The results of a survey by Talend show that 58% of businesses worldwide fail to address requests from individuals for a copy of their personal data within the one-month time limit as required by GDPR.
Bad, But Better Than Last Year
The survey, which involved 103 GDPR-relevant companies across the globe (84% of which were EU-based companies) revealed that more than 18 months after the General Data Protection Regulation (GDPR) came into force, most companies are still not complying with the Regulation when it comes to data requests.
Even though a 58% failure to comply rate is not good, it is an improvement in 2018 when 70% of the companies surveyed reported they had failed to provide an individual’s data within one month.
Public Sector, Media & Telecoms Worst Offenders
The Talend survey revealed that only 29% of public sector organisations and only 32% of companies in the media and telecommunications industries were able to respond with the correct data within the one-month limit, putting them at the bottom of the compliance table for this issue.
Average Performers
The survey also showed that companies in the retail (46%), financial services, travel, transport, and hospitality sectors barely achieved an average response rate within the one-month limit. This, however, was a small improvement on the previous year.
Why?
According to Talend, the lack of a consolidated view of data and clear internal ownership over pieces of data, and a lack of automation in processing requests are key reasons why companies are failing to respond to data requests within the legal time limit.
In some industry sectors too (e.g. financial services), retrieval of the information may be complicated by clients perhaps having many different contracts with the same company with their data being spread across different offices and systems. This, coupled with the fact that processing data requests is often manual, time-consuming, and, therefore, costly (“spend, on average, more than $1,400 to answer a single SRR” – Gartner) goes some way to explaining the slow response. (SRR means subject rights request)
Also, there is a lack of proper ID checks by companies where data requests are concerned with only 20% asking for ID, and there have also been reports of companies struggling to find the right email address to send the data requested to.
What Does This Mean For Your Business?
With GDPR becoming law 18 months ago, the potential fines for non-compliance being large, and with companies and organisations having appointed specific people to be in charge of data management and security, these results do look a little disappointing on the surface, and many businesses would expect to do better. However, GDPR has brought a much larger volume of data requests for some organisations and back in June it was even reported by law firm Squire Patton Boggs that one year on from the introduction of GDPR, companies were facing cost pressures from a large number of subject access requests (SARs) coming from their own employees.
Nevertheless, the shift in responsibility towards companies that GDPR has brought, and the widespread knowledge about GDPR is a reminder also, that companies really should have a system and clear policies and procedures in place that enables them to respond quickly and in a compliant way to data requests, whoever they are from.