ISO 27001 and GDPR

This right to erasure or right to be forgotten is found in Article 17 of the GDPR. While there are some exceptions — for the completion of a contract, regulatory requirements, legal cases, and the public interest — much of the time a customer from an EU member state can simply ask to be forgotten, and your ecommerce business will need to comply with the GDPR requirements “without undue delay.”

Know Where Customers’ Data is Stored

The first step in complying with this GDPR requirement is to know specifically where a customer’s personal data is stored.

This may sound obvious, but ask yourself, do you know anything at all about the databases housing your customer’s information? Does your business document how to access those records? If a request for erasure came in, where would you start?

The business might need to delete in the event of a GDPR erasure request. These include:

Deleting orders

Deleting customer account records

Deleting customer support records

Deleting email subscription data

Deleting user generated content like reviews

Your business should document where customer data is stored including backups, note third-party tools which also have access to your customers’ information, and develop a step-by-step process for removing customer records.

Recognise Removal Requests

The GDPR does not outline a specific method for submitting a request for erasure, so it may be common for customers to submit verbal or written requests to any part of your business from customer service agents to receptionists with or without mentioning the right to be forgotten, Article 17, or the GDPR itself.

Use your ISO27001 framework to manage your own requirements:

Create a central form or repository for removal requests. When a request comes in, have your staff complete the form.

Train your employees to capture requests. Note: directing a customer to a form is probably not the best option.

Identify a person or persons responsible for dealing with requests.

Have a draft response written ahead of time, so that you can quickly let the customer know the request was received and is being processed.

Log the request, capturing sufficient information to perform the removal.

Validate Erasure Requests

While the GDPR allows for the right to be forgotten, this right does have limitations, so before you starting purging your database, ensure the request is valid.

Purpose. A user can request erasure if the personal data is no longer required to meet its original purpose. For example, an online store often collects personal data for the purpose of delivering a product. Once the product is delivered and legal requirements are met, that personal data is no longer serving its purpose, and a shopper covered by the GDPR can ask for it to be erased.

Consent. If personal data was collected with consent (cookies for example), and the user withdraws that consent he or she can also ask for the data collected to be erased.

Objection. A user can simply object to your company collecting his or her personal information. If your business cannot demonstrate “overriding legitimate grounds for the processing,” the data subject can request deletion.

Erase Customer Data

Take the steps necessary to remove any of the customer’s personal data from your production, development, and backup systems.

ISO27001:2013- What is your information retention policy? And what procedure do your follow?

There are industry providers like:

The above is HM Government compliant

Notify Third-Party Data Processors

It will also be your responsibility to notify any third-party processors about the removal and verify from them that the data subject’s personal information has also be removed from their systems.

Log Customer Removals

Throughout the erasure process, your company should be logging and tracking each step.

Note when the request for erasure is captured.

Log each customer communication.

Document that you followed the required procedures necessary to remove the data.

Note that you verified the data was removed.

The above can be evidenced by using your internal service desk or CMS to prove deletion.

Please let us know what you think or when you need help with this please contact us