{"id":942266,"date":"2019-09-10T13:13:53","date_gmt":"2019-09-10T20:13:53","guid":{"rendered":"http:\/\/customerthink.com\/?p=942266"},"modified":"2019-09-10T13:13:53","modified_gmt":"2019-09-10T20:13:53","slug":"research-reveals-six-common-cx-failures-when-handling-gdpr-information-requests","status":"publish","type":"post","link":"https:\/\/customerthink.com\/research-reveals-six-common-cx-failures-when-handling-gdpr-information-requests\/","title":{"rendered":"Research reveals six common CX failures when handling GDPR information requests"},"content":{"rendered":"

The General Data Protection Regulation (GDPR) was supposed to rebuild trust in the way businesses manage our personal data. That is because the regulation forces organizations to be more open and transparent about what personal data they gather, what they do with it and how they protect it. <\/p>\n

However, in some respects the GDPR is having the opposite effect. A recent study conducted by Macro 4 reveals problems in the way companies are handling data subject access requests \u2013 an important consumer right enshrined in the GDPR \u2013 which threaten to damage consumer trust.
\nUnder the terms of the GDPR, consumers can ask to see all personal data that an organization holds on them. This is known as a data subject access request (DSAR) and companies must supply this information free of charge, within one calendar month. <\/p>\n

Macro 4\u2019s study evaluated how effectively DSARs are being handled by a sample of 37 UK enterprises, including large financial services companies, utility companies and telecommunications providers. The results were surprising. You would expect large, household-name brands to have adequate systems in place to handle customer requests, and to be diligent in meeting their compliance obligations. However, the research uncovered six ways in which companies are failing to meet the requirements of the GDPR and are delivering a level of service that is well below expectations.<\/p>\n

1)\tCompanies are failing to meet DSAR deadlines<\/strong><\/p>\n

Around a third of organizations in the sample were not fully compliant with GDPR rules for handling DSARs, and 14 per cent took longer than the permitted one calendar month to supply the personal information requested. One company indicated that they would respond within 40 days, giving themselves more time than is allowed by the GDPR.<\/p>\n

Breaking a deadline agreed with the customer is a cardinal sin, even more so when it results in regulatory non-compliance. Customers might well start asking themselves, \u201cWhat other rules is this organization breaking that I should be worried about?\u201d
\n
\n2)\tCustomer-facing staff are unsure of how to handle information requests<\/strong><\/p>\n

In 59 per cent of the companies our researchers contacted, the first person who dealt with the customer \u2013 usually a call center agent \u2013 was not clear about the correct process to follow in order to handle a DSAR (and in some cases was even unsure what an information request actually is). Agents had to put the customer on hold, check with colleagues or consult their systems to find out what to do.<\/p>\n

A lack of knowledge of the process led to agents being overly optimistic about how long it would take to turn around information requests. Around 16 per cent did not know how long it would take; 14 per cent quoted two working days or less; and 11 per cent cited a turnaround time of between five and 15 working days. Follow-up correspondence invariably stated a longer time \u2013 typically the one month legal maximum \u2013 or in practice the whole process just took longer than promised by the agent. <\/p>\n

All in all, the customer experience was frustrating, with nearly one out of five calls lasting longer than 15 minutes (and one online chat conversation extending over two days), and mixed messages about timescales leading to confusion and ultimately disappointment. <\/p>\n

3)\tRepeated customer call-backs and follow-ups are required<\/strong><\/p>\n

The survey also highlighted basic process inefficiencies which led to repeated customer call-backs.
\nIn around half of the firms surveyed the agent failed to capture all the information needed from the customer to process the request in a single interaction. These companies needed to contact the customer again \u2013 by phone, email or post \u2013 to request additional information or verification that was not mentioned on the first call. <\/p>\n

Eight businesses had to make one such follow-up, six made two, and one made three follow-ups. Three organizations had to follow up more than three times. <\/p>\n

4)\tPersonal data belonging to other customers is being shared in error<\/strong><\/p>\n

Two businesses in the study made the mistake of including personal information about another individual when responding to information requests. In one case the email address, social security details and mobile phone number of the customer\u2019s partner were included. <\/p>\n

Sharing another person\u2019s data is a clear breach of that individual\u2019s privacy and a serious GDPR compliance failure. For customers concerned about how their own data is being handled (which, by definition, anybody making a data subject access request would be) this sends all the wrong messages and is only likely to raise questions about how serious the company really is when it comes to data protection. <\/p>\n

The systems that organizations use to manage customer information and respond to DSARs must allow personal data to be identified and controlled at a granular level in order to avoid this type of mistake.<\/p>\n

5)\tPersonal information supplied is difficult for customers to understand<\/strong><\/p>\n

The guidelines from the UK Information Commissioner\u2019s Office advise that when organizations respond to a DSAR, the information they provide should be \u2018in a concise, transparent, intelligible and easily accessible form, using clear and plain language\u2019. <\/p>\n

Yet the personal information supplied by organizations in the study, whether on paper or electronically, varied greatly in terms of quantity and quality. While some information, such as statements, reports and correspondence, was self-explanatory, other data was much more difficult to understand. Five organizations supplied screenshots from internal business applications, with limited explanation of what abbreviations or system codes referred to; and one supplied screenshots with parts of the information redacted. In another case, the customer was sent a data file with pages and pages of text strings which were completely unintelligible. <\/p>\n

6)\tOrganizations are trying to limit the scope of the information request<\/strong><\/p>\n

While the GDPR rules give customers the right to see ALL the information an organization might hold about them, nearly half of the businesses in the study asked the customer if they could be more specific about the personal information they wanted to see. Several asked for this type of clarification multiple times. Our researchers felt pressurized to request less information and commented that it seemed that organizations were trying to minimize the workload by reducing the amount of data they would need to provide. <\/p>\n

Is it reasonable to expect customers to specify exactly what information they want if they don\u2019t know what information the organization is holding about them in the first place?<\/p>\n

Macro 4\u2019s study suggests that many organizations, including major brands, still have a considerable way to go before they are judged to be fully compliant in the way they deal with DSARs. That should give cause for concern, considering the threat of fines associated with non-compliance, as well as the adverse impact on customer trust and brand reputation. <\/p>\n

Nearly 18 months after the GDPR came into effect it remains essential for companies to keep reviewing and refining their processes and systems, both for handling information requests and for all aspects of information governance. We are now in a world where customers rightly question how their personal data is being used (or abused). Having clear, efficient and accurate processes for managing that data can be a powerful way for companies to demonstrate just how seriously they take their data protection obligations. And in a world in which customer experience is now an important differentiator, responding efficiently and helpfully to DSARs might just make the difference between retaining and losing customers. <\/p>\n","protected":false},"excerpt":{"rendered":"

The General Data Protection Regulation (GDPR) was supposed to rebuild trust in the way businesses manage our personal data. That is because the regulation forces organizations to be more open and transparent about what personal data they gather, what they do with it and how they protect it. However, in some respects the GDPR is […]<\/p>\n","protected":false},"author":14303,"featured_media":898023,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[128,91,84],"tags":[],"_links":{"self":[{"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/posts\/942266"}],"collection":[{"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/users\/14303"}],"replies":[{"embeddable":true,"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/comments?post=942266"}],"version-history":[{"count":0,"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/posts\/942266\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/media\/898023"}],"wp:attachment":[{"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/media?parent=942266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/categories?post=942266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/customerthink.com\/wp-json\/wp\/v2\/tags?post=942266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}