The General Data Protection Regulation (GDPR) is designed to rebuild trust in how organizations manage data, making them more transparent and accountable for what they do with personal data and how they protect it.
A recent study by Macro 4 sheds light on the problems companies have in handling data subject access requests, a core consumer right enshrined in the GDPR, and on how those failures threaten to damage consumer trust.
Under the terms of the GDPR, consumers have the right to learn how organizations are using their personal data by submitting a Data Subject Access Request (DSAR). The regulation also requires companies to supply this information free of charge, within one calendar month.
Macro 4 evaluated the effectiveness of DSAR handling by sampling 37 UK enterprises across industries. The research identified six ways in which companies fail to meet the requirements of the GDPR and deliver a level of service below expectations.
1) Companies fail to meet DSAR deadlines
Around 40% of organizations in the sample were not fully compliant with GDPR rules for handling DSARs, with 14% taking longer than the permitted one month to supply the personal data requested. Breaking deadlines agreed with the customer is unacceptable, even more so when it results in regulatory non-compliance. Customers also need to understand which rules an organization is expected to follow.
2) Customer-facing staff remain unsure about handling information requests
In almost sixty percent of the companies contacted, the first point of customer contact was unclear about the correct process for responding to a DSAR. This lack of process knowledge led agents to be overly optimistic about the time needed to turn around information requests. Approximately 16% did not even know how long it would take. Follow-up correspondence invariably quoted a longer time than the agent had promised, typically the one-month legal maximum.
3) Repeated call-backs and follow-ups required
The survey also highlighted fundamental process inefficiencies that led to repeated call-backs. In around 50% of the firms surveyed, agents failed to capture all the information needed to process the request efficiently in a single interaction. These companies then had to re-contact the customer – by phone, post, or e-mail – to request additional data or verification that was missed on the first call.
4) Personal data shared in error
Two businesses in the study made the error of including personal data about another individual when responding to information requests. In one case, the email address, contact number, and social security details of the customer’s partner were included.
Sharing another person’s data is a clear breach of that individual’s privacy and a severe GDPR compliance failure. For customers concerned about how their personal data is processed, this sends all the wrong messages and calls into question how seriously the company takes data protection.
The systems organizations use to manage customer information and respond to DSARs must allow personal data to be identified and controlled at a granular level to avoid similar mistakes.
5) Personal data supplied is difficult for customers to comprehend
Guidance published by the UK Information Commissioner’s Office says that when organizations respond to a DSAR, the information should be provided in a transparent, concise, intelligible and easily accessible form, written in clear and understandable language.
The study categorized the personal information supplied by organizations to understand how it varied in quantity and quality. While some information, such as reports, statements, and correspondence, was self-explanatory, other data was much harder to comprehend. Five organizations supplied screenshots with little explanation of what the abbreviations or system codes referred to, while one provided screenshots with information redacted. One customer was sent a data file containing pages of text strings that were utterly incomprehensible.
6) Organizations try to limit the scope of the information request
Nearly half of the businesses in the study asked the customer whether there was more specific personal information they wanted to see. The researchers felt pressured, with the companies apparently trying to minimize their workload by cutting down the data they had to provide. The question is whether it is reasonable to expect customers to specify what information they want.
Macro 4’s study concluded that many organizations, including major brands, still have a long way to go before they can be confident they are fully compliant in handling DSARs.