I have 33 pages of this to wade through to try and understand how to advise on a legal data retention, processing and marketing strategy. The ‘right to erasure’ is not an automatic right for individuals where processing is based on Legitimate Interests. However, this would be the case if Consent was the Lawful Basis. That said, even where the Controller relies on Legitimate Interests for the processing, an individual will still have the right to object to the processing of their Personal Data. The right to erasure would then apply if the Controller could not justify the legitimacy of the processing. Additionally, the right still applies when relying on Legitimate Interests where the Personal Data is no longer required for the purpose it was originally collected, or where the processing is found to be unlawful.
It is a bit strict. The actual penalties are up to £20m Euros, which is a death penalty for most companies. The ICO, who will be policing it, have hired 400 staff for prosecuting people, but some of the guidelines on how to actually comply won't be released by them until the end of this year, which will be too late. I'm working partly from a 3rd party estimate of how to comply.
Remember the millennium bug? That was easy to fix and we had years of warning and massive awareness campaigns. This is about ten thousand times more complex than the millennium bug and most people haven't heard about it yet. It won't break software, just make many companies' activities illegal and subject to huge punishments. It will be policed by a system of snitching, I believe.