Deletion is a notable piece of privacy compliance strategy, and most organisations struggle to tackle it. Tackling this particular task means companies must ask themselves the right questions:
What kind of data can we delete?
Do we have the right to delete such data?
Does the data subject know that data will be deleted?
What is the appropriate way to delete the data in question?
What type of data is being deleted?
Quite often, deletion or erasure of data is treated with kid gloves. But privacy regulations cover this. More importantly, companies must put a couple of factors into perspective before they delete any data in their possession.
Although the Nigerian Data Protection Regulation (NDPR) does not go into full detail about erasure or deletion processes, companies must pay attention to key elements before deletion is executed.
Where data in the company’s possession is no longer fit for purpose, it is ideal for the company to delete the data. For example, a customer makes inquiries about certain products or services in a company. In making those inquiries, some information is passed and recorded, but the customer doesn’t go ahead to make the purchase. There should be no reason for keeping that information unless the customer gives consent.
Furthermore, if the company has consent from the individual to hold the data and the individual later revokes the consent, the information must be erased. There is no question that customers do give consent and forget about it. It is good practice for the company to review these consents and send reminders to the individual for review.
Another case where deletion must be exercised is where the individual objects to the processing of their data, and there is no overriding legitimate interest to continue processing their information. For example, a data subject calls the company and says the processing of their information should be stopped, and the company sees that there is no reason why it should be processing the information. It can delete the information to avoid stifling the rights and freedoms of that particular data subject.
Where the company processes the personal data for direct marketing purposes and the individual objects to that processing, the company, in good faith and practice, should stop processing the individual’s information and delete that information. There is nothing more frustrating than receiving marketing emails about a product or service that is not beneficial to one.
Where the personal data of an individual has been processed unlawfully, that is, without the data subject’s consent or without transparency, the data must be deleted without further questions. The onus is on companies to carry out a comprehensive data mapping exercise to know the kind of data they process and the kind of data they don’t process in the day-to-day running of their business. It will be unlawful for a company to keep processing information of individuals that it acquired illegally.
There are some other times when data must be deleted to comply with a legal obligation. In some countries like the United Kingdom, France, and Germany, just to mention those three, data of individuals in certain quarters is required to be deleted after a certain number of years. In Nigeria, that practice is not pronounced, but it will be essential that some government institutions start deleting the data of individuals that they no longer process.
Another important category of data that a company must be wary of is the information of children. If there is no need to keep processing a child’s data, then it would be good practice to delete such data.
That said, companies must ensure that deletion is carried out securely. That is, the information must be deleted in a manner that doesn’t put the individual in any danger. Deletion is a privacy compliance requirement and companies should pay close attention to it in their privacy compliance journeys.
Nigeria November 21, 2019