More than 18 months after the European General Data Protection Regulation (GDPR) went into effect, companies and public sector organizations worldwide are still having a very difficult time complying with a key GDPR provision that requires them to respond to any Data Subject Access Request (DSAR) in less than a month. In fact, Talend’s new survey shows that less than half (42%) of all companies and public sector organizations were able to respond to a Data Subject Access Request within the stipulated time period.
Methodology of Talend report on Data Subject Access Requests
This new Talend survey follows up on the same study from a year earlier, when results showed that 70% of companies and organizations were unable to respond to a Data Subject Access Request in a timely manner. At that time, the GDPR was still relatively new, and the poor compliance rate was simply chalked up to the fact that organizations were still reacting to a fundamental shift in the data privacy landscape. However, results appear to be little improved one year later.
As part of its report on Data Subject Access Request compliance, Talend surveyed 103 companies and organizations worldwide, with 84% of them based in the EU. Another 8% of survey respondents were North American organizations doing business in Europe, and the remaining 8% of survey respondents were Asia-Pacific organizations doing business in Europe. In order to get a truly comprehensive view of GDPR compliance with Data Subject Access Requests, Talend surveyed organizations in a variety of different industries and sectors, including retail, financial services, travel, transport, hospitality, media and communications.
Key results of Talend report
Based on these survey responses, Talend was then able to identify several different types of organizations. The so-called “Laggards” were the least effective in responding to Data Subject Access Requests. Within this category, public sector organizations (i.e. government entities) scored particularly poorly: only 29% of them were responding in a timely manner to Data Subject Access Requests. In addition, media and telecommunications companies also scored very poorly, with only 32% of them responding in a timely manner.
A step up from the “Laggards” were the “Could Do Better” companies. These included companies in the retail, financial services, travel, transport and hospitality industries. For example, only 46% of retailers are able to respond to Data Subject Access Requests in a timely manner. Overall, says Talend, “These new results show clearly that DSARs is still the Achilles’ heel of most organizations.”
How to improve GDPR compliance rates
So what can companies and organizations be doing in order to score better on GDPR compliance for Data Subject Access Requests? One of the biggest barriers to success, says Talend, is the lack of automation in processing requests. Even at the most sophisticated companies, there is still not a consolidated view of customer data, and there is not clear internal ownership of that data. Thus, it might take several different departments of a company, all coordinating their actions in an awkward manual manner, to track down all the data on a customer after he or she has filed a Data Subject Access Request.
Another factor, as might be imagined, is the sheer cost of GDPR compliance with Data Subject Access Requests. According to Gartner, companies spend an average of $1,400 to answer a single Data Subject Access Request. That suggests that the process is still very manual and very time-consuming at most organizations. The only good news here is that organizations can charge a reasonable fee if a Data Subject Access Request is manifestly “excessive” or “unfounded.”
Best practices for handling Data Subject Access Requests
Certainly, companies have had plenty of time to master the GDPR compliance process by leveraging commonly used electronic means to process personal data requests. Article 15 of the GDPR clearly lays out what is meant by “the right of access by the data subject.” It states that data subjects are allowed to inquire about the purposes of the data processing, the categories of personal data being collected, the retention period for any personal data, and the existence of automated decision-making within a company based on that personal data.
For Data Protection Officers at organizations, all of these inquiries are reasonable and not out of the ordinary. For that reason, many data privacy experts and government entities suggested that companies simply take a checklist approach to GDPR compliance. For example, the UK Information Commissioner’s Office suggested using a checklist so that organizations would be able to respond to a Data Subject Access Request within the one-month time frame stipulated by the GDPR.
Talend also recommends that companies tighten up their process for requesting user ID documents in response to a Data Subject Access Request. For example, only 20% of organizations currently ask for proof of ID when a customer is making a Data Subject Access Request. And of those that do, none of them have a secure or encrypted mechanism for handling sensitive user ID documents (which might help to explain why so many companies fail to ask for simple proof of ID).
New Data Subject Access Requests on the horizon
The bigger picture, says Talend, is that the GDPR is no longer the only data privacy legislation that companies doing business around the world must consider. And with each new piece of data privacy legislation, it is going to become harder and harder to keep up with data subject access requests. For example, California is set to debut the California Consumer Privacy Act (CCPA) in January 2020; Brazil is set to debut its new LGPD data privacy law in August 2020; and Thailand is set to debut its new PDPA data privacy law in May 2020. Thus, compliance with data subject access requests will no longer just be a “European thing” – if doing business in North America, South America or Asia-Pacific, companies will also need to keep their eyes on the unique needs of the data subject access requests in those geographic regions.
At the end of the day, organizations need to wake up to the post-GDPR data privacy reality. The need for Data Subject Access Requests is not going away anytime soon, and in fact, the need for policies and procedures to handle these Data Subject Access Requests is intensifying on a global scale. As the new Talend report suggests, a majority of companies need to be doing a better job with their compliance rates.