Data & Privacy Exposures are not limited to security breaches
The Right to be Forgotten isn't just a Google issue
When considering data protection, data losses tend to spring to mind. However, this year, the risks of holding data for too long have been at the fore.
The recently publicised "right to be forgotten" case saw the European Court of Justice rule that Google Spain was a data controller due to its capacity to find, index, store and make information available to the public on its website.
The European Court of Justice (ECJ) ruled that search engines must remove web links from search results when requested to do so if the information collated is deemed to be out of date, no longer relevant, or excessive.
At the time of writing, it is estimated that over 91,000 "forget-me" requests covering a total of 328,000 links have been submitted since Google launched the service. Google is no longer alone - Microsoft has now confirmed that it is implementing its own form for Bing, leaving Yahoo as the only major operator without a means of requesting removal.
The Google decision, combined with heightened public awareness over excessive data collection in light of the NSA scandal, means that data controllers need to be extra vigilant over the data they maintain – what it is, why it is retained, how it is stored and, importantly, for how long. This is a legal obligation independent of keeping data secure, yet one that carries risks that must be considered by any organisation that controls personal data.
Hans Allnut & Helen Nuttall 24 July 14