Now that the General Data Protection Regulation has come into force, organizations need to be able to process requests to erase the personal data of individuals. To establish this capability, changes to a variety of policies and procedures across the organization need to be implemented.
For one, the systems, applications and databases need to be calibrated to allow the easy identification and deletion of data related to the requesting individual. Then, policies and procedures need to be in place for the data protection officer and other stakeholders to follow the full lifecycle of the data erasure request. Finally, the DPO should maintain oversight of the effectiveness of every step of the way to the deletion and communicate timely to the data subject.