GDPR one year on: UK businesses struggling with requests for personal information

Nearly a third of UK businesses in a new study are non-compliant when responding to GDPR personal information requests

Crawley, UK, May 22, 2019 – A year after the GDPR came into effect, a new study suggests many UK businesses are struggling to process requests from customers who are exercising their right to access the personal information stored about them. Of 37 businesses evaluated, primarily large financial services organizations, utilities and telcos, around a third (12) were found to be non-compliant, with five overshooting the time limit of one month that is specified by the regulation.

Among the other reasons for non-compliance were businesses including personal information about someone else within the data that was supplied; providing information in an electronic format that was difficult to access and incomprehensible when opened; and failing to complete the request at all, due to systems or process failures.

“The overall picture painted by the study is that even after a year, many businesses – including some major global brands – still do not have efficient systems in place to manage GDPR information requests from their customers,” said Lynda Kershaw of Macro 4, a software division of UNICOM® Global, which conducted the study. “In many cases the customer service agents we spoke to did not immediately understand what they were being asked for, or how to respond. Nearly half of the businesses came back to the customer with multiple follow-up queries for more information or clarification before they could process the information request – and three organizations came back more than three times.”

Macro 4, which provides IT solutions to support GDPR compliance, evaluated how 37 businesses that operate in the UK responded to data subject access requests (DSARs) made during April 2019. The sample consisted of financial services companies (17), utilities and telecommunications providers (7) and smaller numbers from a variety of other sectors (including well known ecommerce businesses, loyalty card providers, hotels and leisure services companies).

Nearly a third of businesses are non-compliant

Of the 12 organizations that were not fully compliant in responding to the data subject access requests, five took longer than the permitted one calendar month to send the personal information. One said they would respond within 40 days – so giving themselves more time than is stipulated by the GDPR.

Two businesses included personal information about another individual (in one case the email address, national insurance number and mobile phone number of the customer’s partner), so breaching that person’s right to privacy. Three came back with very scant, incomplete information in response to the request; one supplied information in an electronic format that is not commonly used (a JSON file) and which was incomprehensible once the customer finally managed to open it; and another provided rows and rows of text which were impossible to make sense of¹.

Customer facing staff still in the dark

In fewer than half (14) of the cases did the customer service agent know exactly how to respond when a customer asked to make ‘a data subject access request to find out what personal data you’re holding about me’. For 22 of the contacts that were made, the agent was unsure how to deal with a data subject access request and needed to check with a colleague or look it up on their system. One agent appeared knowledgeable at the time but the request was subsequently lost from the system.

A related issue was a lack of knowledge about how long a request would take to process. A number of frontline staff were overly optimistic about this. Several quoted a few days to a couple of weeks, whereas follow-up correspondence invariably stated a longer turnaround time (or it just did take longer than promised).

Repeated call-backs and follow-ups required

Around half (18) of the businesses in the sample did not initially capture all the information needed from the customer in order to process the request in one go. They made contact with the customer again by phone, email or letter to request additional information or verification not mentioned on the first call. Eight businesses had to make one such follow-up, six made two, and one made three follow-ups. Three organizations had to follow up more than three times.

Businesses trying to limit the scope of the information request

Around 40 per cent of the businesses (15) asked customers to specify exactly what personal information was required (rather than sending all personal information they hold about the individual). Some organizations asked for this type of clarification multiple times.

“It really felt like some organizations were trying to make the request easier to handle by reducing the amount of data they would need to collate,” said Kershaw. “But if you don’t know what personal information a company is holding on you, how can you be specific about what they should send you? One notable area where customers were expected to jump through hoops was voice recordings – sometimes they were asked to provide precise dates and times of calls, or who they spoke to, for example. In most cases that just isn’t practical.”

Information supplied in a range of formats

Fewer than half (15) of the businesses in the sample said they could make the personal information available electronically, despite the GDPR advising that ‘where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data’.

The information that was supplied electronically was delivered in a range of formats and included screenshots of CRM and transactional systems, PDFs, Microsoft Word documents and Excel spreadsheets. Call recordings were supplied as WAV files, and sometimes on CDs. Often the information was password protected and sent via a temporary link.

The information supplied, both on paper and electronically, was variable in quantity and quality. In some cases an explanation of the purposes of the data processing was included, together with the meanings of abbreviations and system codes, but in other cases the information was in a raw format that was unintelligible to the customer.

¹The Information Commissioner’s Office Guidelines state that information responding to data subject access requests should be provided in a ‘commonly used electronic format’ and ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’.

About the study

Macro 4 evaluated how 37 businesses that operate in the UK performed when responding to data subject access requests (DSARs) made during April 2019. The businesses were contacted by telephone (or, if required by the organization, by chat or by completing an online form). The sample of businesses consisted primarily of large, nationally recognizable brands. They included financial services companies (17), utilities and telecommunications providers (7) and smaller numbers from a variety of other sectors (including well known ecommerce businesses, loyalty card providers, hotels and leisure companies).

About Macro 4

Macro 4, a division of UNICOM Global, develops software solutions that accelerate business transformation. Macro 4’s cross-platform enterprise information management solutions make it easy for companies to go digital, personalize customer communications and unlock the value of their corporate content. Macro 4 solutions for DevOps, session management and performance optimization are used by many of the world’s largest enterprises to modernize their mainframe applications and development processes.

About UNICOM® Global

UNICOM Global consists of more than fifty (50) corporate entities encompassing a wide range of businesses across all geographic regions. With its corporate headquarters in Los Angeles, California, to offices in Illinois, Kentucky, Florida, Massachusetts, Maryland, Minnesota, New Hampshire, North Carolina, New Jersey, Texas and Virginia, throughout EMEA in the UK, Ireland, Germany, France, Italy, Spain, Denmark, Belgium, Switzerland and the UAE, and across Asia/Pacific with locations in Japan, China, India, Australia, Korea, Thailand, Taiwan and the Philippines.

UNICOM Global offers deep in-house resources and flexible IT solutions to our partners worldwide. UNICOM Global focuses on acquiring and integrating mature and growing mid-cap NASDAQ, London Stock Exchange AIM and German publicly-traded companies in technology, financing, IT, real estate, and business services. Please visit our websites for additional information about the services, products and solutions that UNICOM Global offers:

UNICOM Global - Assets, capital and investment management

UNICOM Systems - IBM Mainframe software products

UNICOM Government (formerly NASDAQ: GTSI) - Government IT solutions

UNICOM Engineering (formerly NASDAQ: NEI) Appliance platform

UNICOM Science and Technology Parks

UNICOM Technology Park – Innovation Labs in Virginia

UNICOM Science and Technology Park – Innovation Labs in New Jersey

UNICOM Capital - Business and Financial Services

USRobotics - Data communications products

Memeo - Enterprise-grade Secure File Sharing for the Cloud

Firetide - Wireless technology solutions for security and transportation

DETEC - Document composition products

SoftLanding Systems - IBM i software products

Macro 4 (formerly LONDON: MAO) - Document Management products

illustro - z/OS and z/VSE software products

iET Solutions - ITSM software products

Eden - Mergers & Acquisitions, Business & Financial Services, and Real Estate - Hardware, Software, Outsourcing and Professional Services

All trademarks referenced herein are trademarks of their respective companies.