North America and the GDPR: Q&A

We recently ran a webinar to help North American organizations understand the EU General Data Protection Regulation (GDPR) and why they should comply with it. It ended with our presenter answering some of your questions, which we have brought together here for you.

That depends on the request and the situation. Individuals may make this request in writing or orally. Organizations have 30 days to respond, and must log when they received the request. However, the data subject cannot always exercise the right to be forgotten – only in very specific situations. If the organization has a legal requirement to hold onto the data, for instance, it may override the request. However, organizations must prove their legal requirement or right to retain personal data when responding.

  • How do we prove that we’ve forgotten the data?

That would be exceptionally difficult and likely take a lawsuit to absolutely prove. For example, if a data subject asked an organization to return all data, how would they know that the organization hasn’t left anything out? It is impossible to be certain, unless the data subject requests a discovery under Rule 27 of Federal Rules and Procedures, and the organization swears it has all been given back.

  • How can I minimize the amount of data I may be asked to delete?

It often depends on how the record is stored. Think about how much of the file you need to delete  – it’s probably not the whole file. And why do you have all this information, anyway? Why are you asking individuals for it? There may therefore be no real reason to hold onto that data if you do not need it, as it may be a waste of resources and money. Organizations must specify in their privacy notices how long they will keep the data for. Data should then be securely deleted upon reaching that point if it is no longer needed.

How to become GDPR compliant

To help your organization comply with the GDPR, register for IT Governance USA’s Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course. Learn from experts how to meet the requirements of the EU General Data Protection Regulation (GDPR) and gain a practical understanding of the tools and methods for implementing and managing an effective compliance framework.

If you missed this webinar don’t worry, we are holding a similar webinar for you soon.