutory timeframes. The process typically involves identifying all systems and databases holding the data, removing or de-indexing records, and notifying third parties with whom the data was previously shared, unless doing so would be disproportionately difficult.

Why It Matters

Compliance is legally mandatory in GDPR-regulated jurisdictions and increasingly expected in other regions adopting similar legislation, creating significant operational and reputational risk for non-compliance. Organisations must balance deletion obligations against legitimate business interests, audit trails, and retention requirements, making efficient data governance and discovery critical for managing both legal liability and operational burden.

Common Applications

Social media platforms handle deletion requests to remove user profiles and associated content; financial institutions manage requests to erase customer records after account closure; healthcare providers delete patient histories when consent is revoked; e-commerce companies remove purchase histories; search engines de-index personal information from public indices.

Key Considerations

Technical challenges include the complexity of identifying and deleting data across distributed systems, encrypted backups, and third-party processors, which may render complete erasure impractical. Tensions arise between deletion rights and other legal obligations such as fraud prevention, tax compliance, and litigation holds, requiring organisations to implement nuanced policies rather than absolute deletion.
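A minimal request-handling flow covering the steps in How It Works and the exemption tensions noted above, as an added Python example (not code from the original page). The record schema, store names, third-party names and the seven-year retention period are constructed assumptions; a real deployment would back each step with the organisation's own identity checks, hold registers and data inventory.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical schema: per-store records for one data subject and the third
# parties each store has shared data with (constructed sample data).
def sample_records():
    return {
        "crm": {"subject": "user-4711", "name": "A. Example",
                "email": "a@example.test", "notes": "prefers phone"},
        "billing": {"subject": "user-4711", "name": "A. Example",
                    "invoice_total": 120.0, "invoiced_on": date(2024, 3, 1)},
    }

SHARED_WITH = {"crm": ["mailer-vendor"], "billing": ["accounting-firm"]}
# Fields that identify the person; stripped wherever a record must be retained.
IDENTIFYING = {"subject", "name", "email", "notes"}

@dataclass
class Outcome:
    deleted: list = field(default_factory=list)
    anonymised: list = field(default_factory=list)
    notify: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # actions only, no personal data

def process_erasure(subject_id, identity_verified, legal_hold,
                    retention_years, today, records, shared_with=SHARED_WITH):
    """Apply an Article 17 request: refuse where an exemption blocks it,
    anonymise records under statutory retention, delete the rest."""
    out = Outcome()
    if not identity_verified:          # step 1: never act on an unverified request
        out.audit.append("rejected: identity not verified")
        return out
    if legal_hold:                     # step 2: litigation hold overrides erasure
        out.audit.append("refused: litigation hold in force")
        return out
    for store, rec in list(records.items()):   # step 3: every store holding the data
        if rec.get("subject") != subject_id:
            continue
        invoiced = rec.get("invoiced_on")
        if invoiced and today < invoiced.replace(year=invoiced.year + retention_years):
            # Tax retention applies: keep the financial figures, drop identifiers.
            records[store] = {k: v for k, v in rec.items() if k not in IDENTIFYING}
            out.anonymised.append(store)
        else:
            del records[store]
            out.deleted.append(store)
        out.notify.extend(shared_with.get(store, []))   # step 4: downstream processors
        out.audit.append(f"{store}: {'anonymised' if store in out.anonymised else 'deleted'}")
    return out
```

The audit trail records only which store was touched and how, so the log itself does not become a new copy of the erased data.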
