The General Data Protection Regulation (GDPR) becomes law across the European Union from May 25 2018. One important aspect of GDPR, as far as EU citizens are concerned, is the right to be forgotten. This means that individuals have the right to ask for any of their personal data which is held by a business or organisation to be deleted. The business or organisation does not necessarily have to comply if there is a legally valid reason for it to continue to process the data.
The British public and GDPR
In many cases a request to be forgotten will result in personal data having to be deleted. This could be an onerous task for businesses and organisations in the UK, if the results of a survey by the7stars are anything to go by. The independent media agency conducted the survey to gauge people’s reactions to the new regulation.
Although many UK citizens do not fully understand the implications of GDPR stipulations (75% wanted more clarification from government), 34% of respondents did say that they would exercise their right to be forgotten. This is understandable given the amount of personal data that is collected in every aspect of life, from shopping online to using social media and even signing up for tempting offers.
There were some positive results from the survey, with 58% of those questioned saying that they thought GDPR was a change for the better in the world of data protection, and 32% of respondents saying they would trust businesses and organisations more once the new rules were in force. This could be good news for those businesses that comply with GDPR requirements.
However, it could also have the opposite effect for any business or organisation that does not comply. The UK already takes data protection seriously, and the Independent Commissioner’s Office (ICO) is a respected body. However, the implementation of GDPR rules is high profile, and is set to tighten up processes even further. Any business or organisation that does not comply with the new laws could see itself facing a glare of publicity. This could only be detrimental to the ongoing success of that business or organisation, both financially and reputationally.
From a financial point of view, the ICO has the right to impose fines on any business or organisation that is found to be non-compliant. As the Data Protection Authority (DPA) for the UK, the ICO can determine the levels of fines to be imposed but is expected to liaise with other DPAs across the EU and refer to recommendations made by the Article 29 Working Party.
Aside from the obvious financial disadvantages of not complying, businesses could also find their reputations being seriously damaged. This includes businesses that do not comply with an individual’s request to be forgotten even though they have no legitimate reason for continuing to hold and process the data.