Most employees are likely to exercise their right to be forgotten (RTBF) under the general data protection regulation (GDPR), which comes into force across the EU in May 2018, according to a data security company’s survey. The principle, also known as the ‘right to erasure’, dictates that an individual can request that their data be removed or deleted when there is no compelling reason for a business to continue processing that information.
The survey by Clearswift, of 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia, found that the majority of employees will likely request that their data is deleted, something that 48pc of business decision makers believe will have serious consequences for their business, slowing productivity as resource is allocated to dealing with these requests. A small number of business decision makers (5pc) even said that their organisation would grind to a halt.
Although businesses are anticipating a drain on resources, this may still be underestimated, with a third (34pc) of businesses having successfully conducted a RTBF request so far. The Marketing/PR sector is least confident in handling RTBF, with only 23pc stating that they could handle requests without any impact, whereas half of those in HR were sure of their ability to handle this without issue.
Despite the perception that business boards distance themselves from security, board level staff were by far the most likely to request erasure, with 73pc saying they would be extremely or very likely to request the service.
Dr Guy Bunker, SVP Products at Clearswift, said: “RTBF is an extremely challenging aspect of GDPR. Organisations need to balance an understanding of the data landscape in the organisation with a wider knowledge of the day-to-day practices within the business, including the possible pitfalls. For example, if businesses do not have a record of data duplication or are unaware of staff copying data, RTBF requests won’t be conducted correctly.”
“Working with various departments that hold and process critical data to map storage locations and data flows will create that understanding. Even when the information goes outside the organisation, this data is still your responsibility, so you need to know who you’ve shared it with and through which communication channels so you can effectively execute a RTBF request. Deletion can then be carried out automatically leveraging technology, or manually.”
The desire for data erasure is far greater among those in the private sector (78pc) than among those in the public sector (65pc). The public sector’s more relaxed attitude towards data security is further evidenced by opinion on cyber security breaches: more than a quarter of public sector employees (28pc) are not worried by recent global cyber attacks, compared with 17pc in the private sector.
Bunker added: “Businesses also have to be aware that the right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances, but there are exceptions for certain sectors. Not all data is created equally, and some cannot be ‘forgotten’ on request. For example, you could not contact your local GP and ask for the right to be forgotten, because the practice would not be permitted to delete your information. Similarly, if you have purchased goods you cannot expect the transaction data to be deleted in an arbitrary manner.”