More than half of companies in a recent survey failed to meet requests from individuals seeking access to their personal data within the time limit set out by the EU’s General Data Protection Regulation (GDPR) rules.
This was a finding of California cloud data integration company Talend’s recent survey, which repeated its September 2018 assessment of companies’ ability to provide the information within the GDPR one-month time limit.
- The recent study looked mainly at EU-based companies, but also those conducting business in the EU. It found that while companies overall had improved their performance in this area — from 70% failing to respond within a month in 2018 to 58% in 2019 — compliance remains a problem, with some sectors faring better than others: Just 29% of public-sector organisations and 32% of media and telecoms companies provided the personal data requested to individuals within the month.
- Less than half (46%) of retail companies hit the one-month deadline.
- Companies in the travel, transport, and hospitality segment performed well in making up 38% of all organisations that provided data in less than 16 days.
GDPR was implemented in May 2018 and set out seven key principles to govern an organisation’s approach to dealing with personal data. It also introduced maximum fines for noncompliance of €20 million ($22.25 million) or 4% of the organisation’s global annual turnover, whichever is greater.
The GDPR rules are a part of a global trend in protecting personal and consumer data: In the US, the California Consumer Privacy Act came into effect on 1 January; in Thailand, the Personal Data Protection Act takes effect in May 2020; and in Brazil, the General Protection Data Law takes effect in August 2020.
Jean-Michel Franco, Talend’s senior director of data governance products, warned of the risk of fines as well as reputational damage for companies as a result of noncompliance with GDPR — especially through class action lawsuits involving groups of individuals.
Jaroslaw Chrupek, FCMA, CGMA, head of enterprise data management at British American Tobacco’s Global Business Services, suggested that the “GDPR hype” had faded and there had been only a limited number of cases of high-profile companies being fined for failing to comply with the new rules.
However, Chrupek said, for small and midsize businesses, GDPR remains an important challenge.
He told FM: “Companies with high revenues [or] turnover took the matter seriously as financial and reputational risks were identified as high and so [the] entire corporate machine was put in motion to mitigate this situation.”
A common mistake made by business managers, he suggested, is to assume data protection falls to the IT department. Most of the issues that prevent compliance with GDPR rules “stem from lack of good and transparent procedures and processes to handle requests for information”.
There are wider risks. In addition, Chrupek said, business managers often do not recognise the importance of data in their organisation and fail to map data-related risks within risk registers.
Chrupek also suggested that legal counsels are not taking responsibility and accountability for this area. If they did, he said, “they would lift the importance of the subject [to] the management boards and, even more importantly, to audit committees”. He added: “[There is] insufficient knowledge in supervisory bodies such as corporate audit committees or supervisory boards [about] how GDPR can potentially impact operations.”
Sarah Ghosh, FCMA, CGMA, is finance director and the designated data protection officer at SweetTree Home Care Services (see the FM article “Lessons From a Finance System Implementation”) in the UK, a 500-employee business that provides care services for people in their homes. The healthcare sector is complex, with general practitioners, hospitals, and care providers all holding sensitive personal data, she explained. However, the biggest challenge for all companies with personal data is to understand where data is held, who “owns” the data within the business, and how the data is being used.
“That is not at the press of a button,” Ghosh said. “[It] requires dedicated time across all of the organisation to pull off exactly where those pieces of information about an individual are being used and held.”
The Talend survey found that the lack of automation for processing data subject right requests was a major problem. It also highlighted a lack of proper identification checks of the individuals requesting data — only 20% of organisations surveyed did so. Of the companies that did carry out an ID check, only a small number used a secure way of sharing ID documents.
“People are becoming more aware of the value of their data and the impact it can have on their privacy and security,” Ghosh said. This means that data requests from individuals are likely to increase, she suggested.
At the same time, data analytics tools are opening data up to more people with an organisation, she said. “That data proliferates further than being in control of finance, HR, IT remit. … That means … there is more scope for human error in terms of data being shared where it shouldn’t be shared.”
Cybersecurity breaches continue to be a threat, and failure to schedule system upgrades in a timely fashion can increase the risk companies face, Ghosh said.
She added: “Finance is obviously targeted quite heavily because there potentially are weaknesses in the links in terms of processes.” Fraudsters, Ghosh said, can use phishing to target junior members of the team who might not be fully aware of the implications of what they are being asked to do.
Ghosh recommended these steps to mitigate data risks for businesses:
- Minimise — and audit — the personal data you hold. This means countering the natural tendency to collect as much data as you can.
- Adhere to a strict internal data protection policy that stipulates how long the data is held.
- Put in place a data management framework and be very clear about how you store and protect data, and make sure that only those who need to can access the data.
- Consider and be clear about the way data is sent, eg, use encryption software.
- Validate requests for data. For example, for SweetTree Home Care Services, requests must be in writing and require authorisation from the person on whose behalf the request for information is being made. Information is not given over the phone.
- Ensure staff are fully trained and aware of what it means to be custodians of data and the things they need to be accountable for to keep data secure. Training should be continual rather than limited to one-off sessions, so that everyone in the organisation is always considering the consequences of their actions when it comes to data.
- The need to protect data should be ingrained in the organisation’s culture.
— Oliver Rowe (Oliver.Rowe@aicpa-cima.com) is an FM magazine senior editor.