From GDPR to CCPA, the right to data access is the Achilles’ Heel of data privacy compliance and customer trust – Part 2
This blog is the second of a series dedicated to Data Subject Access Requests (DSARs) and their importance in regaining customer trust.
In the first part of this series, I explained what a DSAR is and why organizations should care about it. Now, let’s take a look at how the process is perceived by customers. Our recent GDPR benchmark research shows that the road can be tortuous.
A bumpy ride for customers
There has always been a significant gap between how organizations believe they perform in terms of customer experience and their customers’ perception. Data privacy is no exception: among the companies we surveyed, 93% proudly claim in their privacy notice that they will fulfill customer requests for data access within the legal time limit, and they document the procedure for triggering such a request. But, in most cases, following the instructions reveals a huge execution gap, highlighting organizations’ failure to keep their own (legal) promises.
Through this execution gap, organizations not only put themselves in an embarrassing situation, providing formal evidence of non-compliance, but they also expose their inefficiencies directly to their customers, negatively impacting their reputation and customer loyalty.
Shortfalls and inefficiencies
Fulfilling a DSAR proves to be a long and winding road. Our benchmark has shown that inefficiencies often start as soon as a DSAR is sent. Only a few of the surveyed organizations sent a notification confirming that they had received the request and were handling it. Then, only 20% of organizations had a formal process for an identity check. This is a serious issue: other research has highlighted that privacy regulations, when not properly implemented, can themselves become a vector for security breaches and identity theft.
Although we clearly stated that our request concerned data access and portability, it still confused some organizations. Some companies asked us to explain what we meant by that, and even what GDPR was! Some mistakenly treated it as a request for erasure and started deleting our personal data. All these failures reveal either the lack of a well-defined process or the difficulty of running one with properly trained staff. All this severely hurts customer trust.
Other failures were related to broken experiences, with some organizations redirecting us to other channels or to additional steps requiring action on our part, and then failing to follow up. Some organizations seemed to make the process intentionally tedious, such as a public organization fulfilling the request through printed pages physically available at its local agency, which was only open during regular office hours. Some companies asked for a range of personal data as a prerequisite to fulfilling our request (ID, loyalty number, date of birth, transactional data...) and then we never heard back from them once the ball was in their court.
Others sent incomplete data, such as one insurance company that omitted half of the requester’s active contracts. Would you trust such a company to insure your life, your wealth and the other members of your family when it can’t even find the open contracts you have with it? Most companies seem unaware that the customers who exercise their right of access are those who care most about their privacy, and who may therefore leave the company or share their experience with their peers when their request is not properly fulfilled. The impact on a brand is even greater when bad experiences are shared on social media.
We all know that delivering a customer 360 view can be tricky, but a DSAR makes how well an organization does it transparent to its customers and to the regulators.
In addition, response time matters. Our survey has shown that many companies are struggling with the one-month deadline set by GDPR, either failing to respond at all or responding late. Those that succeeded responded in an average of 16 days. Although this is good enough from a legal perspective, think about it from the customer’s perspective: in the digital age, a response time of more than two weeks feels like a decade!
Moreover, our research showed a correlation between the speed and the quality of the answer to the DSAR: overall, the 50% of companies that fulfilled the request in less than 16 days tended to deliver a better outcome than the other 50% that fulfilled it but took longer.
From the eye of the customer
A takeaway from this survey is that you can’t hide your weaknesses from your customers when answering a DSAR. When the request is processed in an ad-hoc way, or in a way that is not customer-centric, your customer will see it. It might not result in a fine, but it hurts your customer relationship one way or another.
That’s why we recommend looking at this process through the eyes of the customer, beyond the pure compliance side. Data governance processes should be defined with customers’ expectations in mind.
The third and final blog post will focus on the keys to succeed.
For more information about the power of compliance on customer experience, read the Air France KLM story.