A guide to the new General Data Protection Regulation (GDPR) – Part 3 of 5

27 July, 2016
This article has been reviewed and is up to date as of 5 May, 2017

The right to be forgotten

Individuals under the GDPR will be able request for the deletion of their personal data in certain specified circumstances. This will apply when the data is no longer required for the purpose for which it was originally collected or in circumstances where it has been unlawfully processed.


There is also an obligation for the controller to take all reasonable steps to inform third parties, to whom the data may have been disclosed, that the data subject has requested the deletion of information (the so called ‘right to be forgotten’).


Exceptions to the right to be forgotten will remain in place such as if there is an overriding justification to maintain the processing of data, such as a legal obligation to retain certain records.


Data Protection Officer

The GDPR requires any data controllers and data processors to appoint a dedicated data protection offer (DPO) as part of its accountability programme, if the organisation:

  • is a public body or authority; or
  • if the core activities of the controller or processor consist of processing which requires regular and systematic monitoring of data on a large scale; or
  • if the core activities involve large scale processing of sensitive data.

The DPO must be able to act independently of the organisation and is required to report directly to management. They should be selected on the basis of their professional capability and should have sufficient expert knowledge depending on the type of processing activities for which the DPO will be responsible.


Removal of notification obligations

The GDPR removes the obligation for data controllers to notify or gain the approval from the ICO (or other relevant data protection authority) in certain circumstances. This appears to have been introduced in order to cut of much of the unnecessary administrative and financial work placed on data controllers in having to liaise with the national data protection authority.


However, the legislation will now require data controllers to put into effect certain procedures and mechanisms when working with new potentially high risk technologies. Additionally, there is a requirement for controllers to carry out a data protection impact assessment to determine the likelihood of risk when dealing with large scale processing.