The Right to Be Forgotten – Ongoing Challenges of Data Privacy
The deadline for GDPR has come and gone, along with the late nights, new data privacy documentation and last-minute system tweaks. And aside from making sure that your company is not subject to a breach, and tightening up its data handling practices, the day-to-day operations of most businesses have remained mainly the same since the 25th May deadline.
So, what will the ongoing impact of the GDPR look like going forward? One of the main challenges we are seeing is in the correct handling of Article 17, or ‘the right to be forgotten’. This legislation is an excellent tool for consumers, especially for those who are concerned with the amount of data they have historically shared with different companies.
In reality, the majority of businesses have very limited experience in dealing with requests like these – a true and complete deletion of all relevant customer information. The written legislation sounds straightforward enough, however, when you consider that most companies don’t even erase contact data when a customer dies, the right to erasure needs careful consideration before being put into practice.
Starting with The Basics.
With a calendar month to complete each request, this might seem to most like plenty of time. However, with no real way of regulating erasure requests, the right to be forgotten has the ability to become a bottleneck for productivity within your workplace and can lead to data handling mistakes.
What can your company do to make sure you are prepared for the right to be forgotten?
Firstly, each request has a time-frame, and follows a simple template:
• Your company receives a written request quoting Article 17.
• You are required by law to respond to each request.
• You then have one calendar month to locate and delete all of their relevant data you hold on your systems.
As we mentioned, just because something sounds simple – it doesn’t make it easy. With strict deadlines to get compliant and impending heavy fines being most companies main focus, the right to erasure was often left on the ‘back-burner’ in GDPR strategy meetings: as something your company should explore in more detail – at a later date.
But if a poor or delayed response to a request will reflect badly on your business, how can you make sure you are prepared for your first case?
Avoid Reactionary Strategy.
Don’t wait for your first request to start creating the process around the right to be forgotten.
Analyse Your Systems and Make Sure They’re Up to Task.
Make sure that each system storing client data has the ability to correctly secure erase customer sensitive information, ideally without impacting any other aspects of the software. Consider the simple fact that secure erase takes time and may impact the user experience of the person completing the request.
Test-run and monitor any change in the speed of the programme and system environment, and make your team aware that any impact it may have when requests are completed.
Test and Invest in Your Customer Indexing Software.
Being able to search for nebulous data criteria (i.e. surnames, partial contact data and business specific reference numbers) with accuracy will lead to far quicker and more accurate data recovery.
With even the smallest businesses using multiple platforms to store related customer information, using an overarching indexing feature is a good way to make sure your searches are accurate and flag all relevant data with minimal chance of error.
Utilise Your Team.
Unless you have an appointed Data Protection Officer, then processing a right to erasure request will not naturally be at the top of any one person’s to-do list. Once the relevant data has been located and flagged, make sure to use a reliable member of staff to double-check for possible mistakes before going ahead with permanent deletion.
Patterns in data indexing errors will quickly make themselves known, which, in turn, should be fed back and used to improve your automated systems.
Make Your Approach Personal and Remember to Keep It Simple.
The right to be forgotten is entirely customer-led, which can ultimately be used to your advantage.
Respond immediately with a message of acknowledgement, and a clear time-frame as to when they can expect their confirmation of erasure. This sounds simple enough, however, if your process is reactive, your response can come across as sloppy and unorganised.
Most clients can spot a well-thought-out response, so be sure to leave the last impression of your company as pleasant and professional.
Market Yourself, Carefully.
As an entirely client-led process, instigating the right to be forgotten can be a unique opportunity to speak with a lapsed or otherwise obsolete customer base – no matter what the outcome, the impression your business makes during this contact can be used to your advantage.
Using deftly placed links in your email acknowledgement could actually add some traffic to your company website and request for services – if you use them carefully.
Although offering brazen discounts or up-selling your services is a turn off for customers who just want their data deleted, you can always make sure to highlight any positive feedback and add links to new and popular services or products that people might not have been aware of since they were last an active customer.
Lastly, Take the Opportunity to Clean Up.
Use the right to erasure as a reliable way to clean up your customer contacts and marketing databases. Like the rest of the GDPR, businesses can use this legislation in their favour and by removing all obsolete client data from your systems.
You will have a far more accurate insight into your honest customer base.
For more advice and guidance on GDPR compliance, call us on 0808 164 4142.