The GDPR: The SME approach to the ‘Right to be Forgotten’

In the last nine to twelve months, more small to medium sized businesses in the UK have begun to understand the GDPR and its ramifications. Now with just one year to go, those businesses are looking for a practical approach to preparing for the more challenging aspects of the legislation, in particular, the ‘right to be forgotten’ (RTBF).

Best known in connection with the EU ruling that residents can request outdated or irrelevant information about themselves be removed from search engine results, the GDPR directive will soon put similar requirements on all companies.  

From May 25th 2018 onwards, if a company is presented with an RTBF request, they will have 30 days in which to find that individual’s information and delete all records of it that are no longer being used for their original purpose, unless they are required to be held for other regulatory reasons.

Where to start?

GDPR data refers to personally identifying data for EU citizens. This includes anything from listed gender type to phone numbers and bank details.

This information will often flow through a complex data supply chain and the majority of small to medium sized businesses have no mechanisms to record where it is sent or saved, let alone which data should be kept or deleted.

Much of it will be in obvious places like CRM databases or employee HR system, however a lot will be more difficult to locate, such as files that are generated by reports, which people keep on their laptops or file servers. This is where the data supply chain starts to become messy, especially when taking into consideration the operations many businesses outsource, such as the bank details sent to a pensions provider, the contact lists sent to a telesales company or even the order form you’ve shared with your logistics provider via cloud applications such as Drop Box or Wii Transfer. Even when the information goes outside of your organisation, this data is still your responsibility, so you need to know who you’ve shared it with so you can make a corresponding RTBF request.

The first step any business should take is understanding how the GDPR’s requirements relate to any existing regulation the organization might be subject to. For example, PCI DSS (Payment Card Industry Data Security Standard) may be being complied with, in which case location and security of credit card numbers should be well defined. Once current regulations have been reviewed, you’ll be in a better position to conduct an information discovery audit to understand exactly what personal data you hold and where it can be found. Discovery should cover laptops, file servers and cloud based locations as well as database applications where a simple report can be run.

Putting a system in place

Furthermore, a business will need to map the data flows in and out of the organisation to build a picture of where the GDPR data is going and who it is going to. Ultimately, monitoring and scanning for critical GDPR information will highlight what a business is already doing, what needs to be done to become compliant,  and therefore where there are gaps. Compliance requires three different areas to be considered:

People are an organisation’s biggest strength and biggest weakness. They make mistakes, store information in the wrong place, and use shortcuts which frequently puts data out of control of the IT department. Companies need to understand how their employees share information, and look at education or awareness programmes, or cultural changes, to plug gaps.

Processes and associated policies, are not just about preparing for a RTBF request, but also defining the action a business will take when it gets one. There are other processes which will need to be updated and introduced in order to become compliant. Becoming compliant is really about good data governance and reducing risk, such as limiting who can access and share certain information, preventing information from leaving a network and creating contracts with suppliers dictating how they may use personal data.

Technology can help GDPR compliance by automating manual data protection processes, enforcing security policies, providing visibility of data flowing in and out of an organisation and protecting both the people and the business. Easy-to-use solutions are available to perform data-at-rest discovery scans, which will identify files containing GDPR data – whether they are on laptops, file servers or cloud collaboration sites. What’s more, adaptive security systems can be set up to automatically and consistently redact GDPR information out of any communications, based on policy, especially when it is leaving the organization. This helps avoid human error such as an email to the wrong person, whilst also saving a company redesigning many processes such as applications that automatically generate customer reports.

Better data governance, better business

Many businesses will see the right to be forgotten as additional hassle, requiring them to commit time and resources to seemingly unnecessary bureaucracy. Whilst time and resources are needed, GDPR is far from unnecessary; aiming to help individuals and businesses achieve good data governance, ultimately protecting customers and employees. For those who have had their information compromised, whether it is fraudulent use of a credit card, or full blown identity theft, the stress, hassle and financial loss caused are reasons to applaud GDPR for taking a tough stance.

Compliance will have a positive knock on effect on a business’ success, most notably the improved trust with existing and prospective customers and clients, as well as any partners – a significant factor in the ability for a business to grow. By implementing the right processes and policies, and strengthening this with certain technologies, businesses will be well on the way to being GDPR compliant and ready for that first RTBF request.

Dr Guy Bunker, SVP of Products at Clearswift.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.