Data security company Clearswift has published survey results which suggest 75 per cent of employees are likely to exercise their right to be forgotten (RTBF). The principle also known as ‘right to erasure’ dictates that an individual can request their data to be removed or deleted when there is no compelling reason for a business to continue processing that information.
The research, which surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia, has revealed that the majority of employees will likely request that their data is deleted, something that 48 per cent of business decision makers believe will have serious consequences for their business, slowing down productivity as resource is allocated to dealing with these requests. A small number of business decision makers (five per cent) even said that their organisation would grind to a halt.
Although businesses are anticipating a drain on resources, this may still be underestimated, with a mere 34 per cent of businesses successfully conducting a RTBF request so far. The Marketing/PR sector are least confident in handling RTBF, with only 23 per cent stating that they could handle requests without any impact, whereas 50 per cent of those in HR were sure of their abilities to handle this without issue.
Despite the well-established rhetoric on the board historically distancing itself from security, board level staff were by far the most likely to request erasure, with 73 per cent saying they would be extremely or very likely to request the service.
“RTBF is an extremely challenging aspect of GDPR,” said Dr Guy Bunker, SVP Products at Clearswift. “Organisations need to balance an understanding of the data landscape in the organisation with a wider knowledge of the day-to-day practices within the business, including the possible pitfalls. For example, if businesses do not have a record of data duplication or are unaware of staff copying data, RTBF requests won’t be conducted correctly.
“Working with various departments that hold and process critical data to map storage locations and data flows will create that understanding,” he added. “Even when the information goes outside the organisation, this data is still your responsibility, so you need to know who you've shared it and through which communication channels so you can effectively execute a RTBF request. Deletion can then be carried out automatically leveraging technology, or manually.”
Interestingly, the desire for data erasure is far greater amongst those in the private sector (78 per cent) when compared to those in the public sector (65 per cent), a relaxed attitude towards data security that is evidenced further by public/private sector opinion on cyber security breaches, with more than a quarter of public sector employees (28 per cent) not worried by recent global cyber attacks compared with 17 per cent in the private sector.
Bunker notes: “Businesses also have to be aware that the right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances, but there are exceptions for certain sectors.
“Not all data is created equally, and some cannot be ‘forgotten’ on request. For example, you could not contact your local GP and ask for the right to be forgotten, because the practice would not be permitted to delete your information. Similarly, if you have purchased goods you cannot expect the transaction data to be deleted in an arbitrary manner,” he concludes.