As many as three in four organisations in the UK are at present unable to meet an essential requirement under GDPR that obliges organisations to fulfil data access requests from their customers within 30 days of receiving them.
According to a report from cloud data integration solutions provider Talend, only 17 percent of organisations are at present able to honour data access requests from their customers within the mandated 30-day timeline, while a further 9 percent respond to such requests but fail to do so either completely or within the required timeline.
Failure to honour access requests may attract fines under GDPR
The remaining 74 percent of UK-based organisations have been unable to adhere to this particular requirement of GDPR, even though over six months have passed since the new data protection law came into effect in Europe.
"A delay, or complete lack of a response, will only continue to damage free-falling consumer trust in how organisations store and organise their data. What’s more, the world is on tenterhooks waiting for the first major fine to be enforced for a breach of the GDPR," said Jean-Michel Franco, Senior Director of Data Governance Products at Talend.
"After all, consumers are now feeling more empowered to put companies and regulators under pressure to ensure that their rights are respected, whether through individual complaints or group action, as we’ve seen recently with a huge spike in reports to the ICO (up by 160 per cent) and class action by 45,000 European citizens driven by three associations including Privacy International," he added.
According to Yves le Roux CISSP, Paul Lanois SSCP, Visia Tartaglione CISSP and Eric Tierling CISSP, members of the (ISC)2 EMEA Advisory Council GDPR Task Force, GDPR places a premium on consumer expectations of data privacy and significantly extends the scope of individuals' rights over their personal data.
The "right of access", together with requests made by individuals for the correction or erasure of personal data an organisation holds or processes, has emerged as one of the most challenging areas to address, especially since organisations have widely admitted that they are unaware of the nature and value of up to 70% of the data they previously collected.
Essential checklist for firms to comply with such requests
The Task Force recommends that organisations establish a data governance regime, since this gives them a basis to demonstrate immediately their commitment to comply, both to their in-country Data Protection Authority (DPA) and to the individuals who may exercise their rights. Their recommendations are as follows:
- Enhance transparency: The first principle the regulation aims to establish is transparency of processing. It should be clear to individuals to what extent their personal data is used, expressed in easily accessible and easy-to-understand communications. Don't wait for an individual to make a request: regular, proactive communication, backed by accountable policies, supports strong customer relationships and reduces the motivation to resort to a formal request.
- Acknowledge the request: Be ready with a customer service communication that acknowledges receipt of a request and outlines the steps your organisation will take to respond within 30 days. Be specific: state that the request will be assessed, and that your organisation will be in touch within a specified time frame either to clarify the request or to respond to it.
- Clarify customer expectation: Don’t assume every customer is looking to have you provide them with anything that could be considered personal data under the letter of the legislation. Contact them, learn the motivation for the request and respond to this. It could be that invoking a customer service or complaint procedure would be the more appropriate response.
- Ensure the legitimacy of the request: Set criteria for referring requests for legal assessment. You can ask the person who is submitting the request to make their case for it. There could also be overriding regulations in certain specific situations and customer obligations.
- Document policy for search criteria: Data mapping enhances the record of processing activities and provides an overview of the data flows within, to and from an organisation. Even if not all relevant data is captured, you will be able to demonstrate that you made a reasonable effort to capture as much as possible.
- Anticipate spikes: Well-known brands expect a flood of first requests as the legislation comes into effect and customers seek to test it. Previous experience bears this out: when the European Court of Justice upheld an applicant's case to have a news item removed from search engine results, many similar requests followed in the aftermath.
- Automate and maintain: Once inventories are documented, criteria set, and processes defined, you can look to develop tools or automate processes. The business case will dictate the validity of such an investment, and processes will have to be reviewed regularly as they will have to change as the business changes, and improve with experience.