The General Data Protection Regulation (GDPR) was meant to be a wake-up call. The time had finally come for big corporations to take data privacy seriously. Unfortunately, however, evidence suggests many organisations are still getting it badly wrong.
Research conducted by Macro 4 a year after the regulation came into effect suggests that some of the biggest global brands are not only failing to grasp the GDPR as an opportunity to build greater consumer trust. They are also quite spectacularly failing to comply with its most basic requirements.
Study reveals systemic GDPR failures
The study analysed the ability of 37 UK-based enterprises to handle customer requests to access their personal data, and found that nearly a third did not comply with the rules set out in the GDPR. There were other cases where companies followed the letter of the law but did not honour the spirit of the GDPR, either because the process of obtaining customer data was very onerous, or because the personal information was not provided in a way that would make much sense to anyone outside the organisation.
Household names in the frame
Of the 37 enterprises contacted, 17 were large financial services companies, while seven were household-name utilities and telecommunications providers. The rest were from a variety of sectors, including high-profile ecommerce businesses, loyalty card providers, hotels and leisure services companies.
New data access rights for consumers
The GDPR gives EU citizens the right to access, free of charge, all of the personal data an organisation holds about them. This is known formally as a data subject access request or DSAR. The organisation has up to one month from the date the DSAR was received to locate the data and fulfil the request.
While the regulation came into effect a little over a year ago on 25th May, 2018, organisations have had several years to get the right systems and processes in place to handle DSARs (the GDPR was approved by the European parliament back in 2016). In fact, customers have had the right to access their data for much longer, albeit at a cost and without the tight timescales and threat of hefty fines imposed by the GDPR. However, our research reveals that even well-known brands are still experiencing compliance problems.
Six major issues highlighted by the research
The study highlights six ways that enterprises are falling down in their handling of DSARs, and provides some useful qualitative feedback on what they need to work on.
1) Failure to meet the DSAR deadline
Five companies in the sample were non-compliant because they missed the one-month DSAR deadline. Judging by the responses we received from the companies in the study, it appeared that a variety of problems had contributed to this, from inefficiencies and lack of staff awareness and training in the front office, to inadequate back office systems to process the requests.
The struggles in the back office were highlighted by the fact that several organisations repeatedly asked us if we could be more specific about the personal information they should supply as part of the DSAR. Some asked for this type of clarification multiple times.
It felt as though some organisations were trying to make the request easier to handle by reducing the amount of data they would need to collate. The problem is: how can a customer say specifically what information they want to access if they don’t know what information about them the organisation is holding in the first place?
It became clear that pulling together certain types of information was a particular problem, especially so in the case of voice recordings. Some companies suggested that it would take ‘much longer’ to process requests if they had to trawl through call recordings, for example.
Proper use of metadata (‘information about information’) makes it easier to classify information so that it is easier to retrieve later on. The research findings suggest that organisations need to get better at attaching suitable metadata to all the different content types that could contain personal data (such as video, emails, call recordings, and so on). Labelling the data appropriately in this way is also an important part of good information governance – how can you manage information properly if you don’t really know what you have?
2) Front office staff uncertainty
At over half of the organisations contacted, the first person who dealt with the request – usually a call centre agent – was unsure what they were being asked about, or not clear about the right steps to follow to process an information request. Many agents had to put us on hold, check with colleagues or look on their IT system.
In addition to the obvious problem of wasting valuable call centre (and customer!) time, this initial lack of understanding contributed to the overall inefficiency.
It meant, for example, that for around half (18) of the organisations contacted, the call handler failed to capture all the information needed from the customer to allow the request to be processed in one go.
As a consequence, the organisation had to make contact again – by phone, email or letter – to request additional information or to obtain verification that was not mentioned on the first call. Eight businesses had to make one follow-up, six made two, and three organisations had to follow up a staggering three or more times.
On top of this, some of the answers given by call centre staff were inaccurate and misleading. Several committed to a faster turnaround time than the back office could actually support, for instance.
As well as providing customer-facing staff with better training and education about DSARs, there needs to be a more joined-up process between the front and back office. Ensuring the call centre agent gathers all the required information at the first point of contact could help save valuable time, as well as sparing the customer from having to take repeated follow-up calls or emails.
3) Systems and process failures
Three of the organisations contacted in the study were non-compliant due to providing only scant, incomplete information. Two failed to complete the request at all as they encountered systems or process failures.
This raises the question of how businesses are managing personal information. Typically only a small proportion of personal data will be located within databases, where it is relatively easy to control. The vast majority will be scattered around the organisation in unstructured formats, including documents, chat logs, texts, and emails. This content often resides in several different systems, controlled by separate business departments, making it difficult to pull together.
Ideally, in order to process DSARs efficiently, organisations should use a centralised information store, such as an enterprise content management system, to bring together all customer information from wherever it is held, and classify it based on a range of criteria, such as name, date, personal content and sensitivity level. The sensitivity level is important because certain types of sensitive personal data, such as health information, carry additional restrictions under the GDPR.
Rigorous data classification is not just useful for locating and extracting personal information to streamline the handling of DSARs. It can also be used to identify and delete information in order to support the ‘right to erasure’ (commonly known as ‘the right to be forgotten’), as well as for applying the principle of data minimisation. Both of these are also key requirements of the GDPR.
Data minimisation is about only retaining personal information for as long as is strictly necessary. Automated procedures can be applied to regularly delete information meeting certain classification criteria – such as customer status or how old the information is – once it is no longer strictly needed or there is no legal requirement to store it.
4) Variable quality of information
The personal information supplied by organisations in the study, whether on paper or electronically, varied greatly in terms of quantity and quality. While some information, such as statements, reports and correspondence, was self-explanatory, other material was much more difficult to understand.
Several organisations supplied screenshots from internal business applications with no labels to explain what abbreviations or system codes referred to, for example. One sent a data file with pages and pages of text which was not easy to read or understand. This falls foul of the guidelines from the Information Commissioner’s Office which say that information should be provided ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’.
At the same time, people don’t just want to know what information is being stored, but why and how it is being processed.
Organisations are required to explain the context in which personal information is used, in a clear and unambiguous way, and this was not always the case. While general information about how customers’ data is used may be available in a company’s privacy statement, the real value from a DSAR comes from taking the opportunity to explain the ‘purposes of processing’ personal data in a way that makes sense to the customer, and avoids the need to read through pages of ‘legalese’.
If companies are providing personal data but not making it clear and easy to understand the context in which it is used, they may technically be complying with the regulation, but are they really meeting the GDPR requirement for transparency?
5) Inability to provide electronic access
Fewer than half (15) of the sample said they could make the personal information available electronically. This was despite the GDPR advising that ‘where possible, the controller [the organisation handling customer data] should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data’.
The Information Commissioner’s Office guidelines state that information responding to data subject access requests should be provided in a ‘commonly used electronic format’. However, one of the businesses in the sample supplied information in a JSON file. Not only is this an electronic format not commonly used by consumers, but the information was incomprehensible once it was finally opened by the customer.
Whatever system you use to satisfy GDPR data access requests, it should be able to bring together all of the diverse information you hold on customers and transform it into commonly used, shareable formats, such as CSV or PDF. Using shareable formats is also important in case you are asked by a customer to transfer their information to another service provider; making data portable in this way is another requirement of the GDPR.
6) Infringing on the data privacy of other customers
Two businesses in the study made the mistake of including personal information about another individual when responding to DSARs. In one case, for example, the email address, national insurance number and mobile phone number of the customer’s partner were included, so breaching that person’s right to privacy.
The systems that organisations use to collate and manage customer information should allow personal data to be identified and controlled at a granular level in order to avoid this type of slip-up. Processes can be put in place to automatically redact information relating to other individuals, such as the names of employees or other customers mentioned in documents (for example in the case of joint mortgage applications), rather than relying on staff to sift through data and redact it manually.
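One way to apply the classification-based retention (section 3) and the automatic redaction of other people's data (section 6) when assembling a DSAR export, as an added example that is not code from the original article or from Macro 4: the record layout, the owner tag on each field, the retention schedule and the sample records are assumptions constructed for illustration.

```python
import csv, io
from datetime import date, timedelta
# Constructed sample (not from the study). Each field is tagged with the data
# subject it belongs to: CUST-1 is the requester, CUST-2 is their partner.
SAMPLE_RECORDS = [
    {"type": "mortgage_application", "date": date(2019, 3, 1),
     "purpose": "Assessing affordability for a joint mortgage",
     "fields": {"applicant_email": ("alex@example.com", "CUST-1"),
                "partner_ni_number": ("QQ123456C", "CUST-2")}},
    {"type": "call_recording", "date": date(2018, 6, 1),
     "purpose": "Quality monitoring of customer service calls",
     "fields": {"transcript": ("Caller asked about overpayments", "CUST-1")}},
    {"type": "call_recording", "date": date(2019, 5, 1),
     "purpose": "Quality monitoring of customer service calls",
     "fields": {"transcript": ("Caller updated mobile number", "CUST-1")}},
    {"type": "marketing_note", "date": date(2019, 4, 1),
     "purpose": "Direct marketing preferences",
     "fields": {"preference": ("opted out", "CUST-2")}},
]
RETENTION = {"call_recording": timedelta(days=180)}  # hypothetical schedule

def minimise(records, today):
    """Data minimisation: drop records held longer than their retention period."""
    return [r for r in records if r["type"] not in RETENTION
            or today - r["date"] <= RETENTION[r["type"]]]

def redact_third_parties(record, subject_id):
    """Keep the requester's own fields; mask fields that belong to anyone else."""
    return {name: (value if owner == subject_id else "[REDACTED: third party]")
            for name, (value, owner) in record["fields"].items()}

def build_dsar_export(records, subject_id, today):
    """Rows for one DSAR: retained records that hold something about the requester."""
    rows = []
    for r in minimise(records, today):
        if all(owner != subject_id for _, owner in r["fields"].values()):
            continue  # record is about someone else entirely
        row = {"record_type": r["type"], "date": str(r["date"]), "purpose": r["purpose"]}
        rows.append({**row, **redact_third_parties(r, subject_id)})
    return rows

def to_csv(rows):
    """Render the export as CSV (a commonly used format) with a stable column order."""
    columns = ["record_type", "date", "purpose"]
    columns += sorted({k for row in rows for k in row} - set(columns))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Calling build_dsar_export(SAMPLE_RECORDS, "CUST-1", date(2019, 6, 1)) keeps the requester's own fields and the purpose of processing for each record, replaces the partner's national insurance number with a redaction marker, and drops the year-old call recording before anything reaches the CSV.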
Being able to process DSARs is a basic requirement of the GDPR. How you handle them will inevitably be taken by customers as an indication of how serious you are about managing their personal data in a responsible manner. The more open, transparent and accurate you can be, the greater the trust they will have that you are doing things in the right way.
Lynda Kershaw, Marketing Manager, Macro 4