New rules are coming, and people may well want to use them.
Thanks to GDPR, the way companies manage personal data is being brought firmly into the light. There’s still some way to go before the new rules become common knowledge, but as more and more people realise what their rights are, there could be an increase in those who want to exercise them – not least the right to be forgotten. That could potentially spell big trouble for small businesses.
Just this week, Google revealed it’s had to deal with more than 2.4 millions requests for search results to be deleted since the right to be forgotten was introduced into EU law in 2014. Out of those, 43% were delisted, while the rest presumably didn’t meet the criteria that determines whether Google complies with the requests or not.
That’s an enormous number of requests to sift through – far more than the average SME would be able to deal with. Yet even smaller businesses will have to respond to right to erasure requests after the GDPR deadline passes on 25th May. How can they possibly cope?
Good News And Bad News
The good news is it’s highly unlikely SMEs will have to deal with anything like 2.4 million requests. In fact, considering the vast amount of data Google serves up to web surfers every day, the number of right to be forgotten requests so far seems relatively low.
But every silver lining is attached to a much larger cloud, and in this case the cumulonimbus in question is none other than GDPR. According to research by media agency the7stars, 34% of people in the UK intend to exercise their right to be forgotten when the GDPR kicks in. Obviously, that leaves 66% who won't be making erasure requests, but if the requests all come at the same time, businesses could find themselves swamped.
Yet people don't have to wait for the GDPR deadline at all. Under the existing Data Protection Act (DPA), they already have similar rights. "Individuals have “a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed,” says the Information Commissioner's Office. So why wait until 25th May to exercise the right to be forgotten?
A couple of reasons spring to mind. For a start, they might not know what their rights are under the DPA, and therefore may not realise the right to erasure is already on the table.
It’s also possible that some of the7star’s respondents simply weren’t that bothered about their personal data before this study (especially if they were among the 70% of people who hadn’t even heard of GDPR at the end of 2017). Start asking them questions about it in a survey, though, and it’s not exactly surprising that many of them would suddenly feel an overwhelming desire to get their personal data in order.
A similar thing could happen outside of this study, as word continues to get out about GDPR; people may want to exercise their right to be forgotten simply because they’ve just heard about it. If that happens, businesses of all sizes may have to deal with an increased number of erasure requests, and those not prepared for it could struggle.
Should You Be Worried?
As scary as that sounds, there are still reasons to be hopeful.
For example, even if there is an increase in erasure requests in the wake of the GDPR deadline, it’s possible that after an initial spike, the novelty could wear off, causing the situation to level out. That could mean maybe a few painful months of dealing with such requests, before everything returns pretty much to normal.
And that’s if there’s any major increase in erasure requests at all. The results from the7stars survey suggests there will be, but these come from asking people if they intend to exercise this right or not. Naturally, some of them are going to say yes. Outside of such a study, there’s nothing to say people will actually bother to exercise their rights – not in significant enough numbers to be a problem at least.
Also, of the 34% who said they would take advantage of their data protection rights, how many of them were thinking of data held by big companies like Google, rather than SMEs?
Preparing For The Right To Be Forgotten
Despite all the uncertainty, panicking is the last thing you should do. Some people would like you to think there’s going to be a huge GDPR meltdown come 25th May, and that you’re going to be buried under data requests from day one, but the truth is likely to be less dramatic than that.
The ICO, which will be enforcing GDPR, doesn’t intend to punish businesses unreasonably. Its focus has always been on guidance and education, and that won't change under GDPR. The power it has to issue fines is very real, but it's made it clear that financial punishments will be the last resort.
Bearing that in mind, it seems likely that if small businesses were to suddenly find themselves flooded with GDPR requests, the ICO would do its best to help them.
It's also important to remember that the right to be forgotten is not absolute. The ICO states, "The right to erasure does not provide an absolute ‘right to be forgotten’." That means certain conditions have to be met before you're required to delete people's personal data.
That said, GDPR is coming, and businesses should take it seriously. That means being aware of what personal data you hold, where it's stored and so on (we recommend reading the ICO's official guidance if you're unsure).
And as we've said before, you should only be worried if you're doing nothing.