The data industry is in disarray. Recent scandals surrounding invasion of privacy on social media have brought to light how vulnerable our data really is. For a long time, personal data has been leaked, shared, tracked and analysed without users’ prior knowledge or consent. Only now have consumers been offered an olive branch: more control over their data.
With the General Data Protection Regulation (GDPR) now in force, each individual in the European Union has a legal say over how their data is stored and used. Two of the rights most likely to generate requests stand out. Firstly, consumers have the right to ask that companies ‘forget’ (that is, delete) the personal data they hold on them. This ‘right to be forgotten’ (the right to erasure, Article 17) lets consumers request the removal of their personal data from an organisation’s systems, subject to exceptions such as records the organisation is legally obliged to retain.
Secondly, individuals can find out what personal data organisations hold on them through subject access requests (SARs), which must be answered within one month; the deadline can be extended by a further two months for complex or numerous requests, but only if the individual is told why within the first month. In practice this means organisations have around 30 days to search for, locate and provide all the data they hold on that individual – a requirement that many organisations will struggle to meet.
Trust in businesses eroded
Consumers welcome their enhanced data privacy rights, and with the deadline for compliance now passed, businesses can expect an onslaught of data privacy requests coming their way. Our research found that two in five (40%) UK consumers plan to exercise their rights within the next six months, and financial services companies, including banks and insurance companies, are in the firing line, with 56% of consumers saying they are most likely to exercise their rights against this industry.
Consumers have little trust in organisations to safeguard their personal data: two in five (38%) believe most businesses don’t know how to protect their data. And worryingly, the majority (79%) don’t believe that organisations will be able to find and/or delete all of the personal data that is held on them.
Trust in businesses has been eroded by breaches and high-profile cases where firms have shown a lack of understanding of how the consumer data they hold is used or shared. In the current climate of privacy invasion and fear of further infringement, nearly half (47%) of UK consumers say they will exercise their data privacy rights if a company that holds their personal information suffers a data breach.
Over half (56%) of UK consumers say they are planning to exercise their rights under GDPR because they don’t feel comfortable having personal data sit on systems that they have no control over, while others want to know exactly what information companies hold on them. Surprisingly, nearly one in 10 (8%) consumers will exercise their data privacy rights simply to irritate a company that they feel has mistreated them.
24 June: a new date for your GDPR diary
While there are many different motivations for making a GDPR request, the result will be the same: the number of requests will increase dramatically, and organisations should already be fully prepared for the influx of these types of requests. With a one-month turnaround required for subject access requests, a request lodged on 25 May 2018, the day the regulation took effect, falls due by 24 June, so organisations that cannot meet it may be breaking the new rules from that date.
With data continuing to grow at an annual rate of 49% globally, according to our 2017 Data Genomics Study, turning around subject access requests within the required timeframe under GDPR will be a huge challenge for most businesses.
In theory, data should be held securely within every organisation, with clear structures, specifications and restricted access rights. Should anyone need access to information, it should be relatively easy to find. However, the reality is that data is scattered all over the place: in a scanned document buried on a customer services file server, in an event attendance list or in a phone call recording. This is unstructured data, and it is where the 30-day timeline makes compliance very difficult.
Barricade against the SAR flood
A critical first step to achieving regulatory compliance is to implement a holistic approach to managing data that goes beyond just storing it effectively. Companies need complete visibility into consumer data, including what information is stored, how it is used, who owns it and accesses it, and whether it counts as personal data under GDPR (the regulation uses the term ‘personal data’, which is broader than the US notion of Personally Identifiable Information (PII): any information relating to an identifiable person qualifies). This approach must include the ability to automatically classify large volumes of digital data, scanning and tagging it in a granular, intelligent manner so that information is managed effectively and can be produced on demand.
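As an added illustration of the scan-and-tag approach the paragraph above describes, the script below is example code written for this page, not the vendor’s product or any tool the page names. It indexes a small constructed corpus of the kinds of scattered records the article mentions (a scanned letter, an event attendance list, call recording metadata) by the identifiers found in each, tags every document, and then answers a subject access request by matching a person’s known identifiers against the index. The document paths, their contents, the restriction to e-mail addresses and UK phone numbers as identifier categories, and the tag names are all assumptions made for the example.

```python
"""Toy personal-data discovery scan used to answer a subject access request (SAR).

Example code for illustration only. The corpus, paths, identifier categories
and tag names below are constructed assumptions, not a real product's scheme.
"""
import re
from collections import defaultdict

# Constructed corpus standing in for scattered, unstructured data. Keys are
# hypothetical storage paths; values are the document contents.
CORPUS = {
    "cs-server/scans/complaint-2018-04-12.txt": (
        "Scanned letter. Customer: Jane Example, jane.example@example.org, "
        "tel 020 7946 0018. Complaint about policy renewal."
    ),
    "events/attendance-roadshow.csv": (
        "name,email\n"
        "Jane Example,jane.example@example.org\n"
        "Sam Other,sam.other@example.net\n"
    ),
    "callcentre/recordings/2018-03-01-1432.meta": (
        "caller=+44 20 7946 0018; agent=A17; duration=00:04:12; topic=renewal"
    ),
    "marketing/brochure.txt": "Our roadshow is coming to a city near you!",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# UK numbers in national (0...) or international (+44...) form, with optional
# spaces or hyphens between groups. Lookarounds stop partial matches inside
# longer digit runs such as timestamps.
UK_PHONE_RE = re.compile(
    r"(?<!\d)(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)"
)


def normalise_phone(raw: str) -> str:
    """Reduce a UK number to national-form digits so that '+44 20 ...',
    '+44 (0)20 ...' and '020 ...' all compare equal."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("44"):
        digits = digits[2:]
        if not digits.startswith("0"):
            digits = "0" + digits
    return digits


def classify(text: str) -> dict:
    """Return the identifiers found in one document, grouped by category."""
    found = defaultdict(set)
    for email in EMAIL_RE.findall(text):
        found["email"].add(email.lower())
    for phone in UK_PHONE_RE.findall(text):
        found["phone"].add(normalise_phone(phone))
    return dict(found)


def scan(corpus: dict) -> dict:
    """Build an index path -> {'tags': [...], 'identifiers': {...}}.

    A document is tagged per identifier category it contains, or marked as
    holding no personal data (under this example's limited detectors)."""
    index = {}
    for path, text in corpus.items():
        ids = classify(text)
        tags = sorted(f"personal-data:{cat}" for cat in ids) or ["no-personal-data"]
        index[path] = {"tags": tags, "identifiers": ids}
    return index


def subject_access(index: dict, subject: dict) -> list:
    """Answer a SAR: every indexed document holding any of the subject's
    identifiers. `subject` maps category -> list of known values."""
    wanted = {
        "email": {e.lower() for e in subject.get("email", [])},
        "phone": {normalise_phone(p) for p in subject.get("phone", [])},
    }
    hits = [
        path
        for path, entry in index.items()
        if any(entry["identifiers"].get(cat, set()) & wanted[cat] for cat in wanted)
    ]
    return sorted(hits)


if __name__ == "__main__":
    idx = scan(CORPUS)
    for path, entry in idx.items():
        print(path, entry["tags"])
    # A SAR from Jane, who supplies her e-mail and phone number. The call
    # recording is found only because the phone number was normalised.
    print(subject_access(idx, {"email": ["jane.example@example.org"],
                               "phone": ["+44 20 7946 0018"]}))
```

The point the example makes is that a subject’s data rarely carries one consistent key: the call recording above is only reachable through a phone number written in a different format from the letter, so identifier normalisation is what turns a keyword search into a usable SAR answer. A real scan would add further categories (postal addresses, account numbers, names via a people directory) and would run over file shares, mailboxes and databases rather than an in-memory dictionary.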
Technology aside, instilling a culture of digital compliance and responsibility among employees will prove the ultimate driver for long term change. And there’s no question about whether this is needed: an overwhelming majority (91%) of organisations admit that they lack a culture of good data governance.
In light of recent events and changes in the law, consumers need much more reassurance when it comes to what personal data companies hold on them, and how it is shared and used. The most successful companies will be those that are able to demonstrate that they are managing and protecting personal data in a compliant way across the board.