Any new business legislation can be a minefield.
But the upcoming General Data Protection Regulation (GDPR) legislation from the European Union (EU), due to come into force this May, is causing maximum confusion for businesses across the UK as they struggle to get to grips with what the new laws will mean for them and their IT infrastructure.
It has seen a flurry of activity around the legislation in the form of whitepapers, think tanks being set up, and conflicting advice on social media channels over what exactly companies should be doing to ensure they are compliant with these new laws.
Brexit has also thrown a spanner in the works, but the legislation is definitely coming into force in the UK this year, regardless of the eventual outcome.
Included in GDPR is a sub-clause on the Right to Be Forgotten (RTBF), which allows individuals to request that any records held on them by a company are permanently deleted.
For many firms, this could include both their customers and their own employees, so it is something that cannot be ignored, and will probably require some IT infrastructure evaluation on their part at the very least.
The RTBF was first mooted in 2014, after a Spanish man named Mario Costeja Gonzalez suffered financial problems and had to put a property up for auction, the details of which went online after being covered by a newspaper.
Despite the auction happening 16 years prior to 2014, it constantly came up under searches of his name, and he argued it was damaging his reputation and requested it was removed from Google’s search results. The EU Court of Justice agreed, setting the RTBF precedent.
Of course, there are exceptions with RTBF, but the waters are very muddy over what these exceptions actually are, and there are also plenty of counter-arguments about exactly what information on individuals should be deleted, particularly if they have featured in the media for criminal activity such as fraud. The public still has a right to know a person’s history if it is going to have an impact on them in the future.
However, most firms will be asking several questions. Does this really affect us? How much will it cost to implement the technology needed to carry out the requests? Will it require a dedicated member of staff? How much will it slow down our actual business?
A survey commissioned by security vendor Clearswift, and carried out by research house Vanson Bourne, questioned 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia in December 2017.
In total, 48 per cent of business decision makers surveyed felt the RTBF legislation would slow down productivity, as they would be forced to allocate resources to deal with the requests. Worryingly, five per cent felt their organisation would grind to a halt as a result.
Furthermore, 75 per cent of employees questioned said they would be ‘likely’ to exercise their right to be forgotten. The results also revealed that the desire for data deletion is greater in the private sector (78 per cent) compared with the public sector (65 per cent).
To ensure they are prepared for RTBF, all companies must take greater care of the data they hold. They have valuable and intensely sensitive data at their fingertips which needs to be protected.
They should consider investing in proper automation and monitoring solutions to ensure any data they hold is fully traceable – so they know where it has been shared and are able to carry out an RTBF request if needed. They must keep up to date with data duplication policies and know which employees are sharing data and on what platforms, whether it is via social media or blogs, for example. They must also ensure any data they hold is kept secure – or face a potentially crippling fine under the new EU law.
With the right guidance, the investment in future-proofing a business against both GDPR and RTBF needn’t be extortionate, but it is not something that can be ignored, and it is always safer to be primed for action rather than risk being caught off guard when the new legislation comes into force.
By Bill Griffiths, Marketing Manager, SCC