Data Protection: How The Right To Be Forgotten Ruling May Affect Your Business

8th July 2014 :: Author: Andrew Cope, Managing Director, Evergreen

Google is hitting the headlines again over the EU 'Right To Be Forgotten' ruling on 14th May. So how may this new data protection ruling affect your business? What should you be doing?

Google has now started to remove links from its index so that if someone specifically searches on a particular name then some pages won't appear in searches. The original pages remain unchanged. The rule applies "where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing."

The latest data protection ruling is a response to concerns that many web users have had over how much of their data is being used and stored. Even if you are not a 'data controller' like Google, the new data protection ruling has shaken up the subject of how data is handled and managed by organisations. With so much noise in the media regarding data protection issues and removal of data, you may be contacted by customers wanting to know about the data you hold about them. It's time to refresh yourself about your data protection obligations and your customers' rights to access the data you hold about them.

Remember that you are accountable under the 1998 Data Protection Act to keep secure any data that you hold for staff administration or marketing purposes.

1) Your Standard Data Protection Obligations

Data you hold should be:

  • Fairly and lawfully processed.
  • Accurate and current.
  • Not kept for longer than necessary.
  • Processed in line with the person's statutory rights.
  • Kept secure.
  • Not transferred to other countries without adequate protection.

If your data is held in different business systems, whether manually or online, you should consider centralising your data control to avoid duplications and errors. A business system software specialist can create a customised Customer Relationship Management (CRM) system for you or even build a web application to integrate different database systems together.

2) Subject Access Requests

Everyone has a right to get a copy of the information that is held about them. In official terms, this is known as a 'subject access request'. Requests should be made to your organisation in writing, giving full name, address and contact telephone number and any account or reference number. Details about the specific information required, rather than a blanket request for 'all information held', should be given. Your organisation should respond to a 'subject access request' within 40 days and you can charge a fee of up to £10 (up to £50 for certain health and education records).

The Information Commissioner's Office has produced a checklist for organisations to guide you through a subject access request.

3) Social Media

The current ruling only affects search engines but over time, rulings may well extend to removal of links posted by Twitter, Facebook and other social media platforms. So watch this space!