Posted by Jessica Twentyman | 3 Oct 2011
Internet giant Google often finds itself under fire for the way it manages users’ personal details, with the list of countries investigating its alleged privacy intrusions in the past two years running to India, Italy, Australia, the US, Japan and many more. In different parts of the world, privacy concerns over Google ― only matched by those associated with Facebook’s policies ― have given rise to calls for formal legislation, and the European Union is likely to be the first to enshrine the so-called “right to be forgotten” in a legal directive to member states.
That has had Google back-pedalling fast. Speaking at its “Big Tent” event on privacy law, Internet policy and freedom of speech in May, executive chairman Eric Schmidt declared the company was willing to grant individuals more control over their online personas and would respect new laws allowing users to amend or remove personal details that they share with it. “You should be able to delete the information that we know about you, at least that [which] we control,” he said.
This is broadly in line with recent pronouncements made by Viviane Reding, EU commissioner for Justice, Fundamental Rights and Citizenship. “People shall have the right ― and not [just] the possibility ― to withdraw their consent to data processing,” she told the European parliament in March. “The burden of proof should be on data controllers ― those who process your personal data ― rather than individuals having to prove that collecting their data is not necessary.” The first draft of this law is expected later this year.
For CIOs across Europe, as well as those whose organizations engage with EU citizens, the implications are far-reaching. The debate surrounding the “right to be forgotten” focuses almost exclusively on search engine companies and social networking sites. But what does it mean for other “data controllers,” and more specifically, mainstream commercial organizations that keep personal records relating to employees and customers?
In many ways, customers of such companies already have a “right to be forgotten,” says Liz Fitzsimons, a senior associate at international law firm Eversheds who specializes in data protection and freedom of information. The publicity surrounding the right to be forgotten, she says, simply emphasizes rights that already exist under the EU’s Data Protection Directive.
“One of the primary principles expressed here is that personal data cannot be retained for any longer than is reasonably necessary, bearing in mind the reasons it was collected in the first place,” she says. As a result, any business subject to EU laws should already have a records management policy in place that clearly sets out its retention periods for each class of personal data it holds and its strategy for securely deleting that data once the relevant period has elapsed.
“Records management isn’t about an automatic, one-size-fits-all response to retention, but about taking a commonsense approach,” Fitzsimons says. “Ask yourself: Do I need to keep this data to comply with a particular law? Do I need it for risk management purposes? Why else might I need to keep it? If there’s no good reason, it should generally be deleted as soon as possible. That saves on storage costs and makes other information easier to find when needed.”
That last point is important, because under the various national implementations of the Data Protection Directive, individuals (or “data subjects”) can ask to see the information about themselves that a company holds on its computers and paper records, via a “subject access request.” They are then entitled to demand the amendment or deletion of inaccurate or irrelevant data ― giving them, in effect, a “right to be forgotten.”
However, there’s plenty of evidence that many companies continue to fall down here. In the UK, for example, it was recently revealed that official complaints citing data protection breaches at banks were running at almost 10 a week. Complaints centred mainly on the banks in question failing to provide accurate copies of the data they held on data subjects in a timely manner.
So while the “right to be forgotten” may already apply to some customers, exercising that right is often difficult and sometimes ineffective.