Is your business ready for the right to be forgotten?
There are fewer than three months until the European Union’s General Data Protection Regulation (GDPR) comes into force.
One of the main aims of the data protection reforms is to provide people with more control over their personal information and how it is used. But research by Solix suggests that organisations aren’t prepared for the ‘right to be forgotten’.
In fact, two-thirds (66%) of those surveyed admitted they are unsure whether an individual’s personal information would be completely removed from all of their systems, forever.
But what is the right to be forgotten?
Kefron notes that this term, which has now been watered down to ‘the right to erasure’, dictates that individuals can request that their data be removed or deleted when there is no compelling reason for a business to continue using that information.
Article 17 of the GDPR explains that individuals can request that data controllers erase, or stop further processing of, their personal information in certain circumstances. These include instances where:
- The personal data is no longer necessary or relevant in relation to the purposes for which it was originally collected
- The individual withdraws their consent to processing (and there is no other justification or legitimate interest for continued processing)
- The personal data has been unlawfully processed, in breach of the GDPR
- The data must be erased in order for the controller to comply with a legal obligation; this could include deleting certain data after a set period of time.
The data controller will be responsible for deleting or removing data “without undue delay” when requests meet these conditions and, unless specific circumstances apply, data will need to be erased within a month of the request.
However, a request for erasure can be refused when the data is needed:
- For exercising the right of freedom of expression and information
- To comply with legal obligations or the requirements of official authorities
- For public health reasons or the performance of a task in the public interest
- For archiving purposes in the public interest, scientific or historical research, or statistical analysis
- For exercising or defending legal claims.
Worryingly, Solix’s survey also uncovered that less than half (43%) of businesses have a defined process for the methodical deletion of records and confirmation checks, ZDNet reported.
What’s more, the overwhelming majority (82%) of respondents are unsure where they store their most sensitive personal data, while just 55% said they keep audit trails for data consents, collection updates and deletions. These results suggest many businesses could find themselves deemed non-compliant with the GDPR if they do not act now.
Commenting on the findings, executive chairman of Solix, John Ottman, said: “Based on our survey data, it’s clear that the majority of organisations are not currently prepared to meet GDPR requirements.
“There is an urgency to take steps now as the enforcement deadline quickly approaches and applies to anyone who is currently operating with EU customers.”
3 Step IT comment
We hosted a webinar on February 13th 2018, covering the topic of GDPR: 3 Building Blocks:
- Data inventory mapping: knowing what data you have, where it is and how to access it
- Data sanitisation: building a framework for the right to be forgotten, and how to apply data sanitisation to ensure reliable data erasure
- Information security and control: the importance of having an IT asset inventory to maintain control over data and to create an audit trail, as part of your GDPR accountability
In the webinar we asked the audience three questions, and it is interesting that the findings mirror those in the Solix survey:
1. Do you have a data inventory? 67% responded ‘No’.
2. Do you have a process in place that will give an individual who has asked to be forgotten proof that it has been done? 74% responded ‘No’.
3. Do you know where all your devices are, who is using them and what is on them? 43% responded ‘No’.
Take the next step towards GDPR compliance: watch our webinar.