GDPR's Right to Be Forgotten: Didit-Integrated Data Erasure

Understanding the Right to Be ForgottenGDPR Article 17 grants individuals the right to have personal data erased without undue delay, a critical aspect of data privacy compliance.

Configurable Data Retention PoliciesDidit allows businesses to define automated data retention periods from 1 month to 10 years, or unlimited, directly from the Business Console, ensuring data is not held longer than necessary.

Manual Session Deletion for Specific RequestsFor immediate or specific erasure requests, Didit provides a straightforward manual deletion process within the Business Console, enabling precise compliance with individual requests.

Didit's Role as a Data ProcessorDidit acts as a data processor, supporting data controllers in meeting their GDPR obligations through flexible tools and a privacy-first approach, including in-country processing options.

The Mandate of the Right to Be Forgotten (GDPR Article 17)

The General Data Protection Regulation (GDPR) has profoundly reshaped how businesses handle personal data. Among its most significant provisions is the 'Right to Be Forgotten,' or the 'Right to Erasure,' outlined in Article 17. This article empowers individuals to request the deletion of their personal data under specific circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or when the individual withdraws consent. For organizations, this isn't just a suggestion; it's a legal obligation that requires robust systems and processes to ensure compliance.

Implementing this right can be particularly complex for systems that handle sensitive identity verification data. Identity verification services, by their nature, collect and process a wealth of personal information, from names and addresses to biometric data and document images. Ensuring that this data can be accurately and completely erased upon request, while still maintaining necessary audit trails or complying with other legal obligations, presents a significant technical and operational challenge. A failure to comply can result in substantial fines and damage to reputation.

Configuring Automated Data Retention with Didit

One of the most effective strategies for complying with the Right to Be Forgotten is to implement proactive data retention policies. By automatically deleting data that is no longer needed, organizations can significantly reduce their compliance burden and minimize the risk of holding onto data unnecessarily. Didit, recognizing this critical need, provides flexible and configurable data retention controls directly within its Business Console.

As a data processor, Didit empowers you, the data controller, to define how long verification data is stored. Users can navigate to Business Console → App Settings → Data and select a retention window ranging from 1 month to 10 years, or even choose 'unlimited' if specific regulatory requirements dictate. This policy applies comprehensively to all verification inputs and outputs, derived results, and operational metadata. This feature ensures that your identity verification data aligns with your internal policies and regulatory obligations, automatically reducing data footprints over time and simplifying erasure compliance.

For enterprise accounts with specific data residency requirements, Didit also offers in-country processing options, further strengthening compliance with local data protection regimes like GDPR.

Addressing Individual Erasure Requests: Manual Deletion

While automated retention policies handle data at scale, the Right to Be Forgotten often involves specific, individual requests for data erasure. These requests require a precise and auditable method for deleting particular user sessions. Didit's platform is designed to facilitate this with a straightforward manual deletion process.

When an individual exercises their right to erasure, you can easily locate and delete their specific verification session within the Didit Business Console. By navigating to Dashboard → Verifications, you can search or filter for the target session. A prominent 'Delete' button allows for immediate removal of the session data, with a confirmation step to prevent accidental deletions. This capability is crucial for responding promptly and effectively to individual data subject requests, demonstrating a commitment to data privacy and regulatory adherence. This granular control over data erasure complements the broader retention policies, providing a comprehensive approach to data lifecycle management.

How Didit Helps with GDPR Compliance

Didit is an AI-native, developer-first identity platform built with compliance and privacy at its core. Our modular architecture and robust features are specifically designed to help businesses meet stringent data protection requirements, including the GDPR's Right to Be Forgotten, without incurring setup fees. Didit acts as a data processor, empowering you to remain the data controller, making it easier to manage your data privacy obligations.

Our configurable data retention policies, accessible via the Business Console, allow you to set automatic deletion schedules for all verification data, including details from our ID Verification, Passive & Active Liveness, and AML Screening services. This ensures that personal data is not retained longer than necessary, aligning with the principle of data minimization. For specific erasure requests, the manual session deletion feature provides the necessary tools for targeted, immediate compliance. Furthermore, Didit's commitment to data residency, including in-country processing for enterprise clients, supports adherence to local data protection laws. With Free Core KYC, Didit offers an accessible yet powerful solution for managing identity data responsibly and compliantly.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.