Major overhauls of data collection and removal programmes needed to address the ‘right to be forgotten’

Drowning in data

Organisations lack defined processes, documentation and technology to adequately address the ‘right to be forgotten’ and require major overhauls of their data collection and removal programmes to ensure compliance with the new EU General Data Protection Regulation (GDPR), according to a study by Blancco Technology Group.

Based on a survey of over 500 global IT professionals, the study found that 46% of respondents received customer requests to remove data in the last 12 months. However, 41% said they do not have defined processes, documentation and technology/tools for data removal, with 16% still needing to find the right data removal software, 9% uncertain of how and where to start, and 15% not even knowing if they are prepared.

“Because the EU GDPR negotiations stretched on for the last four years, many organisations held out hope that an agreement would be postponed, or if things went the way they hoped, the negotiating parties would never come to agreement,” said Pat Clawson, CEO of Blancco Technology Group. “But now that the EU GDPR is a reality and the new privacy rules will be ratified by the European Council in early 2016, many organisations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands.”

Lack of documentation, processes and tools increases the likelihood of GDPR violations. Of IT professionals surveyed, 60% stated that it would take their organisation up to 12 months to implement the necessary IT processes and tools to pass a ‘right to be forgotten’ audit, while 25% do not know how long it would take.

Clawson concluded: “If organisations want to be ready for GDPR compliance by 2018, they will need to assess their current weaknesses. Once they have done so, they will need to develop end-to-end data lifecycle management processes, create transparent processes and customer communications regarding their data removal methods/tools, and finally, improve their security posturing as a whole to include detection and response and the gathering and sharing of threat intelligence.”