
Expert Advice Community

Audit of completed erasure

Guest user. Created: May 14, 2020. Last commented: May 18, 2020

I have a GDPR question that’s not related to DPIAs and has been bugging me since I went through our GDPR documentation (from your kit – thank you 😊).

We make software that is sold as a product but also offered as SaaS. My question is related to the Right to Erasure. The product has a directory database in it which holds, at minimum, business contact details.
By design, there is no reason for the directory to hold anything more, although we do allow custom fields to be labeled and populated with anything. We have a Privacy module that allows a nominated set of DP users (either the customer or our managed services team) to run a “forget” process. This anonymizes all data held in the SQL warehouse and directory relating to the forgotten person.

The questions I have are:

  1. Do we need to have an audit of a completed erasure?
  2. If we have one and use the forgotten person’s name with no way to reverse engineer the process, is that compliant?

My dev team wants to have an audit trail to demonstrate that the process has been performed, and that is my preference as well, but without the name, it is pretty pointless.


Expert: Alessandra Nisticò, May 18, 2020

I have a GDPR question that’s not related to DPIAs and has been bugging me since I went through our GDPR documentation (from your kit – thank you 😊).

We make software that is sold as a product but also offered as SaaS. My question is related to the Right to Erasure. The product has a directory database in it which holds, at minimum, business contact details.
By design, there is no reason for the directory to hold anything more, although we do allow custom fields to be labeled and populated with anything. We have a Privacy module that allows a nominated set of DP users (either the customer or our managed services team) to run a “forget” process. This anonymizes all data held in the SQL warehouse and directory relating to the forgotten person.

My dev team wants to have an audit trail to demonstrate that the process has been performed, and that is my preference as well, but without the name, it is pretty pointless.

So, my question is: Do we need to have an audit of a completed erasure?

An audit of completed erasure could enhance your accountability in complying with the right to be forgotten, and it is a good choice, yet it is not mandatory, because the GDPR leaves the choice of how to comply with data subjects’ rights up to the data controller.


If we have one and use the forgotten person’s name with no way to reverse engineer the process, is that compliant?

Yes, the GDPR does not provide a specific definition of “erasure”, so it is open to interpretation. The Austrian Data Protection Authority in 2018 considered irrevocable anonymization as compliant as data deletion. The key point is to highlight that, once anonymized, re-identification has become impossible. That’s why an audit of complete erasure (or irrevocable anonymization) is a good idea: you will be able to demonstrate your compliance with the data subject’s request.

You can find more information in these articles:

You can also consider enrolling in this free online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
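The answer hinges on the audit record itself not being re-identifiable. The following is an added illustration (not code from the poster's product or from Advisera) of one way to build such a record: the log keeps a random erasure ID, the actor, a per-table count of anonymized rows and an HMAC of the identifier under a random key that is handed to the data subject as a receipt and never stored. A plain unsalted hash of the name is included only to show why it fails the "no way to reverse engineer" test: names can simply be guessed from the directory. Table names, counts and the names used are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: per-table row counts the "forget" process reported.
SAMPLE_COUNTS = {"directory.contacts": 1, "warehouse.fact_emails": 42,
                 "warehouse.custom_fields": 3}

def naive_commitment(subject: str) -> str:
    """Unsalted hash of the name: NOT anonymization, since names are guessable."""
    return hashlib.sha256(subject.encode()).hexdigest()

def keyed_commitment(subject: str, key: bytes) -> str:
    """HMAC over the name under a random per-erasure key. The key goes to the
    data subject in their receipt and is NOT persisted by the controller."""
    return hmac.new(key, subject.encode(), hashlib.sha256).hexdigest()

def record_erasure(subject: str, actor: str, counts: Dict[str, int]) -> Tuple[dict, bytes]:
    """Return (audit_record, receipt_key). Only audit_record is stored."""
    key = secrets.token_bytes(32)
    record = {
        "erasure_id": secrets.token_hex(16),
        "completed_at": datetime.now(timezone.utc).isoformat(),
        "actor": actor,                      # nominated DP user who ran "forget"
        "rows_anonymized": counts,           # evidence of what was touched
        "subject_commitment": keyed_commitment(subject, key),
    }
    return record, key

def verify_receipt(record: dict, subject: str, key: bytes) -> bool:
    """The data subject, holding the key, can later prove this record is theirs."""
    expected = keyed_commitment(subject, key)
    return hmac.compare_digest(record["subject_commitment"], expected)

def guess_subject(commitment: str, candidates: List[str],
                  commit_fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification check a DPO can run: does any directory name
    reproduce the stored commitment? Should return None for a good record."""
    for name in candidates:
        if commit_fn(name) == commitment:
            return name
    return None

if __name__ == "__main__":
    rec, receipt_key = record_erasure("Ada Lovelace", "dpo@example.com", SAMPLE_COUNTS)
    print(json.dumps(rec, indent=2))
```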
