Right to be Forgotten: 75% of employees likely to exercise rights under GDPR

  • Nearly half (48%) of business decision makers say that dealing with requests on this level will slow down their business, with 5% saying their business would grind to a halt
  • Only 1 in 3 firms have successfully conducted a Right to be Forgotten (RTBF) request
  • Board level staff most likely (73%) to request RTBF compared with 47% of junior management

Theale (UK) 1st December, 2017. New research by data security company, Clearswift, has shown that 75% of employees are likely to exercise their right to be forgotten (RTBF). The principle, also known as ‘right to erasure’, dictates that an individual can request their data to be removed or deleted when there is no compelling reason for a business to continue processing that information.

The research, which surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany, and Australia, has revealed that the majority of employees will likely request that their data is deleted, something that 48% of business decision makers believe will have serious consequences for their business, slowing down productivity as resource is allocated to dealing with these requests. A small number of business decision makers (5%) even said that their organization would grind to a halt.

Although businesses are anticipating a drain on resources, this may still be underestimated, with a mere 34% of businesses successfully conducting a RTBF request so far. The Marketing/PR sector are least confident in handling RTBF, with only 23% stating that they could handle requests without any impact, whereas 50% of those in HR were sure of their abilities to handle this without issue.

Despite the well-established rhetoric on the board historically distancing itself from security, board level staff were by far the most likely to request erasure, with 73% saying they would be extremely or very likely to request the service.

Dr Guy Bunker, SVP Products at Clearswift, said: “RTBF is an extremely challenging aspect of GDPR. Organisations need to balance an understanding of the data landscape in the organization with a wider knowledge of the day-to-day practices within the business, including the possible pitfalls. For example, if businesses do not have a record of data duplication or are unaware of staff copying data, RTBF requests won’t be conducted correctly as not all data will be discovered.”

“Working with various departments that hold and process critical data to map storage locations and data flows will create that understanding. Even when the information goes outside the organization, this data is still your responsibility, so you need to know who you've shared it and through which communication channels so you can effectively execute a RTBF request. Likewise, incoming data from partners and suppliers may also be subject to an RTBF request. Deletion can then be carried out automatically based on policy, leveraging technology or manually.”

Interestingly, the desire for data erasure is far greater amongst those in the private sector (78%) when compared to those in the public sector (65%). A relaxed attitude towards data security is evidenced further by public/private sector opinion on cybersecurity breaches, with more than a quarter of public sector employees (28%) not worried by recent global cyber attacks compared with 17% in the private sector.

Bunker added, “Businesses and individuals also have to be aware that the right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances, but there are exceptions.

“Not all data is created equally, and some cannot be ‘forgotten’ on request. For example, you could not contact your local GP and ask for the right to be forgotten, because the practice would not be permitted to delete your information. Similarly, if you have purchased goods you cannot expect the transaction data to be deleted in an arbitrary manner.” 

Notes to editors:

This research was conducted by technology research firm, Vanson Bourne, on behalf of Clearswift. Over 600 business decision makers and 1,200 employees from the UK, US, Germany, and Australia were polled to map the attitudes of businesses and employees relating to cybersecurity.

About Clearswift:

Clearswift’s content-aware, policy based solutions enables defense, government, healthcare and financial services organizations across the globe to manage and maintain no-compromise data, email, cloud and web security.

MRB Public Relations
+1 732 758 1100

C8 Consulting
+44 118 334 0220