Control measure: Processes for handling requests for erasure of personal information are in place and outlined in policies.
Risk: If processes for handling requests are not documented clearly, agreed processes may not be followed, requests may be handled inefficiently, or statutory requirements may not be met. This may breach UK GDPR articles 5(2), 12, and 17.
Ways to meet our expectations:
- Document how to handle requests in sufficient detail in policies, including who oversees the request process and how.
- Document how to determine if there is a compelling reason to continue processing information, as part of the request.
- Have a process to inform third parties about any request for erasure, if you delete personal information that you have shared with them.
- Give these policies appropriate document and version control.
- Communicate these policies to staff who deal with requests and make policies readily available for them to refer to.
- Keep policies up to date, particularly with any changes to data protection law.
Options to consider:
- Include specific processes for erasure requests in your policy about how to handle individual rights.
- Use reliable indexes, file content pages, and descriptions of documents, to help locate paper records quickly.
- Use appropriate search functionality and metadata to help locate electronic records quickly.