The General Data Protection Regulation (GDPR) was supposed to rebuild trust in the way businesses manage our personal data. That is because the regulation forces organizations to be more open and transparent about what personal data they gather, what they do with it and how they protect it.
However, in some respects the GDPR is having the opposite effect. A recent study conducted by Macro 4 reveals problems in the way companies are handling data subject access requests – an important consumer right enshrined in the GDPR – which threaten to damage consumer trust.
Under the terms of the GDPR, consumers can ask to see all personal data that an organization holds on them. This is known as a data subject access request (DSAR) and companies must supply this information free of charge, within one calendar month.
Macro 4’s study evaluated how effectively DSARs are being handled by a sample of 37 UK enterprises, including large financial services companies, utility companies and telecommunications providers. The results were surprising. You would expect large, household-name brands to have adequate systems in place to handle customer requests, and to be diligent in meeting their compliance obligations. However, the research uncovered six ways in which companies are failing to meet the requirements of the GDPR and are delivering a level of service that is well below expectations.
1) Companies are failing to meet DSAR deadlines
Around a third of organizations in the sample were not fully compliant with GDPR rules for handling DSARs, and 14 per cent took longer than the permitted one calendar month to supply the personal information requested. One company indicated that they would respond within 40 days, giving themselves more time than is allowed by the GDPR.
Breaking a deadline agreed with the customer is a cardinal sin, even more so when it results in regulatory non-compliance. Customers might well start asking themselves, “What other rules is this organization breaking that I should be worried about?”
2) Customer-facing staff are unsure of how to handle information requests
In 59 per cent of the companies our researchers contacted, the first person who dealt with the customer – usually a call center agent – was not clear about the correct process to follow in order to handle a DSAR (and in some cases was even unsure what an information request actually is). Agents had to put the customer on hold, check with colleagues or consult their systems to find out what to do.
A lack of knowledge of the process led to agents being overly optimistic about how long it would take to turn around information requests. Around 16 per cent did not know how long it would take; 14 per cent quoted two working days or less; and 11 per cent cited a turnaround time of between five and 15 working days. Follow-up correspondence invariably stated a longer time – typically the one month legal maximum – or in practice the whole process just took longer than promised by the agent.
All in all, the customer experience was frustrating, with nearly one out of five calls lasting longer than 15 minutes (and one online chat conversation extending over two days), and mixed messages about timescales leading to confusion and ultimately disappointment.
3) Repeated customer call-backs and follow-ups are required
The survey also highlighted basic process inefficiencies which led to repeated customer call-backs.
In around half of the firms surveyed the agent failed to capture all the information needed from the customer to process the request in a single interaction. These companies needed to contact the customer again – by phone, email or post – to request additional information or verification that was not mentioned on the first call.
Eight businesses had to make one such follow-up, six made two, and one made three follow-ups. Three organizations had to follow up more than three times.
4) Personal data belonging to other customers is being shared in error
Two businesses in the study made the mistake of including personal information about another individual when responding to information requests. In one case the email address, social security details and mobile phone number of the customer’s partner were included.
Sharing another person’s data is a clear breach of that individual’s privacy and a serious GDPR compliance failure. For customers concerned about how their own data is being handled (which, by definition, anybody making a data subject access request would be) this sends all the wrong messages and is only likely to raise questions about how serious the company really is when it comes to data protection.
The systems that organizations use to manage customer information and respond to DSARs must allow personal data to be identified and controlled at a granular level in order to avoid this type of mistake.
5) Personal information supplied is difficult for customers to understand
The guidelines from the UK Information Commissioner’s Office advise that when organizations respond to a DSAR, the information they provide should be ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’.
Yet the personal information supplied by organizations in the study, whether on paper or electronically, varied greatly in terms of quantity and quality. While some information, such as statements, reports and correspondence, was self-explanatory, other data was much more difficult to understand. Five organizations supplied screenshots from internal business applications, with limited explanation of what abbreviations or system codes referred to; and one supplied screenshots with parts of the information redacted. In another case, the customer was sent a data file with pages and pages of text strings which were completely unintelligible.
6) Organizations are trying to limit the scope of the information request
While the GDPR rules give customers the right to see ALL the information an organization might hold about them, nearly half of the businesses in the study asked the customer if they could be more specific about the personal information they wanted to see. Several asked for this type of clarification multiple times. Our researchers felt pressured to request less information and commented that it seemed that organizations were trying to minimize the workload by reducing the amount of data they would need to provide.
Is it reasonable to expect customers to specify exactly what information they want if they don’t know what information the organization is holding about them in the first place?
Macro 4’s study suggests that many organizations, including major brands, still have a considerable way to go before they are judged to be fully compliant in the way they deal with DSARs. That should give cause for concern, considering the threat of fines associated with non-compliance, as well as the adverse impact on customer trust and brand reputation.
Nearly 18 months after the GDPR came into effect it remains essential for companies to keep reviewing and refining their processes and systems, both for handling information requests and for all aspects of information governance. We are now in a world where customers rightly question how their personal data is being used (or abused). Having clear, efficient and accurate processes for managing that data can be a powerful way for companies to demonstrate just how seriously they take their data protection obligations. And in a world in which customer experience is now an important differentiator, responding efficiently and helpfully to DSARs might just make the difference between retaining and losing customers.