Only 15% of requests for personal data are answered in compliance with GDPR
Here at MultiMinds, we’re passionate about improving the CX, and respecting your customers’ privacy is an important aspect of the customer experience. But how well do companies actually comply with the privacy law? Four years after the introduction of GDPR, we decided to test whether Belgian companies can follow up on the right of access. The results are quite astonishing.
The right of access
One of the key points of the GDPR is the ‘right of access’: companies are obliged to respond to any request from a person who wants to view their data. The right of access consists of two phases the company needs to adhere to.
- Responding to the request without delay and within one month. The response should clarify whether the company holds personal data or not.
- If the company holds personal data, it needs to provide a whole range of information:
  - what personal information the organisation holds about you;
  - how they are using it;
  - who they are sharing it with;
  - where they got your data from.
How we tested compliance with GDPR in Belgium
17 colleagues at MultiMinds sent requests in their own name (i.e. from their private email address) to exercise their right of access. They selected companies of which they are customers, so they were sure the company held their data and the response to the request had to be positive.
We then evaluated every request against strictly defined parameters, which came down to these questions:
- Was the method of request easy and clear?
- Did the company respond?
- How quickly did they respond? (Within one month, as legally required)
- Was the response clear and correct?
- Did the company provide insight into the requester’s personal data?
- Was the data complete?
The results
Our colleagues put in 118 requests in total with 69 different companies: banks, retailers, insurance companies, travel agencies and telecommunication companies. Small, medium and large companies were contacted, ranging from Belgian to international.
Of those 118 requests:
- 79 were answered in time.
- 10 were answered after the legal period of one month.
- 29 were left unanswered.
Of the 79 timely responses:
- 62 were incomplete (not all data was provided).
- 17 were complete.
Of all requests, only 14.4% were answered on time and with complete data.
Automation is key
When we look beyond the staggering number of failed or incomplete requests, there are some interesting insights to gain. We looked at the 17 complete requests and concluded that most of them had a fully automated process behind them, from the request form to the organization’s reply. Furthermore, the data they delivered was clearly prepared by an automated tool that had access to the different data sources and touchpoints.
That is no coincidence. A centralized data platform enables these companies to respond quickly and automatically, and to deliver the data in a standardized format that complies with the regulations.
Why privacy matters
For any company, respecting customers’ privacy is an essential part of the customer experience. In fact, requesting your data should be just as smooth as buying a product. It shows that you handle their data with care and respect their privacy. Moreover, a single individual could sue a company for not following GDPR regulations, which could lead to hefty fines.
Make the request accessible
An important aspect of your privacy policy is the ease with which customers can request their data. Too many companies have complicated processes that are not streamlined at all. It often feels like you are being sent from pillar to post. Imagine the same happening while you were buying a product, and you had to try 4 different channels before you could actually reach somebody.
In other words: your customer experience is not only about selling smoothly. Every form of contact, for whatever reason, should run smoothly. And especially when it comes to privacy, it leaves a very bad aftertaste if a company is not transparent or helpful at all.
Security matters
Another weak point we found at a lot of companies was the security of the request. As personal data is extremely … well, personal, companies should make sure they are sharing the data with the right person. In a mobile app or online platform, your identity is confirmed when you are logged in. If you have to make the request on a website, companies should ask for identification.
But beware: they are only allowed to ask for a copy of the front of your ID, not the back. This is another mistake we’ve seen time and again. So beyond making the request accessible, make sure the process is also secure. You wouldn’t want to send somebody’s personal data to the wrong people, and there are privacy activists who are very keen on finding such leaks.
What went wrong with the others?
When analysing the incomplete responses, we suspect that the process behind them was partly or completely manual. As soon as any manual work is involved, the chance of errors increases dramatically. A few anecdotes illustrate the problems perfectly.
The bank that ghosted us
One bank made it awfully hard to request our personal data. We were sent from the privacy page to the app or to an online helpdesk. The helpdesk was a chatbot that did not understand the request. After numerous attempts, we finally chatted with a human. He asked why we needed our data, so we pointed out that they had a legal obligation to provide it. After that, the person at the helpdesk simply closed the chat and we never heard from the company again.
The lesson: making individual and often unqualified people responsible for your privacy policy is not a good idea.
The staff member that did their best
One clothing store clearly didn’t have the data infrastructure to deal with the request. One nice staff member who worked for the retailer did her best to provide all the data, by taking screenshots from their CRM system and sending them by mail. The data was incomplete, but at least the intentions were good.
The lesson: you need the right tools and infrastructure to handle requests appropriately.
The letter that never made it
Some companies deliberately make it very hard to enter your request. They hide the contact link deep in their privacy page, send you through different channels and even make you fill in a form. Multiple channels and no clear process for the request inevitably lead to mistakes. One company won the absurdity prize. They required us to print and fill in a form, and send it by post. The form clearly mentioned that the letter did not require any stamps. Two weeks later, the letter came back because … it wasn’t stamped.
The lesson: make it easy for people to request their data. Too often, the procedure is unclear or contains mistakes. Even we, digital natives, had to jump through hoops and spend way too much time before we found out how to make a request. For non-natives it must be nearly impossible. Make sure you have a clearly defined and user-friendly process that works the same on every channel and for every customer.
The company that can’t decide
Another common problem is the delivery of the data. Companies that do it well provide a file that anyone can open and that is easily readable and understandable, like a PDF. Other companies just send a zip file with huge amounts of data spread over several CSV files. Not very user-friendly: they legally comply, but they make it very hard for the average customer to check the data, as you need some technical knowledge to handle these files.
But one company had an inexplicable process. Several requests were made to the same company by different people. Some requests were left unanswered, but in some cases we received our data. One was a PDF, which is a good way to provide data. Another was a PDF with a link to the data, which led to an XML file where you had to decode the data yourself.
The lesson: have a system in place to deliver the data correctly and in a user-friendly way.
The conclusion
Four years after the introduction of GDPR, many companies still have a lot of work to do. Every company has a privacy page, which is legally required. But once you actually make a request under your right of access, it goes wrong way too often. This leads us to the conclusion that too many companies have cosmetic solutions that seem to follow the law on the surface, but haven’t actually put in place any data architecture or process to deal with requests consistently and correctly.
We wonder whether these companies receive requests often. The faulty procedures suggest that such requests are quite rare, since the companies appear unorganized and unprepared.
It’s very surprising that so many companies – even big ones and digital ones – don’t succeed in following the legal procedure. The fines for not complying with GDPR can go up to 20 million euros or 4% of turnover.
The data subjects’ rights (Articles 12-22) — Individuals have a right to know what data an organization is collecting and what they are doing with it. They also have a right to obtain a copy of the data collected, to have this data corrected, and in certain cases, the right to have this data be erased. People also have a right to transfer their data to another organization. (Source: https://gdpr.eu/fines/)
Moreover, the risks of privacy activists or security breaches are much higher if no system is in place to safely process and protect customer data. This is not only a security concern, but it’s also a matter of respecting your customers. As such, we consider privacy protection an essential part of the customer experience.