A large number of financial services organisations, telecommunication providers, e-commerce firms, utilities, hotels and leisure services companies operating in the UK are still unable to honour data access requests from customers even though it has been twelve months since GDPR was implemented.
In January this year, a report from cloud data integration provider Talend revealed that as many as 75 percent of UK-based organisations were unable to meet an essential GDPR requirement: responding to data access requests from customers within 30 days of receipt.
Talend noted that at that time only 17 percent of organisations were honouring data access requests from their customers within the mandated 30-day timeline, while a further 9 percent were responding to such requests but failing to do so either completely or within the required timeline.
Noting that a majority of organisations were falling foul of GDPR by not honouring data access requests as the regulation requires, the Information Commissioner's Office (ICO) issued a warning in February stating that failure to honour such requests within thirty days could expose organisations to criminal prosecution.
"The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.
"Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution," said Mike Shaw, Criminal Enforcement Manager at the ICO.
A third of UK organisations failing to honour data access requests
Despite the ICO's warning, many large and medium-sized organisations are still failing to honour data access requests made by customers, even though such organisations are no longer in the majority. As per a new study conducted by Macro 4, a software division of UNICOM® Global, 33 percent of organisations across sectors such as financial services, e-commerce, hospitality, leisure services, telecommunications, and utilities are failing to honour data access requests.
Macro 4 noted that while some businesses are failing to honour customer requests because of system or process failures, others are unable to do so because their customer service agents do not understand what customers are asking for. In some cases the information supplied to customers included personal data about someone else, and in others the information was difficult to access or incomprehensible when opened.
"The overall picture painted by the study is that even after a year, many businesses – including some major global brands – still do not have efficient systems in place to manage GDPR information requests from their customers," said Lynda Kershaw of Macro 4.
"In many cases the customer service agents we spoke to did not immediately understand what they were being asked for, or how to respond. Nearly half of the businesses came back to the customer with multiple follow-up queries for more information or clarification before they could process the information request – and three organisations came back more than three times," she added.
Macro 4 also noted that of the 37 organisations surveyed, five took longer than thirty days to provide the requested information, eighteen repeatedly contacted the customer to clarify what information they were looking for, and fewer than half were able to make the personal information available electronically.
At the same time, customer service agents in only 14 out of 37 organisations knew exactly how to respond when customers called in to enquire about what data their organisation held about them. A vast majority of agents were unsure about how to respond to such queries and many of them provided inaccurate information on how long their organisations would take to honour data access requests.
"It really felt like some organisations were trying to make the request easier to handle by reducing the amount of data they would need to collate. But if you don’t know what personal information a company is holding on you, how can you be specific about what they should send you? One notable area where customers were expected to jump through hoops was voice recordings – sometimes they were asked to provide precise dates and times of calls, or who they spoke to, for example. In most cases that just isn’t practical," Kershaw added.