From GDPR to CCPA, the right to data access is the Achilles’ Heel of data privacy compliance and customer trust – Part 1
This blog is the first of a series dedicated to Data Subject Access Requests (DSARs) and its importance to regain customer trust.
In December 2019 we released the second edition of our data privacy benchmark, and this year again, results are shocking: 18 months after GDPR came into force, 58% of surveyed companies are not performing with data privacy. The issue relates to the right of access, which gives individuals the right to obtain a copy of their personal data. This is worrying for companies not only since:
- regulators reported that Data Subject Access Requests (DSARs) make many of the complaints they receive and started to deliver fines accordingly;
- failing to meet this requirement directly and negatively impacts customer relationships.
Targeting the companies that failed to respond to our previous survey one year ago, we’ve also shown that only 32% of organizations that failed in 2018 have since fixed the issue. Although this shows a progress, it also hints that meeting this requirement might be tougher than expected, while many organizations might be overwhelmed with those requests up to a point that they fail to deliver in a professional way, and on delays. Organizations are struggling to materialize data privacy properly; however, they are taking it very seriously according to a recent LinkedIn survey that shows that the Data Privacy Officer is the fastest growing job across Europe together with the Artificial Intelligence Specialist.
In this first blog post, I’ll explain what is DSAR and why it is so important for the organizations.
What is DSAR?
Most of data privacy regulations - such as GDPR in Europe, CCPA in California, PIPEDA in Canada, PDPA in Singapore, LGPD in Brazil, DPA in Philippines, and PoPI in South Africa… - include Rights for Data Access that empower individuals with the control over their personal data. Individuals, referred to as data subjects (depending on regulations, those can be consumers, stakeholders in a B2B relationships, employees, members…) can make a subject access request verbally or a written one. Organizations have a limited delay to respond to this request (one month with GDPR, 45 days with CCPA, 15 days with LGPD…) and generally cannot charge a fee to fulfill the request.
Why should companies care about Data Subject Access Rights?
There is a misconception that data privacy is only a matter of governance, risk, and compliance. Indeed, with the rise of regulations such as GDPR or CCPA and the related record fines that they can trigger in case of violations, data privacy has now caught the attention of the execs.
But, first and foremost, data privacy is about customer relationships and digital transformation: the real challenge is to efficiently use customer data while protecting it according to customer’s privacy preferences. Organizations should not only care because it is regulated, but also because their customers urge them to do so. A Pega survey has shown that a whopping 82 percent of EU consumers welcome their new data privacy rights including the right to know what personal data organizations have about them and to have control over them.
Dealing with the surge
Customers are exerting their data access rights and as a result, organizations are facing a surge of requests, and will face even more when CCPA enters into effect in 2020: A Cap Gemini survey indicates that one third of organizations have received more than 1000 requests (including 50% of US organizations). On its side, ICO, the UK regulator, revealed that 46% of the GDPR complaints received so far are linked to this topic.
Following up the complaints, fines are popping out as well. In the highest fine delivered so far by the German data privacy regulator an online food delivery service got fined for non-observance of the rights of data subjects. In addition, the Austrian Data Privacy activist NGO, NOYB (None Of Your Business) has filed a wave of complaints against 8 streaming companies, including Amazon Prime, Apple Music, Soundcloud, Spotify, Youtube, along with 3 smaller businesses. Finally, we are only at the beginning of a wave of collective actions, where a group of customers might sue organizations when they fail to respect their privacy rights including answering to their data access requests. While GDPR allows that to some extent, CCPA might bring this to a whole new level in a litigious country where class actions have turned into a common phenomenon.
What’s also important to note is that DSARs are expensive, time-consuming, and really hard data crunching work unless organizations streamline the fulfilment process and automate modern data management technologies such as a data catalog, data integration and privacy centers. Gartner estimates that a DSAR costs an average $1406 and that only 15% of organizations can fulfill them in less than one week. With the surge of DSAR, the related costs are exploding, and you no longer can handle them as an ad hoc, manual process.
The second blog post will focus on the customer side and how painful the DSAR process can be.
For more information about achieving global data privacy compliance, read this practical guide on data privacy compliance.