Majority of firms fail to meet GDPR data request deadline
Over three months after GDPR came into force, the vast majority of firms have been found wanting when it comes to giving consumers access to the information that is held on them, with 70% of businesses worldwide failing to meet the 30-day deadline even though others responded within a single day.
So says a new study by Talend, carried out by 451 Research and based on personal data requests made to 103 companies across industries including retail, media, technology, public sector, finance, and travel.
Notably, of those companies which did comply, only 35% were based in the EU.
The best performing industry was financial services, but it still only managed a 50% success rate, while retail companies were one of the worst with 76% failing to respond.
The research suggests that businesses which started out offline, and those that are hindered by legacy systems, may find GDPR compliance more challenging.
Among those that met the deadline, the vast majority (65%) took more than ten days to respond and the overall average response time was 21 days.
For some, however, the response was much quicker. Some 22% of firms which responded in time – primarily streaming services, mobile banking, and technology businesses - replied within just one day, suggesting that digital service companies are more agile when it comes to GDPR compliance.
451 Research director Penny Jones said: "While many organisations understand the importance of GDPR, many are still not taking their data seriously in terms of the technologies and processes they have in place. As a result, many businesses are falling short of their GDPR obligations. They can lack the proper methods for storing, organising or retrieving data in line with the regulation's requirements."
Talend senior director of data governance products Jean-Michel Franco added: "GDPR presents an opportunity to engage with customers and build loyalty. It's vital for businesses in the digital era to have a 360-degree view of customers.
"Businesses must ensure that data is consolidated and stored in a transparent and shareable way. What's more, GDPR's one-month time limit should be viewed as an absolute deadline rather than a target. Our research shows that it is possible for some brands to respond within a day, suggesting that these brands understand fast response times will help boost customer trust."