BDMs: GDPR ‘Right to be Forgotten’ Requests Will Drain Company Resource
New research has revealed that three-quarters of employees will be likely to exercise their right to be forgotten (RTBF) under GDPR when it comes into force in May 2018.
The principle, also known as ‘right to erasure’, stipulates an individual’s right to request for their data to be removed or deleted if there is no genuine reason for a company to continue to withhold it.
Clearswift polled 600 senior business decision makers and 1200 employees across the UK, US, Germany and Australia to gauge the impact of dealing with RTBF requests. Almost half (48%) of business decision makers said processing them will have serious consequences for their organization, impacting productivity speeds as resources are allocated to deal with them. What’s more, 5% actually said RTBF requests would 'grind their organization to a halt'.
Interestingly, Clearswift discovered that board level staff were more likely to request RTBF than junior management.
“RTBF is an extremely challenging aspect of GDPR,” said Dr Guy Bunker, SVP products at Clearswift. “Organizations need to balance an understanding of the data landscape in the organization with a wider knowledge of the day-to-day practices within the business, including the possible pitfalls.
“Working with various departments that hold and process critical data to map storage locations and data flows will create that understanding. Even when the information goes outside the organization, this data is still your responsibility, so you need to know who you've shared it with and through which communication channels so you can effectively execute a RTBF request.”
However, despite businesses expecting RTBF requests to drain their resources, just 34% of them had carried one out thus far, suggesting some guess work about how much of an impact they might/might not have.
“Businesses also have to be aware that the right to erasure does not provide an absolute ‘right to be forgotten’,” Bunker added. “Individuals have a right to have personal data erased and to prevent processing in specific circumstances, but there are exceptions for certain sectors.
“For example, you could not contact your local GP and ask for the right to be forgotten, because the practice would not be permitted to delete your information. Similarly, if you have purchased goods you cannot expect the transaction data to be deleted in an arbitrary manner.”
Source: Information Security Magazine