Over half of companies surveyed were not able to meet data access and portability requests within the GDPR-specified one-month time limit
58% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by GDPR (General Data Protection Regulation) within the one-month time limit set out in the regulation, reveals updated research from Talend (NASDAQ: TLND), a global leader in cloud data integration and data integrity.
In September 2018, Talend released the results of its first GDPR research benchmark, which aimed to assess the ability of organizations to achieve right to access and portability compliance with the European regulation. At that time, 70% of the companies surveyed reported they had failed to provide an individual's data within one month. One year later, Talend surveyed a new population of companies, as well as the companies which reported a failure to comply in the first benchmark, in order to map improvement. Although the overall percentage of companies that reported compliance increased to 42%, the rate remains low 18 months after the regulation came into force.
"These new results show clearly that Data Subject Access Rights is still the Achilles' heel of most organizations," said Jean-Michel Franco, Senior Director of Data Governance Products at Talend. "To fully comply with GDPR it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted. With several data protection regulations coming into force in the US (California Consumer Privacy Act in January 2020), across APAC (PDPA in Thailand in May 2020), and in Latin America (LGPD in Brazil in August 2020), organizations need to start a data governance transformation to deliver a 360 degree view of customers and empower the people in charge of data protection with more automated data processing and delivery. Organizations must do more to regain the trust of their data subjects and be aware that they risk very significant fines and significant reputational damage in the event of non-compliance and especially through class actions – both of which could prove to be severely detrimental to a business."
Major findings of the research benchmark include:
The "Laggards": Public sector organizations and companies in media and telecommunications industries are struggling to meet the requests
The research revealed that only 29% of the public sector organizations surveyed could provide the data within the one-month limit. With an increasing use of data and new technologies - facial recognition, artificial intelligence - by the public sector to improve the citizen experience, the need for more integrated data governance is a must-have for 2020 and beyond. The same observation applies to companies in the media and telecommunications industries; only 32% of these organizations reported that they could provide the correct data on time.
The "Could Do Better": Retail, financial services, travel, transport and hospitality firms barely reach an average success rate
Compared to last year, retail companies improved their success rate, with 46% of such companies reporting they provided correct responses within the one-month limit. A greater proportion of companies in this industry started to take a customer-centric approach to improve both the experience and internal processes. The same situation occurs with organizations in finance as well as in the travel, transport, and hospitality industries. In addition, the latter are considered the best performers, as companies in that industry represent 38% of all the organizations that provided data in less than 16 days.
The lack of automation remains a barrier to success
One takeaway from this new benchmark is the lack of automation in processing requests. One of the main reasons companies failed to comply was the lack of a consolidated view of data and clear internal ownership over pieces of data. In the financial services industry, for example, clients may have multiple contracts with a company that may not be located in one place, making it difficult to retrieve all necessary information. Processing the requests thus remains very manual and often involves the business users, e.g. the insurance representatives in the case of an insurance company. In addition, processing Subject Right Requests can be very costly; according to a recent Gartner survey, companies "spend, on average, more than $1,400 to answer a single SRR."
ID proof and requesting process should be improved
The research also highlights the lack of an identity check on the individual requesting data during the data request process. Overall, only 20% of the organizations surveyed asked for proof of identification. Moreover, of the companies surveyed that reported asking for proof of identification, very few use an online and secure way of sharing ID documents. Instead, most of the time, copies of identification were provided by email. The requesting process also remains cumbersome, with reported difficulties including finding the right email address to send the request to, and follow-up emails because the data is incomplete or because the files can't be opened.
The full results of the benchmark will be presented by Jean-Michel Franco at the Data Governance Winter Conference in Delray Beach, Florida. For more information about how to deliver trusted data at speed and meet new and future data challenges, read the Talend Data Trust Readiness Report.
About the Research
Talend conducted market research to assess companies’ ability to comply with the new GDPR regulation. The research involved 103 GDPR-relevant companies across the globe (EU-based companies [84%], and NORAM-based companies [8%] and APAC-based companies [8%] that conduct business in Europe) from a range of industries (retail, media, technology, utilities & telecommunications, public sector, finance, and travel, transportation & hospitality).
The analysis involved the following:
- Assessing whether companies had updated their privacy policies to account for GDPR
- Researching whether companies had dedicated ways for consumers to request GDPR data (i.e., the personal information the company has on them)
- Requesting GDPR data and assessing how quickly and thoroughly companies comply
- Requesting GDPR data in a way that may be directly accessed and reused by the individual (data portability)
 Gartner: 5 Areas Where AI Will Turbocharge Privacy Readiness, Bart Willemsen, 20 August 2019