GDPR: What to do when customers demand access to personal data

While many of the headlines about the General Data Protection Regulation (GDPR) focus on the large fines that organisations could face in the event of security breaches, another big concern are so called data subject access requests. If your organisation is holding personal information about individuals then those people have the right to request access to all the data you have on them - and you must aim to process all requests free of charge within 30 days.

Is your business geared up to cope with that? It probably depends on how much data you are holding, how many requests you have to process and the systems you have in place to identify and collate personal information.    

Macro 4 conducted a poll of 1,000 UK consumers to understand their views on data privacy ahead of the GDPR taking effect. It included asking people what would prompt them to make a data access request. These are their answers. 

A suspicion that information is held without consent   

Perhaps not surprisingly, the most common circumstance in which people felt they would make a request was if they suspected that an organisation was holding information without their consent: 52 per cent gave this as a reason.   

If your organisation wants to continue holding people’s personal information, then transparency is going to be essential. It is important that you are able to reassure customers by responding swiftly to data access requests and you must also make it easy for them to have their information deleted from your records (this is also a requirement of the GDPR).    

Curiosity 

Next, 39 per cent of the survey sample said they would consider requesting access to their data just because they are curious to see what information companies are holding about them. It is human nature for people’s curiosity to be piqued, and this is even more likely to happen if, as expected, there is widespread publicity about the additional rights being given to consumers when the new regulation goes live.   

The temptation of compensation pay-outs 

26 per cent of consumers said they would make a request if there was a chance of compensation – which is possible if the rules were not being followed or their privacy was being breached, for example. Some experts believe GDPR compensation activity might follow in the footsteps of Payment Protection Insurance (PPI) litigation, with potentially hundreds or thousands of individuals being brought together by law firms to mount ‘no-win, no-fee’ class actions against organisations who have not adhered to the regulation. Some predict that fines demanded by GDPR regulators – although huge in their own right – will be dwarfed by these compensation pay-outs. 

Revenge 

The public recognises that processing data access requests is an administrative task that imposes a cost, however large or small. That is why nearly one in 5 people (17 per cent) said they would consider using a data request in order to ‘get back’ at companies who had given them a negative experience.    

Over 90% of UK consumers are interested in accessing their personal information 

The research indicates that we can probably expect a high number of requests from people wanting access to their data – especially as 42% of the sample said they find it difficult to keep track of personal information they have consented to organisations collecting. Of the UK consumers surveyed, just seven per cent would not be interested in seeing the personal information companies are holding about them.   

What constitutes personal information? 

One of the major challenges connected with data access requests is the breadth of material that now constitutes personal information. It could be absolutely anything that is identifiable to an individual: from contact details, date of birth and credit card numbers, to the content of emails and social media conversations, letters, bills and policy documents.   

Difficulties managing unstructured information 

Usually only a small proportion of personal data is located within databases, where it is relatively easy to control. The vast majority is spread around organisations in a wide range of unstructured formats – including documents, voice recordings, chat logs, texts and emails. These are stored in diverse locations controlled by separate business departments and therefore cannot be pulled together easily.   

In order to process data access requests efficiently you need to create a centralised system that lets you identify and categorise information related to individuals. This will help you manage and access information easily, applying criteria such as data owner, sensitivity level, and so on.   

Online behaviour tracking 

Another related issue is online behavioural tracking information (such as the ads people click, the sites they visit and the products they buy). This is now defined as personal data if the individuals concerned can be identified (for example using Cookies or IP addresses). You should expect to field customers’ questions about this data and how you are using it: especially as 62 per cent of the survey sample said they were in favour of stricter rules in this area.    

Making data shareable and portable    

Whatever system you use to satisfy data access requests, it has to be able to bring together all of the diverse information you hold on customers and transform it into commonly used, shareable formats, such as CSV or XML, so that it is easy to read and understand. Supporting these open formats is also important in case you are asked by a customer to transfer their information to another service provider – and making data portable in this way is another requirement of the GDPR. 

Information lifecycle management  

Ideally you should be able to set data retention policies to manage information from cradle to grave. This means having the ability to define rules so that data is erased either automatically or on request when there is no longer a legitimate purpose for keeping it. This is important in order to conform to the GDPR requirement for data minimisation: limiting the amount of personal data collected, stored and used to the absolute minimum required. Also important is being able to monitor and report on all activities related to the data, such as access, erasure and distribution to third parties. 

Dealing with legacy  

Legacy systems or older content storage systems pose another challenge for data access requests and for the GDPR generally. Sometimes these systems, even if they are not actively used, are kept running because they hold important historical data, including customer information. However, they often do not provide the security, flexibility or accountability required to support compliance.

You will need to find a way to extract the data you need from these problem systems and maintain access to it in an accessible format within a compliant environment.   

An opportunity to build greater trust 

If your organisation holds the personal information of EU residents, you need to get ready for processing a potentially large number of data access requests as part of your GDPR compliance strategy. That requires putting effective systems in place to identify, collate and make the data available to individuals upon request in an accessible way.   

The better you are at fulfilling this obligation, and the more open you are about how you are using personal information, the greater the trust you will generate among customers, and that could directly impact sales: in Macro 4’s survey, 42% of UK consumers said they would be more likely to use a company that made it easier for them to understand what personal information it was holding about them and how it is used. So it appears that how well you embrace the GDPR could become an important competitive differentiator in the months and years ahead.      

Lynda Kershaw, Marketing Manager at Macro 4 

Image Credit: Alexskopje / Shutterstock