With the anniversary of GDPR looming, many UK businesses are still struggling to process requests from customers who are exercising their right to access the personal information stored about them, with a third of companies still non-compliant.
So says a new study from Unicom Global division Macro 4, which evaluated how 37 businesses that operate in the UK responded to data subject access requests (DSARs) made during April 2019.
The sample consisted of 17 financial services companies, seven utilities and telecommunications providers and smaller numbers from a variety of other sectors, including online retailers, loyalty card operators, and hotel and leisure companies.
Of the businesses evaluated, about a third (12) were found to be non-compliant, with five overshooting the time limit of one month that is specified by the regulation.
Among the issues found were businesses including personal information about someone else within the data they supplied; providing information in an electronic format that was difficult to access and incomprehensible when opened; and failing to complete the request at all because of systems or process failures.
Macro 4 marketing manager Lynda Kershaw said: "The overall picture painted by the study is that even after a year, many businesses – including some major global brands – still do not have efficient systems in place to manage GDPR information requests from their customers.
"In many cases the customer service agents we spoke to did not immediately understand what they were being asked for, or how to respond. Nearly half of the businesses came back to the customer with multiple follow-up queries for more information or clarification before they could process the information request – and three organisations came back more than three times."
Of the 12 organisations that were not fully compliant, five took longer than the permitted one calendar month to send the personal information. One said they would respond within 40 days, giving themselves more time than is stipulated by GDPR.
Two businesses included personal information about another individual (in one case the email address, national insurance number and mobile phone number of the customer's partner), so breaching that person's right to privacy.
Kershaw added: "It really felt like some organisations were trying to make the request easier to handle by reducing the amount of data they would need to collate. But if you don’t know what personal information a company is holding on you, how can you be specific about what they should send you?
"One notable area where customers were expected to jump through hoops was voice recordings – sometimes they were asked to provide precise dates and times of calls, or who they spoke to, for example. In most cases that just isn’t practical."