A step forward for data rights: understanding the Data Deletion Request Framework

The context  

Since GDPR came into force in May 2018, individuals in the UK and EU have had the right to request the deletion of their personal data when it’s no longer needed for processing. Sometimes referred to as the ‘right to be forgotten’, it crucially mandates that organisations contact any recipient that they have shared personal data with upon receiving a request in order for them to also delete the data in question. 

This massively simplifies the process for an individual wishing to limit the spread of their personal data. Having said this, it also poses a potential challenge to the wider data handling ecosystem as, unless an exemption is provided, deletion requests must be completed within one month. Considering the vast amount of data sharing that occurs, particularly within digital advertising, this deadline can be too short, leading companies to fall short of fulfilling the request. 

The data deletion landscape has changed over recent years with requests becoming increasingly common, particularly against the backdrop of high profile cases of data acquisition and data leaks. Examples of this include the purchase of 23andMe and the recent cyber attacks on businesses where user data were leaked at scale. As a result, it’s more important than ever for the industry to standardise a framework that expediates the process of data deletion in order to deal with this increased demand. 

What DDRF does 

This is where the IAB Tech Lab’s Data Deletion Request Framework (DDRF) comes in – and why its recent endorsement by the UK Information Commissioner’s Office (ICO) is a positive development. 

The DDRF sets out a standardised way for companies to structure and transmit data deletion requests. It doesn’t change the legal obligations - but it does make it significantly easier for organisations to meet them. By replacing ad hoc, manual processes with a consistent technical framework, the DDRF enhances efficiency, reduces room for error and increases accountability across the ecosystem. 

The ICO itself has acknowledged the value of the framework, highlighting its potential to improve how third-party organisations in the ad supply chain handle deletion and withdrawal requests.  

Why DDRF matters  

By utilising the interoperable framework of DDRF, companies in the supply chain can feel much more comfortable that they’re complying not only with GDPR, but also with a number of localised laws that also afford this right. More importantly, however, is the increased confidence that users can now have when interacting with digital advertising in the knowledge that they have more agency over their personal data. GDPR may have afforded the right, but DDRF provides the means to easily implement it; standing to create a more equitable and sustainable digital advertising environment for everyone. 

Find out more about the Data Deletion Request Framework via IAB Tech Lab.