Firms Already Swamped by Right to be Forgotten Requests

Nearly half of IT professionals were asked by customers to remove outdated or irrelevant personal data from the web in the past year, but many lack the technology and processes to do so, according to a new study.

Blancco Technology Group (BTG) interviewed over 500 IT pros in North America, the UK, Malaysia, Germany, Singapore, Australia and Mexico to better understand levels of preparedness for the European General Data Protection Regulation (GDPR).

The resulting report, EU GDPR: A Corporate Dilemma, reveals many organizations are still a long way from compliance, despite the imminent ratification of the regulation—which applies to all companies with European customers.

BTG found that of the 46% of IT professionals asked by customers to remove data in the past 12 months, 41% don’t have the correct processes, documentation or technology in place to do so.

This means they aren’t in a position to comply with the key “right to be forgotten” element of the regulation.

Awareness of the EU GDPR stands at 48%, but 40% of respondents said they’re not fully prepared for compliance. In addition, 60 percent said it would take their organization up to 12 months to get to the stage where they can perform a “right to be forgotten” audit, while 25% didn’t know how long it would take.

Data erasure software (48%), encryption key removal tools (26%) and malware removal tools (10%) are seen as the most valuable to ensure GDPR compliance, the report claimed.

BTG CEO Pat Clawson told Infosecurity that one of the biggest compliance challenges will be documentation.

“If you talk to organizations right now, you’ll find that very few have complete documentation for all of their corporate, customer and employee data. So all the data that employees are creating, transferring and sharing via their computers, mobile devices, the cloud and USB drives isn’t fully accounted for,” he said.

“Because all the data isn’t accounted for, it’s going to require them to do a complete audit immediately before they can even begin evaluating third party tech and software vendors and hiring consultants to devise an end-to-end data lifecycle management program.”

Documentation will be especially important for the right to be forgotten and breach notification requirements of the GDPR, Clawson added.

He advised IT leaders to begin the compliance process with a complete review and audit of all different forms of data being created, stored, processed and transferred by the organization.

“Second, I would strongly urge IT departments to take monitoring third party supplier risk levels very seriously. Organizations need to take direct accountability for monitoring third party suppliers—including conducting unannounced visits/checkups and requesting documentation from them on defined internal processes and staff who are granted access to the corporate data,” Clawson argued. 

“Finally, I would encourage organizations to embed transparency into everything they do. This includes considering how they’ll provide ‘positive consent’ from customers and provide regular communication about the stats and use of personal data.”

If inaccuracies do occur, they should be communicated and confirmation sent that relevant corrections have been made. When changes to data collection and removal processes occur, organizations should also let their customers know in a timely manner, Clawson argued.

Photo © jdwfoto

What’s Hot on Infosecurity Magazine?