GDPR may have been in force for over 18 months but companies are still falling short when it comes to data subject access requests (DSARs), with a new global study showing nearly three-fifths (58%) of businesses have failed to meet the one-month deadline, putting them in breach of the regulation.
Data management specialist Talend first carried out research into the DSAR issue in September last year, and found that 70% of the companies it surveyed reported they had failed to provide an individual's data within one month.
One year on, Talend surveyed a new population of companies, as well as the companies which reported a failure to comply in the first benchmark, in order to map improvement.
Although the overall percentage of companies who reported compliance has increased from 30% to 42%, the rate remains worryingly low.
And, as Talend senior director of data governance products Jean-Michel Franco explains, "to fully comply with GDPR it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted".
Franco argues that, with more data protection legislation coming into force next year - including the California Consumer Privacy Act, the PDPA in Thailand and the LGPD in Brazil - organisations need to gain a 360-degree view of customers and empower the people in charge of data protection with more automated data processing and delivery.
The research splits the companies which are struggling to comply into two groups, "the laggards" and the "could do better".
Public sector organisations and companies in media and telecoms industries fall into the first, more serious category.
Only 29% of the public sector organisations could provide the data within the one-month limit, while only 32% of media and telecoms firms reported that they could provide the correct data on time.
The "could do better" category, which includes retail, financial services, travel, transport and hospitality firms, barely reaches an average success rate.
Compared to last year, retail companies improved their success rate, with 46% reporting that they provided correct responses within the one-month timeframe. A greater proportion of companies in this industry started to take a customer-centric approach to improve both the customer experience and internal processes.
The same situation occurs with companies in finance as well as in travel, transport, and hospitality industries. In addition, the latter are considered the best performers, representing 38% of all the organisations which provided data in less than 16 days.
One of the main reasons companies failed to comply was the lack of a consolidated view of data and clear internal ownership.
In the financial services industry, for example, clients may have multiple contracts with a company that may not be located in one place, making it difficult to retrieve all necessary information. Processing the requests remains very manual and often involves the business users.
In addition, processing DSARs can be very costly; according to a recent Gartner survey, companies spend, on average, more than $1,400 to answer a single request.
The research also highlights the lack of an ID check during the data request process. Overall, only 20% of the organisations surveyed asked for proof of identification. Moreover, of the companies that reported asking for proof of ID, very few use an online and secure way of sharing documents. Instead, most of the time, copies of identification were provided by email.
The requesting process also remains cumbersome, with reported difficulties including finding the right email address to send the request to, and the need for follow-up emails because the data is incomplete or because the files cannot be opened.
Franco concluded: "Organisations must do more to regain the trust of their data subjects and be aware that they risk very significant fines and significant reputational damage in the event of non-compliance and especially through class actions – both of which could prove to be severely detrimental to a business."