Millions say they will demand to see their data under GDPR

DataIQ News

Millions of UK consumers may submit subject access requests (SARs) to find out what personal information businesses hold on them after the GDPR goes live in May next year, with financial services, social media sites and mobile network providers in the firing line.

That is according to a new study by Exonar, a provider of GDPR data mapping and data inventory solutions, which set out to identify what people know about how their privacy rights will change in May 2018.

While the findings showed that the majority (70%) of people have no idea about the changes, once GDPR and the term SAR was explained to them, 57% said they would raise a SAR.

Under the current Data Protection Act, companies can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free. The respsone time has also been cut from 40 days to one month, piling more pressure on data controllers.

When it comes to which sectors face the most requests, financial services topped the charts with a third of people saying they would submit a SAR to their bank and 16% to their credit card provider. The study claims this could result in around 21 million current account holders raising a SAR and around a further 8 million credit card holders also asking for information held on them.

Other targets include social media companies (16.4%), mobile network providers (11%), utilities (8%), insurance companies (8%), loan companies (5%), and retailers (5%). A further 9% would raise a SAR on a current employer, 4% on an ex-employer.

Exonar chief operating officer Julie Evans said companies need to make the most of the time they have before the Information Commissioner's Office starts its consumer publicity campaigns: "Companies often ask us how they can predict how many SARs they will receive. It's an impossible task as so much of it will come down to consumer awareness.

"At the moment all communication efforts from the ICO are focused on getting companies ready for the GDPR, but come next Spring, we expect the focus to change as they start to inform the general public about the changes. If the ICO succeeds in raising consumer awareness then, as this research shows, the floodgates will open. Businesses really do need to make the most of the remaining months to get their data house in order."

The research also found that consumers are worried about how their data is managed today: 27% are concerned their data could be sold, and another 27% said they worried about hacking.

As part of the research, it was explained that a SAR could run into hundreds of pages. Almost a fifth (18%) stated 'shock' that a company could hold so much about them and everything they have ever done, with 15% saying that if they held that much information they would want to know exactly what it was and a further 10% went as far as to say they'd want companies to forget about them altogether.