From 25th May 2018, EU Citizens will have the right to tell companies to erase their personal data and it has to be deleted. This is the so-called “right to be forgotten” and it will empower people to have past mistakes and problems removed whether they were a customer or employee.
At least this is the perception that’s growing up in some quarters. The reality is more nuanced and it has the potential to create headaches for individuals and firms alike. Far from a blanket deletion of a person’s data, firms can and should retain it long after the request has been made. The challenge will be balancing the public perception of what the right to be forgotten does, and what it actually achieves.
The right to be forgotten
Over the past few years, Google and others have been required to remove certain results from their searches. People with spent convictions, who have made missteps in their lives or who just want to forget a part of their past have been able to compel the search engines to suppress results that include them. This is the origin of the so-called “right to be forgotten” and it’s a term that’s been carried along to the new General Data Protection Regulation (or GDPR as it is known).
Within GDPR there isn’t a blanket right to be forgotten. There is, however, a “right to erasure” and it’s this that’s attracted attention.
This right allows an EU Citizen to have their personal data erased when there’s no compelling reason for it to be retained. Someone who is still an employee or customer, for example, would not be able to have their data erased, but a former customer from a few years ago would.
So a request comes and we delete everything. Right?
While a lot of people have become quite animated about this right, the reality is it doesn’t vary hugely from current Data Protection regulation. People can object to our holding their personal data right now and if we’ve no good reason to keep it we shouldn’t.
There are legitimate reasons to retain data after a request has been made. Maintaining records for accounting purposes or to defend potential legal claims could see data being held for years after the request has been made. We could even retain data for statistical research, vital for firms using deep machine learning.
Here comes the challenge
The problem then becomes one of communication. When someone requests erasure they may well expect a reply that confirms everything’s been done and the firm has no more data held about them. To do this would be misleading. Should the firm mistakenly process their data later, have it stolen, or be subject to some legal action that requires them to expose it, that person is potentially going to feel betrayed. The technicalities of rights under a piece of EU Regulation will count for little should a brand-damaging social media storm explode.
We therefore need to ensure people are aware of the subtleties of what’s happening to their data. Of course, we will no longer send them email newsletters or allow them to use their login details, but they have to be aware we’ll keep their financial records for at least 7 years and everything else for 3 or more. We should also make it clear we could use their data for research and statistical analysis.
GDPR is more than a technical solution
Many of the discussions I’ve had around the right to be forgotten have focused on the technical aspects of handling a request. Questions about archiving techniques, suppression flags and data cleansing have been raised, to which the usual answer is “What are you doing now?” (Occasionally the reply is a worrying “We’re supposed to be doing something?”) Rarely has the question turned to the person’s experience.
Just as we should be designing the end of the relationship to protect and even enhance our brand, so we should be applying the same approach to this part of the experience. Leaving it as a purely technical exercise is to be avoided, particularly given the potential for confusion and complaint.
Is it really a “right to be forgotten”?
Much of what the “right to be forgotten” requires of our businesses is what we should already be doing. We shouldn’t be processing data we have no good reason to, nor holding it when we don’t have a need to use it. What’s happened is GDPR has given a person the right to explicitly have us remove personal data we probably shouldn’t have been keeping anyway.
The fact it’s being labelled in some circles as a “right to be forgotten” is going to cause some problems. There will be complaints to regulators, to the press and on social media when individuals discover their data hasn’t been deleted because there are valid reasons for it not to be.
In my view, we shouldn’t be tackling this only as a technical problem with some light-touch documentation. We should be applying some experience design to ensure the request is simple to complete, the effects are clearly set out, and a clear and unambiguous confirmation of what’s happened is communicated. If this is done with the same rigour we apply to other aspects of the experience we should see fewer complaints coming through our business, across the regulator’s desk and on social media.