Overview
Direct Answer
The right to be forgotten (formally the right to erasure) is a legal entitlement enabling individuals to request deletion, or de-indexing from public search results, of their personal data held by an organisation, subject to specified exemptions. It is codified primarily in Article 17 of the General Data Protection Regulation (GDPR), which obliges a controller to erase personal data without undue delay when it is no longer necessary for the purpose it was collected for, when consent is withdrawn and no other legal basis applies, when the data subject objects, or when the processing is unlawful. Where the controller has made the data public, Article 17(2) also requires it to take reasonable steps to inform other controllers processing the data that erasure has been requested.
How It Works
Upon receiving an erasure request, the organisation must verify the requester's identity (without collecting more data than needed for that purpose), assess whether an exemption applies (such as a legal obligation to retain, public interest, freedom of expression, or the establishment or defence of legal claims), and, if the request is valid, delete or irreversibly anonymise the personal data within the statutory timeframe; under GDPR Article 12 that is one month, extendable by two further months for complex requests provided the requester is told why. In practice this means locating every copy of the data (primary databases, caches, search indices, analytics stores, backups and copies held by processors), removing or de-indexing the records, and notifying each recipient to whom the data was disclosed so they erase their copies too, unless doing so proves impossible or involves disproportionate effort. Pseudonymised data that the organisation could still link back to the individual has not been erased; only anonymisation that makes re-identification no longer reasonably possible satisfies the request.
Why It Matters
Compliance is legally mandatory in GDPR-regulated jurisdictions and increasingly expected in other regions adopting similar legislation, creating significant operational and reputational risk for non-compliance. Organisations must balance deletion obligations against legitimate business interests, audit trails, and retention requirements, making efficient data governance and discovery critical for managing both legal liability and operational burden.
Common Applications
Social media platforms handle deletion requests to remove user profiles and associated content; financial institutions manage requests to erase customer records after account closure; healthcare providers delete patient histories when consent is revoked; e-commerce companies remove purchase histories; search engines de-index personal information from public indices.
Key Considerations
Technical challenges include identifying and deleting data across distributed systems, encrypted backups, and third-party processors, which can make complete and immediate erasure impractical. Backups in particular are rarely edited in place; a defensible approach is to document their retention schedule, tell the requester when the backup copies will expire, and ensure that any restore re-applies outstanding erasures so the data does not silently reappear. Copies held by processors can only be erased if the contract with the processor requires it and the organisation actually tracks where each record was sent. Tensions also arise between erasure rights and other legal obligations such as fraud prevention, tax record-keeping, and litigation holds, so organisations need nuanced, per-record policies (retain, anonymise, or delete) rather than a single absolute deletion rule. The record of having handled a request is itself subject to the same constraints: an audit trail that keeps the requester's name or e-mail address to prove the deletion happened has simply moved the personal data, not erased it.
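The following is an added illustration of the workflow and policy described above, written for this page rather than taken from any product or regulator's guidance. It models one erasure request against an in-memory store: identity must be verified first, each record is classified as retain (litigation hold), anonymise (still inside a statutory retention period, so direct identifiers are stripped but the rest is kept) or delete, the third parties that received each record are collected for notification, and the audit entry carries only a keyed hash of the subject identifier rather than the identifier itself. The record categories, retention periods, identifier field names, pepper and sample records are assumptions chosen for the example, not legal advice.

```python
"""Exemption-aware handling of a GDPR Article 17 erasure request.

Added example for illustration only; not code from the page or from any real
product. Categories, retention periods, the pepper and the sample store are
assumptions made for the example.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib
import hmac

# Assumption: a secret kept outside the data store. The audit log records an
# HMAC of the subject identifier so it can show a request was handled without
# itself holding the identifier. Anyone with the pepper can still link a known
# identifier to its token, so treat the pepper as sensitive and rotate it.
AUDIT_PEPPER = b"example-only-pepper-rotate-me"

# Assumption: retention obligations that override erasure, per record category
# (e.g. invoices kept for tax purposes). Values are illustrative.
RETENTION = {"invoice": timedelta(days=7 * 365)}

# Assumption: the fields that directly identify the subject. Everything else
# may survive when a record is anonymised instead of deleted.
DIRECT_IDENTIFIERS = {"name", "email", "address", "phone"}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject_id: str
    created: date
    fields: dict
    processors: tuple = ()  # third parties that received a copy of this record


def decide(record, today, legal_holds):
    """Return 'retain', 'anonymise' or 'delete' for a single record."""
    if record.record_id in legal_holds:      # litigation hold beats everything
        return "retain"
    period = RETENTION.get(record.category)
    if period and record.created + period > today:   # inside retention window
        return "anonymise"
    return "delete"


def anonymise(record):
    """Strip direct identifiers and unlink the record from the subject."""
    kept = {k: v for k, v in record.fields.items() if k not in DIRECT_IDENTIFIERS}
    return replace(record, subject_id=None, fields=kept)


def audit_token(subject_id):
    """Keyed hash used in the audit trail instead of the raw identifier."""
    return hmac.new(AUDIT_PEPPER, subject_id.encode(), hashlib.sha256).hexdigest()


def process_request(subject_id, store, today, legal_holds=frozenset(),
                    identity_verified=False):
    """Apply an erasure request to `store` (dict record_id -> Record) in place.

    Returns the action taken per record, the processors that must be told to
    erase their copies, and an audit entry free of the subject identifier.
    """
    if not identity_verified:
        raise PermissionError("requester identity not verified; refuse request")
    actions, notify = {}, set()
    for rid, rec in list(store.items()):
        if rec.subject_id != subject_id:
            continue
        action = decide(rec, today, legal_holds)
        actions[rid] = action
        if action == "delete":
            del store[rid]
            notify.update(rec.processors)
        elif action == "anonymise":
            store[rid] = anonymise(rec)
            notify.update(rec.processors)   # recipients must anonymise too
    counts = {a: sum(1 for v in actions.values() if v == a)
              for a in ("delete", "anonymise", "retain")}
    return {
        "actions": actions,
        "notify_processors": sorted(notify),
        "audit": {"subject_token": audit_token(subject_id),
                  "handled_on": today.isoformat(), "counts": counts},
    }


def sample_store():
    """Constructed sample data for the example (not real records)."""
    return {
        "prof-1": Record("prof-1", "profile", "u-42", date(2021, 3, 1),
                         {"name": "A. Example", "email": "a@example.invalid"},
                         ("mailer",)),
        "inv-1": Record("inv-1", "invoice", "u-42", date(2023, 6, 15),
                        {"name": "A. Example", "amount": "120.00"},
                        ("billing-vendor",)),
        "tick-1": Record("tick-1", "support_ticket", "u-42", date(2022, 1, 10),
                         {"email": "a@example.invalid", "text": "login issue"}),
        "prof-2": Record("prof-2", "profile", "u-7", date(2020, 1, 1),
                         {"name": "B. Other"}),
    }


if __name__ == "__main__":
    store = sample_store()
    summary = process_request("u-42", store, date(2025, 1, 1),
                              legal_holds={"tick-1"}, identity_verified=True)
    print(summary)
```

Running it with the sample store on 2025-01-01 and a legal hold on the support ticket deletes the profile, anonymises the 2023 invoice (still inside its seven-year retention period, so the amount is kept and the name removed), retains the ticket, leaves the other subject's record untouched, and lists both `mailer` and `billing-vendor` for notification. The point of the separate `decide` step is that the policy is reviewable and testable on its own, independent of the storage code that carries it out.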