Forget-me-not: how to cope with the right to be forgotten

By Robert Rutherford, CEO, QuoStar

In a landmark case, a businessman has just won the right to have search results regarding a historical crime removed from Google. This will not be the last example of a ‘right to be forgotten’ claim taking place, especially as the General Data Protection Regulation (GDPR) comes into effect on May 25. With less than a month to go, small enterprises need to recognise the changing nature of data protection requirements under this regulation and ensure they can respond.

Rights under GDPR

For those unfamiliar, the right to be forgotten allows customers, clients and employees to request that their information be removed from a company’s system. While customers may request that entire categories of data be removed – such as their purchase history – they also retain the right to request that individual data points be deleted – such as a single email or phone number. It goes without saying that the wide variety of information clients may request to be deleted could put a massive strain on any SMEs that haven’t prepared.

However, the right to be forgotten is not the only element of GDPR that will affect how customers interact with the business. The right to be informed is also set to impact the company. According to these rules, should data undergo any type of change – whether the company is simply updating its method of storing information or has fallen victim to a cyber-attack – the business must inform the clients that are affected.

The freedom that businesses have previously had with client data will undergo a major change as well. Under the GDPR, customers now need to ‘opt in’ to their data being used by the company, which is likely to reduce the amount of client data that SMEs are used to holding.

Recognising the challenges

Even if companies are aware of these changes, it can be difficult to understand how they will impact the business. The right to be forgotten has the potential to bring client services grinding to a halt as companies struggle to respond to customer requests. The obvious response to this is ensuring the correct controls are in place. Having a back-end system that can pull up a client profile, identify the data points that need to be removed, and delete them without disrupting the system is a vital first step in mitigating the challenges that come with compliance.

Aside from technology, there needs to be a focus on communication. From a client-facing perspective, a company’s terms and conditions will require an overhaul to meet GDPR’s right to be informed. However, staff also need to recognise the importance of clear communication – especially in escalating a data breach or external threat to the company’s Data Protection Officer (DPO).

Under GDPR, any business that does not notify the Information Commissioner’s Office (ICO) within 72 hours of an attack will be found non-compliant, which could result in a fine of €20 million or 4% of the annual turnover – whichever is higher. A robust data management system, combined with a comprehensive understanding from staff, will be essential for avoiding these risks.

Dealing with it

Even with these new customer rights to contend with, business leaders should not feel they are unable to manage the day-to-day. Although the right to be forgotten will impact the way information is stored and shared, it should not stop an SME’s regular operations. If the data requested for deletion is required to receive a specific product, such as an e-newsletter, the client will effectively be terminating that service by asking for their email address to be removed.

Communication will be vital here. Ensuring that clients are aware of how their data is used to provide the services they receive will help improve the understanding of why the business needs that information. This, in turn, will help manage the number of erasure requests and promote a more transparent relationship with the client.

While GDPR will inevitably change the way that SMEs work with their customers, it is by no means an impossible challenge. Ahead of 25th May, companies need to ensure that customers have an understanding of their rights and understand how any changes to their data will affect their interaction with the business. With clear communication and the right technology in place, SMEs can ensure compliance and maintain a beneficial relationship with their clients.