Businesses should not comply automatically with data deletion requests: the GDPR right to erasure does not apply where other legislation obliges a business to retain the information, and such retention duties are common.
Stephen Watkins, IT and InfoSec expert at financial compliance consultancy fscom, has urged companies to assess whether an individual's request to 'be forgotten' conflicts with the company's own legal duties, especially where potential fraud or human resources matters are involved.
“When does empowering individuals to be ‘masters of their own personal data destiny’ encroach on a payment service provider’s legal responsibility to prevent fraud, safeguard its venture and limit criminal activity?” he asked.
“And like the phrase ‘if at first you don’t succeed, try, try again’, an individual could ask for data to be erased, and start again, if an outcome was not to their liking.”
He explained a potential ‘onboarding’ scenario where a fraudster applying for a payment account is declined during the identification and verification procedure.
“The declined individual then asks for their application record to be deleted, as is their right under GDPR,” said Watkins.
“If this request is complied with, the fraudster could submit another application, changing key details to secure success.
“It is reasonable for you to not only maintain a database of declined applications, but to decline a deletion request.
“Clearly, you should only retain the bare minimum information and be able to justify why you can keep it and decline such requests. Unsuccessful applications can be kept legally for five years after submission.”
In another scenario, a client may have laundered money through a business, then closed their account and asked the business to delete their records.
“In the case of occasional transactions or, where the business relationship has come to an end, the Money Laundering Regulations 2017 stipulate that customer records must be held for a minimum of five years, with transactional data held no more than ten,” said Watkins.
“When responding, you should explain why you are unable to meet this request.”
There are also potential problems when it comes to human resources. For example, after a firm has run a successful recruitment drive, an unsuccessful applicant might ask for their records to be deleted under GDPR.
“A troublemaker may intend to complain against unfair recruitment practice after their record is deleted. Should you comply?” asked Watkins.
“Like every other request, ‘partially’ is the answer. If a request for deletion was granted, any individual involved in the recruitment process could be unprotected against such a complaint.
“Industry best practice is to not delete unsuccessful applicants’ relevant data for the required timescale, even when asked.”
Employees leaving an organisation could likewise ask for their staff records to be erased.
“A complaint may have been made against them and they therefore decided to leave in the hope that their erased data will ensure a new employer will be unaware of their disciplinary,” said Watkins.
“You should only comply with their wishes and delete any personal data that you have no legitimate reason to retain.
“Employee records must be retained for six years after they have left. This provides you with evidence against a legal claim for constructive dismissal or unfair dismissal which can be made against you for up to six years after the end of the contract under the Statute of Limitations Act 1980.”