As the proposed new EU Data Protection Regulation continues its complex and long journey through the European Union’s governing bodies, signs are that the legal landscape is changing. Nowhere is this seen more clearly than in the case of Article 17, the ‘right to be forgotten and to erasure’. Under Article 17 an individual will be able to ask an organisation it has dealt with to delete all record of the relationship permanently. Unless the firm can prove it still needs the data for the purposes for which is was collected in the first place, it will have to comply.
The draft Data Protection reforms were drawn up in 2011, the year in which research showed that seven in ten Europeans were deeply worried about organisations holding on to their personal details and felt they had little if any control over what the organisation did with that information[i]. But after three busy years of online shopping, banking and social media sharing later, consumer attitudes appear to have evolved.
On the whole, consumers today seem more relaxed about sharing their personal details, perhaps because they have seen some genuine benefits in terms of more relevant offers or tailored recommendations. They also appear more complacent. Many are not sure whether getting their details erased would be worth the effort of tracking it all down. However, they also seem less trusting of brands’ intentions and actions. While people are growing more aware of what their personal information could be worth, most doubt that a company would honour a request to delete it.
We know this because we asked them. Our study[ii], undertaken in the UK, France, Germany, the Netherlands and Spain, found that an overwhelming 88 per cent of adults say they now deal with so many organisations that they don’t know who holds what information about them. Three quarters (72 per cent) are not convinced that the benefits of having their information deleted are worth the bother of getting it removed – and 83 per cent don’t believe a company would honour the request anyway, even if the company assured them that it had.
The Data Protection reforms contain much that is important, essential even, to protect data, businesses and consumers in the new digital age. However, the reforms are controversial and the subject, therefore, of much lively debate. It is interesting to track the changes that are being introduced as the reforms pass from the European Commission to the European Parliament and now on to the European Council and the Member States. Article 17 is among those being amended. The more emotive references to a ‘right to be forgotten’ and ‘especially in relation to personal data made available by the subject while he or she was a child’ have been quietly dropped. A more pragmatic attitude towards personal data is emerging that seems to sit more comfortably with the way consumers feel today and the critical need businesses have to extract customer insight from information, in order to stay competitive.
So can companies relax about personal data and consumer fears? Not in the slightest. Consumers may have a growing understanding about the benefits of sharing data, but that does not negate a company’s responsibility to protect that data; nor does it address the serious issue of consumer mistrust. Brand loyalty is based on trust, and consumers need to believe that you will do what you say you will, or what they have asked you to do – and can prove it.
Companies are resisting the move because it could get complicated and costly, and they are worried they would no longer be free to mine or share data for business advantage without a complicated framework of permissions. If you add to that the fact that personal data is difficult to track down because it is generally distributed across electronic files and databases, social media platforms, telephone conversations and paper files, it then becomes clear that responding to an individual request will not be straightforward.
Nevertheless, the reforms are coming, and businesses will need to be ready. They need to know what they hold, where they hold it, and how to delete it when asked to do so – in a way that is transparent and accountable. This involves bringing data together into a single profile. For example, when it comes to paper, this will mean digitising all important paper documents so the data can be merged into a central electronic database and then securely archiving the rest.
Firms have much to gain from building consumer trust before the law obliges them to do so. Trust builds loyalty and loyalty drives sales. “We don’t believe you” is the last thing a business wants to hear from its customers.
Christian Toon, Head of Information Risk, Europe, Iron Mountain
About Iron Mountain:
Iron Mountain Incorporated (NYSE: IRM) is a leading provider of storage and information management solutions. The company’s real estate network of 67 million square feet across more than 1,000 facilities in 36 countries allows it to serve customers around the world. And its solutions for records management, data backup and recovery, document management and secure shredding help organisations to lower storage costs, comply with regulations, recover from disaster, and better use their information for business advantage. Founded in 1951, Iron Mountain stores and protects billions of information assets, including business documents, backup tapes, electronic files and medical data. Visit www.ironmountain.co.uk for more information.
[1]Flash Eurobarometer 359, attitudes on data protection and electronic identity in the European Union, June 2011
ii The research was conducted by OpinionMatters for Iron Mountain, February 2014. Opinion Matters surveyed 1,257 office workers who work in manufacturing & engineering, legal, financial, pharmaceutical or insurance from the UK, France, Germany, Netherlands and Spain. The research was carried out between 10/01/2014 and 22/01/2014.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.