Article 17 deals with one of the most important aspects of EU and UK GDPR law: a data subject's 'right to be forgotten', also written as the 'right to erasure'.
Article 17 lists several grounds on which a data subject may ask to be forgotten, along with an organisation's obligation to inform other controllers that may also be processing the subject's data for their own purposes.
Article 17 – Right to erasure (‘right to be forgotten’)
Data subjects do not have a blanket right to have their data erased. A request must rely on one of the legal grounds listed below:
If an organisation has made personal data public, for any reason, it should take 'reasonable steps' to inform any other controllers, including its own employees, and any third parties that the data subject has requested erasure of that data.
In this section we talk about GDPR Articles 17(3)(a), 17(3)(b), 17(3)(c), 17(3)(d) and 17(3)(e).
To form a documented legal basis for processing PII in the first instance, organisations should:
Organisations should also consider any ‘special categories’ of PII that relate to a data classification scheme (see ISO 27701 Clause 7.2.8).
In this section we talk about GDPR Articles 17(1)(a), 17(1)(b), 17(1)(c), 17(1)(d), 17(1)(e), 17(1)(f) and 17(2).
Laws vary from region to region, but jurisdictions often provide individuals with the right to raise an objection relating to how their data is being collected, processed and shared.
In accordance with this, organisations should:
Organisations need to ensure that customers are given the appropriate means for the organisation to fulfil its obligations as a PII controller, across three key operational areas:
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Articles 17(3)(a) to 17(3)(e) | ISO 27701 7.2.2 | ISO 27701 7.2.8 |
| EU GDPR Articles 17(1)(a) to 17(2) | ISO 27701 7.3.5 | None |
| EU GDPR Article 17(2) | ISO 27701 8.3.1 | None |
GDPR is generally regarded as the toughest privacy and security regulation in the world, with breaches resulting in significant fines. It can be ambiguous and open to interpretation: it requires organisations to provide a 'reasonable' level of protection for personal data without defining precisely what that means.
But here's the good news. ISMS.online makes it easy for you to jump straight into your journey to GDPR compliance and to demonstrate a level of protection that goes beyond 'reasonable', all in one secure, always-on location.
The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced. You will also benefit from a range of powerful time-saving features.