GDPR – Right to be forgotten could be misused by criminals

Reported by: |Updated: August 2, 2018

Jaspreet Singh & Sanjay Vasudeva

GDPR contains a specific right for individuals – right to be forgotten. This means data erasure at the instance of the individual or cease processing data any further when the consent is withdrawn. Jaspreet Singh, partner – Cyber Security, Ernst & Young, feels this right might lead to the deletion of any criminal records or legal history of an individual and might work in favor of criminals. Having said that, the organizations will also have to comply with the local regulations and any information that is required to be maintained by the laws of the land will take precedence over data subject rights, including right to be forgotten, says he in his interaction with Banking Frontiers on GDPR.

According to Sanjay Vasudeva, senior partner, Assurance, Risk Advisory, at S.C. Vasudeva & Co, and member of the Central Council of the Institute of Chartered Accountants of India (ICAI), this provision, if not handled carefully, may have a potential for misuse since erasure request or withdrawing consent may have been received too late to be erased and the data may have already been disseminated and processed. “Hence, sufficiently detailed documentation may have to be secured to mitigate litigation. For organizations, this would mean allocating additional resources and costs in maintaining and updating records as well as risk of exposure to potential claims,” he says.