The Malta Independent 25 April 2024, Thursday

GDPR: Are companies complying or was the impact too soft?

Thursday, 21 March 2019, 09:00

E&S Group is a boutique, multi-disciplinary corporate advisory practice that provides legal, corporate, advisory, tax, citizenship and domiciliation services to an international client base. From the simple setting up of a business operation to the more complex legal, tax and regulatory issues they face, our pro-active team of lawyers, financial advisors, accountants and corporate administrators are available to assist, advise and deliver to any aspects of our clients' operations. Contact E&S Group on +356 20103020 or +356 20103022 or via email at [email protected]

A survey conducted last September by Talend (a US global leader in cloud data integration solutions) found that 70% of surveyed companies from around the world that conduct business in Europe did not meet requests to provide individuals with a copy of their personal data within one month. Such a request is commonly known as a "Subject Access Request" (SAR) and arises from Article 15 of the GDPR (right of access by the data subject); Article 20 (right to data portability) adds the related right to receive that data in a structured, commonly used and machine-readable format. Under the new data protection law, companies are obliged to provide the individual with the personal information kept on record within one month of receipt of the request, a period that may be extended by a further two months only where requests are complex or numerous, and only if the individual is told of the extension and the reasons for it within the first month.

It transpires that only 35% of EU-based companies meet SARs within the legal time frame, compared with 50% of companies outside Europe. This research-based exercise was conducted on 103 companies across a myriad of industries including retail, media, technology, public sector, finance and travel. It was also concluded that although many of those surveyed understood the importance of GDPR, many others were not taking any action when it came to personal data in terms of technology and processes.

As Talend rightly pointed out, this is a concern given that SARs are not something new introduced by the GDPR, but were already present under the previous Directive. Findings showed that, among the companies that did respond, the average response time was 21 days and 65% responded within 10 days; mobile banking and tech companies were fastest, generally responding within one day. On the other hand, businesses which started offline increasingly struggled with legacy systems and were significantly slower to respond.

Talend's senior director of data governance products, Mr. Jean-Michel Franco stated that "GDPR presents an opportunity to engage with customers and build loyalty. It's vital for businesses in the digital era to have a 360-degree view of customers." Moreover, "businesses must ensure that data is consolidated and stored in a transparent and shareable way."

One certainly looks forward to comparing results with a similar survey conducted on the first anniversary since the implementation of GDPR to see if there have been any significant positive changes.     

Was the impact too soft?

Those who have a keen interest in this topic of law, or have been somehow impacted through involvement in their profession, surely agree that GDPR was both an ambitious and probably the toughest piece of legislation in the sphere of privacy and security to date. Legislators were committed to improved safeguards that guaranteed users better control over their personal data.

While people might associate GDPR with never-ending requests for consent through pop-ups and e-mails, especially before the 25th of May 2018, the EU had better reasons to give people more control over their personal data. Every individual in the EU whose personal data is processed (the "data subject") has a say over the companies that handle that data, whatever their nationality. This means that people are only "lending" their personal data, and it also means that it remains theirs. Data subjects have a right to:

  • be informed about how their data is processed;
  • access their personal data;
  • have their data corrected;
  • have their data erased (e.g. where it has been used unlawfully);
  • object to their data being used for marketing purposes;
  • restrict the use of their data for specific purposes;
  • not be subject to decisions based solely on automated processing that significantly affect them, and to obtain human intervention in such decisions rather than leaving them to computers alone.

GDPR provides for enforcement in case of violation of the regulation by allowing supervisory authorities to impose hefty fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is the higher. Therefore, GDPR places a lot of responsibility on companies that process personal data, especially in those circumstances where data is collected without a lawful basis or a specified purpose.

Other requirements imposed on companies are those of having appropriate data security, processing data transparently, and notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the persons affected, those persons must also be notified without undue delay. Unfortunately, this obligation has not always been honoured: Facebook, for example, was reported to have notified its users of a data breach only two months after the event.

Despite GDPR having applied for more than nine months, to some experts in the field it has been somewhat of a mixed bag. Companies may have updated their privacy policies and tools to provide users with more control, and adopted ways of deleting data on request. However, many others have taken a more lenient approach and may still be in default, especially when it comes to consent and control. This is disappointing when one considers that the regulation is a forward-looking law promoting 'privacy by design' (building privacy safeguards into a product from the earliest stages of its design rather than adding them afterwards). Moreover, since the media focused on data breaches by big tech companies and the staggering fines imposed, the perception might have been that GDPR only concerns big companies like Facebook and Google.

Raegan MacDonald, the Head of EU Public Policy at Mozilla, said that "2018 was the year of implementation, while 2019 will be the year of enforcement." Rightly so, judging by the continuous growth of the Irish Data Protection Commission, the lead supervisory authority for the big tech companies mentioned above, which have their EU headquarters in Ireland.

On the other hand, one cannot discount the fact that, according to a Reuters report from Brussels, European data protection regulators received over 95,000 complaints about possible data breaches within the first eight months of GDPR applying. Clearly, GDPR has had a positive impact on people, as it has made them more aware of the issues surrounding personal data.

If one had to sum up the impact of GDPR in 2018, one can agree that there has been an increase in awareness of the handling of personal data that has encouraged companies to change their approach. It is certain that 2019 will see some big investigations, and GDPR's impact will keep on growing.


Article by the E&S Group Legal Department
