A year after the GDPR came into effect, a new study suggests many large UK businesses are struggling to process requests from customers who want to access the personal information stored about them.
The study, conducted by software firm Macro 4, looked mainly at large financial services organisations, utilities and telcos and found that around a third were non-compliant, with five overshooting the one-month response time limit specified by the regulation.
Other reasons for non-compliance included:
- Failing to remove personal information about someone else (not the customer) within the data that was supplied (so breaching another individual’s privacy)
- Providing information in an electronic format that was difficult to access and incomprehensible when opened (the ICO guidelines state that information responding to data subject access requests should be provided in a ‘commonly used electronic format’)
- Failing to complete the request at all, due to systems or process failures
- One organisation saying they would respond within 40 days – so giving themselves more time than is stipulated by the GDPR for turning around requests
“The overall picture painted by the study is that even after a year, many businesses – including some major global brands – still do not have efficient systems in place to manage GDPR information requests from their customers,” said Lynda Kershaw of Macro 4, a software division of UNICOM® Global, which conducted the study. “In many cases the customer service agents we spoke to did not immediately understand what they were being asked for, or how to respond. Nearly half of the businesses came back to the customer with multiple follow-up queries for more information or clarification before they could process the information request – and three organizations came back more than three times.”
Macro 4, which provides IT solutions to support GDPR compliance, evaluated how 37 businesses that operate in the UK responded to data subject access requests (DSARs) made during April 2019. The sample consisted of financial services companies (17), utilities and telecommunications providers (7) and smaller numbers from a variety of other sectors (including well known ecommerce businesses, loyalty card providers, hotels and leisure services companies).
Nearly a third of businesses are non-compliant
Of the 12 organizations that were not fully compliant in responding to the data subject access requests, five took longer than the permitted one calendar month to send the personal information. One said they would respond within 40 days, giving themselves more time than the GDPR stipulates (40 days was the deadline under the pre-GDPR Data Protection Act 1998, which no longer applies).
Two businesses included personal information about another individual (in one case the email address, national insurance number and mobile phone number of the customer’s partner), so breaching that person’s right to privacy. Three came back with very scant, incomplete information in response to the request; one supplied the information as a JSON file, a developer-oriented format rather than one a typical customer would have the tools to open, and the contents were incomprehensible once the customer finally managed to open it; and another provided rows and rows of text that were impossible to make sense of.
Customer facing staff still in the dark
In fewer than half (14) of the cases did the customer service agent know exactly how to respond when a customer asked to make ‘a data subject access request to find out what personal data you’re holding about me’. For 22 of the contacts that were made, the agent was unsure how to deal with a data subject access request and needed to check with a colleague or look it up on their system. One agent appeared knowledgeable at the time but the request was subsequently lost from the system.
A related issue was a lack of knowledge about how long a request would take to process, with a number of frontline staff being overly optimistic. Several quoted a few days to a couple of weeks, whereas the follow-up correspondence invariably stated a longer turnaround time, or the response simply took longer than promised.
Repeated call-backs and follow-ups required
Around half (18) of the businesses in the sample did not initially capture all the information needed from the customer in order to process the request in one go. They made contact with the customer again by phone, email or letter to request additional information or verification not mentioned on the first call. Eight businesses had to make one such follow-up, six made two, and one made three follow-ups. Three organizations had to follow up more than three times.
Businesses trying to limit the scope of the information request
Around 40 per cent of the businesses (15) asked customers to specify exactly what personal information was required (rather than sending all personal information they hold about the individual). Some organizations asked for this type of clarification multiple times.
“It really felt like some organizations were trying to make the request easier to handle by reducing the amount of data they would need to collate,” said Kershaw. “But if you don’t know what personal information a company is holding on you, how can you be specific about what they should send you? One notable area where customers were expected to jump through hoops was voice recordings – sometimes they were asked to provide precise dates and times of calls, or who they spoke to, for example. In most cases that just isn’t practical.”
Information supplied in a range of formats
Fewer than half (15) of the businesses in the sample said they could make the personal information available electronically, despite the GDPR advising (Recital 63) that ‘where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data’.
The information that was supplied electronically was delivered in a range of formats and included screenshots of CRM and transactional systems, PDFs, Microsoft Word documents and Excel spreadsheets. Call recordings were supplied as WAV files, and sometimes on CDs. Often the information was password protected and sent via a temporary link.
The information supplied, both on paper and electronically, was variable in quantity and quality. In some cases an explanation of the purposes of the data processing was included, together with the meanings of abbreviations and system codes, but in other cases the information was in a raw format that was unintelligible to the customer.