New research from storage and information management company Iron Mountain suggests that consumers doubt whether the widely-publicised ‘right to be forgotten’ will work in practice. The European study found that the overwhelming majority (92 per cent) of consumers in the UK say they now deal with so many organisations, both online and offline, that they no longer know who holds what information about them.
At the heart of the EU’s proposed data and privacy protection reforms[1] is a belief that the protection of personal information is a fundamental right for all Europeans. Any organisation that fails to do its utmost to respect this right could face a fine of up to 2 per cent of its global turnover. Under the proposed changes to European law, consumers will be able to ask companies that hold information about them to remove it. However, close to three in four consumers (74 per cent) in the UK are not convinced that the benefits of having their information deleted would be worth the bother of asking for it to be removed, and 86 per cent don’t believe a company would honour the request anyway, even if the company assured them that their information had been deleted.
Furthermore, there is considerable confusion when it comes to the kind of information a person can ask to have removed. Most of those surveyed in the UK believe they would be entitled to ask for personal information (91 per cent), financial details (64 per cent) and email correspondence (54 per cent) to be deleted. However, less than half think their rights would extend to recorded telephone conversations (42 per cent) or social media posts (32 per cent).
Close to half (45 per cent) believe that information held on paper – such as letters or completed forms – would be covered by data protection laws, despite the fact that two thirds (64 per cent) of respondents feel information on paper is easier to destroy than information held about them online.
“Almost everything we do creates an information trail that can be collected, processed and possibly shared. Organisations that collect this information need to manage it carefully and protect it securely. The proposed EU data protection reforms are a good first step to better protecting consumers,” said Christian Toon, Head of Information Risk for Europe at Iron Mountain. “However, our research suggests that consumer attitudes have shifted since the EU reforms were first drawn up on the back of a wave of consumer data fears in 2011. While consumers today remain happy to conduct much of their business and social lives online, they no longer trust organisations to comply with a request to delete personal data. Organisations can help overcome this pessimism by educating consumers on their policies and procedures.”
“Whether you hold personal information on paper, online or in an electronic database, you need to know what you hold, where you hold it, and how to delete or destroy it securely when asked to do so ‒ and to do so in a way that is transparent and accountable. For many firms, the first step is to digitise important paper documents so the data can be merged into a central database. Then to archive historical or physical documents, securely destroying those records the company is no longer entitled to keep and establishing retention schedules to manage the archived information. Firms have much to gain from building trust before the law obliges them to do so. Trust builds loyalty and loyalty drives sales.”
Iron Mountain surveyed 1,257 adults in France, Germany, the Netherlands, Spain and the UK.
About Iron Mountain:
[1]The European Commission plans to unify data protection within the European Union (EU) with a single law, the General Data Protection Regulation (GDPR). The EU’s European Council aims for adoption in late 2014 and the regulation is presently planned to take effect after a transition period of 2 years.
Article 17: Personal data has to be deleted when the individual withdraws consent or the data is no longer necessary and there is no legitimate reason for an organization to keep it.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.