Up to 37 million people in the UK could ask for their personal data to be edited or deleted after GDPR

71 per cent in Crown Records Management survey say they will take up ‘right to be forgotten’

British businesses could be overloaded by up to 37 million requests for personal data to edited or deleted when a new regulation comes into force in May – according to results from a national survey.

The EU General Data Protection Regulation, which comes into force on May 25, will give EU citizens greater rights over their personal data.

This includes a right to ask for their data to be edited or deleted as part of a so-called ‘right to be forgotten’ or, as the regulation puts it, ‘right to erasure’. Now businesses are bracing themselves for exactly what this means – and how much it will cost them.

A survey by Crown Records Management, global information management experts, has revealed some remarkable results when it comes to how many people could ask for their data to be removed or altered in future.

The results, after more than 2,000 members of the general public were polled by Censuswide across the country, revealed 71 per cent said they would (either definitely or possibly) ask a company to edit or delete their data when the new regulation comes into force. In an adult UK population of 52.6 million this could result in 37.3 million requests. 25 per cent said they would definitely ask for data to be edited to deleted – which amounts to 13.15 million requests. Only 8 per cent gave a straight ‘no’ when asked if they would want data edited or deleted.More than 34 per cent of 25-34 year-olds said they would definitely ask for their data to be edited or deleted.More than half of directors said they would definitely ask for their personal data to be changed or removed..

David Fathers, Regional Manager at Crown Records Management said: “We were all aware that the public is increasingly interested in how their personal data is used and increasingly aware of its value and the dangers of its misuse.

“But for so many people to indicate they will ask for data to be edited or deleted will come as a shock to many businesses.

“Even if only the 25 per cent who answered ‘definitely’ follow through with that intention then we could be looking at more than 16 million requests – which is an eye-watering figure.

“The likelihood is that the number of requests will in reality be fewer -what people say they will do and what they actually action is often different. But the results show that the data climate is changing and should nevertheless be a warning to businesses of what lies ahead.”

GDPR will also bring with it huge fines for busineses which fail to comply with regulations and suffer data breaches – up to 4 per cent of global turnover or 20m Euros, whichever is greater.

The UK, which will still be part of the European Union when the regulation comes in, is already preparing legislation to mirror it after Brexit, so there will be no escape for UK businesses.

In fact, GDPR applies to any business which holds the personal data of European citizens regardless of where they are based.

David Fathers added: “This regulation is going to affect virtually all businesses of all sizes in the UK and this survey shows how big its impact could be . Companies should already know what data they have, where it is, how it can be accessed and how it can be edited. But the GDPR regulations will make this mandatory. A full data audit now before the regulation comes in is the very minimum required to start the preparation process.

“There are also significant budget implications to consider if they are going to cope with the volume of requests which come their way. You have only to look at the impact that Freedom of Information Requests have had on some businesses and public bodies to know that this may require an entire new department to help deal with the issue.”

What type of data will people ask to be edited or deleted?

1 Financial, banking and credit card information, 68 per cent

2 Data held for marketing and mailing lists, 66 per cent

3 Name, address, email address, 56 per cent

4 Health and medical data, 56 per cent

5 Basic personal information, e.g. name, address, date of birth, 53 per cent

6 Credit rating, 53 per cent

7 Shopping and purchasing history, 52 per cent

8 Date of birth, 46 per cent

9 Membership of organisations or political groups, trade unions etc., 45 per cent

10 Performance history at work, e.g. appraisals, 44 per cent

11 Sexual orientation, 36 per cent

12 Racial or ethnic origin, 34 per cent

13 Criminal record, 34 per cent

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at http://www.gdprsummit.london/