GDPR Compliance Rate Remains Lowest in Public Sector

GDPR Compliance Rate Remains Lowest in Public Sector

December 9, 2019

Talend Senior Director of Product Marketing Jean-Michel Franco says when it comes to meeting GDPR compliance, Data Subject Access Rights continues to be the Achilles’ heel of organisations, with over half of companies surveyed not able to meet requests within GDPR limits.

58% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by GDPR within the one-month time limit set out in the regulation, according to the latest research by Talend.

In September 2018, Talend released the results of its first GDPR research benchmark, which was aimed to assess the ability of organisations to achieve right to access and portability compliance with the European regulation. At that time, 70% of the companies surveyed reported they had failed to provide an individual’s data within one month. One year later, Talend surveyed a new population of companies, as well as the companies which reported a failure to comply in the first benchmark, in order to map improvement. Although the overall percentage of companies who reported compliance increased to 42%, the rate remains low 18 months after the regulation came into force.

According to Talend Senior Director of Product Marketing Jean-Michel Franco, these new results show that Data Subject Access Rights is still the Achilles’ heel of most organisations.

“To fully comply with GDPR it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted. With several data protection regulations coming into force in the US (California Consumer Privacy Act in January 2020), across APAC (PDPA in Thailand in May 2020), and in Latin America (LGPD in Brazil in August 2020), organizations need to start a data governance transformation to deliver a 360 degree view of customers and empower the people in charge of data protection with more automated data processing and delivery. Organisations must do more to regain the trust of their data subjects and be aware that they risk very significant fines and significant reputational damage in the event of non-compliance and especially through class actions – both of which could prove to be severely detrimental to a business,” says Franco.

Key research takeaways 

The research revealed that only 29% of the public sector organisations surveyed could provide the data within the one-month limit. With an increasing use of data and new technologies – facial recognition, artificial intelligence – by the public sector to improve the citizen experience, the need for more integrated data governance is a must-have for 2020 and beyond.

The same observation applies to companies in the media and telecommunications industries; only 32% of these organisations reported that they could provide the correct data on time.

Compared to last year, retail companies improved their success rate with 46% of such companies reporting they provided correct responses within the one-month limit. A greater proportion of companies in this industry started to take a customer-centric approach to both improve the experience and internal processes.

The same situation occurs with organizations in finance as well as in travel, transport, and hospitality industries. In addition, the latter are considered as the best performers as companies in that industry represent 38% of all the organizations who provided data in less than 16 days.

Another take-away from this new benchmark is the lack of automation in processing requests. One of the main reasons companies failed to comply was the lack of a consolidated view of data and clear internal ownership over pieces of data. In the financial services industry, for example, clients may have multiple contracts with a company that may not be located in one place making it difficult to retrieve all necessary information.

Processing the requests remains very manual and often involves the business users, e.g. the insurance representatives in the case of an insurance company. In addition, processing Subject Right Requests can be very costly; according to a recent Gartner survey 5 Areas Where AI Will Turbocharge Privacy Readiness,, companies spend, on average, more than USD 1,400 to answer a single SRR.

The research also highlights the lack of an ID check during the data request process of the individual requesting data. Overall, only 20% of the organizations surveyed asked for proof of identification.

Moreover, of the companies surveyed that reported asking for proof of identification, very few use an online and secure way of sharing ID documents. Instead, most of the time, copies of identification were provided by email.

The requesting process also remains cumbersome with reported difficulties including finding the right email address to send the request, and follow up emails because the data is incomplete or because the files can’t be opened.

(Ed. Talend claims the research involved 103 GDPR-relevant companies across the globe (EU-based companies [84%], and NORAM-based companies [8%] and APAC-based companies [8%] that conduct business in Europe) across a range of industries. For more information read the Talend Data Trust Readiness Report. Jean-Michel Franco is Senior Director of Product Marketing for Talend. Prior to joining Talend, he worked at HP and SAP. A published author and presenter, Franco regularly presents at events and tradeshows and can be followed on Twitter: @jmichel_franco.)