Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure or 'right to be forgotten'.
Anonymisation ensures that the anonymised data can no longer be linked to an identifiable person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would then be able to explain that you no longer have personal data related to that subject on your database. That said, anonymisation is very hard to achieve perfectly and leaves some risk unless properly performed.
Of course, there may often be good grounds for keeping personal data for historical, statistical or research purposes. The Data Protection Act enabled personal data held for these purposes to be kept indefinitely as long as it was not used in connection with decisions affecting particular individuals, or in a way that is likely to cause damage or distress. GDPR continues this, as long as the data is deleted when there is no longer a lawful basis of retention. GDPR Article 17 deals with the data subject’s right to erasure, and specifically gives grounds as “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”.
However, it may be necessary to process the data in order to fulfil a legal obligation. The retention of an identifier or even pseudonymisation would help, as long as the algorithms are secure.
In respect of deletion, technical measures are relatively simple but depend on the platform, nature of processing, basis for processing and many other things.
Many systems operate with a "soft delete" function, which marks data as deleted without actually removing it, but this is not erasure.
It must also be appreciated that a person can have more than one interaction at the same time. For example, a person who works for Sky can be a customer as well as an employee. This would, therefore, require careful planning as opposed to a 'simple' deletion exercise, and similar complexities will undoubtedly occur for objections and SARs.