The right to be forgotten: the daily challenge of the retention policy

The Right to be Forgotten is one of the new rights of data subjects introduced by the GDPR and  is articulated around two main ideas.

April 27, 2020

Michael Hofmann, Partner, Data Protection Leader & Alejandro del Rio, Manager Cybersecurity and data protection – EY Luxembourg


The Right to be Forgotten is one of the new rights of data subjects introduced by the GDPR and  is articulated around two main ideas.[1] The first idea is the right to erasure per se[2], for which the data controller has the obligation to delete any personal data not necessary anymore to fulfil the purpose of the processing “without undue delay”.[3] The second idea is the right to not find a data subject’s personal data, the right to dereferencing.[4] Additionally, there is an obligation to delete the data after at the expiration of its retention period. This is the “storage limitation” principle.[5]



Following the 7M€ fine given to one of the biggest tech company worldwide by the Swedish Datainspektionen regarding “the right of data subjects to have search results removed from the results list”, and the latest challenges we observed on the market, we wanted to share some insights.

  • Identification and traceability of unstructured data

Arguably the biggest quantity of data in a system, un-modelled and un-defined type of data is found everywhere and could end up challenging to monitor. There is no way to be certain of the location of unstructured data at any given point of time without the help of common tools such as process identification or data-flow mapping. Yet there is much to consider in regards to recent privacy regulations. Furthermore, although indexed in tables, structured data found in gigantic databases can also be complex to retrieve.

  • Actual deletion of the data

After identification, the operator can delete the data manually. However, it is a tedious and costly task that lacks efficiency. Furthermore, it is a reactive approach that would have to be repeated every 6 to 12 months. By extension, this problem refers to how to modify the system structure accurately in order to automate the cleansing process and adopt a proactive approach.

  • Consider data retention as a standalone project

From a process-oriented standpoint, it seems easier to segregate the different processes related to data management (data retention, data monitoring, data security). In addition to being redundant workwise, it generates the risk to lose consistency of the analysis of the data.


In order to mitigate the risks, we suggest the following aspects to consider:

E-discovery assessment: Although many companies are using the classical approach of manual scanning, some tools available in the market serve as an automated, agnostic, and cross-systems solution to identify the data and make an inventory out of it. These tools allow the visualization of data flows and where the data resides in the corporate system, whether it is structured or unstructured data. In any system, the operator can search quicker and with a high accuracy rate.

Data classification and tagging: We observed a lack of maturity in the industry regarding data classification and data tagging. These activities must be undertaken in an integrated manner with the discovery tool. To this extent, the discovery and deletion capabilities can be fully programmed and automated. The operator can focus on tasks with more added value than the research and deletion of data. Such capabilities are to be fully considered within the “Privacy by design” approach.

Process and tooling integration: Data retention processes ensue directly from the data management capabilities of the organization. It is to be fully integrated with cyber security and monitoring systems. Thus, allowing automated controls, secure data, and data monitoring scalable to the different corporate systems.

Leveraging the existing resources and integrating powerful tooling within the system helps the organization to comply with data privacy regulation by allowing swift and secure operations on the data.


Michael Hofmann, Partner, Data Protection Leader, EY Luxembourg
Alejandro del Rio, Manager Cybersecurity and data protection, EY Luxembourg


[1] Article 17 GDPR

[2] Article 17(1) GDPR

[3] The Deletion in this case also includes anonymization of the data. Anonymous data is not able to identify directly or indirectly a natural person, thus not considered as personal data anymore.

[4] Article 17(2) GDPR

[5] Article 5(1)(e) GDRP

Watch video

In the same category