The right to be forgotten, as part of the General Data Protection Regulation (GDPR), is exercising my mind. It’s not really called that; it is actually called ‘The right to erasure’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
I’m finding it very amusing, not that there are lots of laughs in the legislation. ‘Entertaining’ is perhaps a better word. In certain circumstances you can ask for your data to be removed from records and withdraw consent for it to be used. The onus is very much on the company rather than the data subject.
The definition of personal data is deliberately a very broad one. In principle, it covers any information that relates to an identifiable, living individual. Data is personal if it can be linked back to a person. So you can’t replace names with NI numbers or NHS numbers, for example, nor can you use SIM card addresses from mobile phones. It is still personal data.
I have been concerned about video or photography for some time. If you are in the background of a video but have not been tagged, how will we ever know how to remove you? What is taxing me most now, however, is the relationship between IoT and GDPR. So much of the data that is being created by IoT can be linked back to a specific person, so it is personal. The data subject, therefore, has the right for it to be removed. If I live by myself, the data my fridge collects is personal. If I own a car, my mobility data is personal.
Soon everything will be known: the food I eat, the music I listen to, the places I go to and everything in between. All my proclivities will be captured and may well be used in evidence against me in some dystopian future. If it is personal, then I have the right to ask for it to be removed.
Alexa, delete everything I have ever asked you.