GDPR compliance Archives - OpenBusinessCouncil Directory

GDPR Compliance: Businesses Struggle With Requests For Personal Information
Mon, 27 May 2019

A year after the GDPR came into effect, a new study suggests many UK businesses are struggling to process requests from customers who are exercising their right to access the personal information stored about them. Of 37 businesses evaluated, primarily large financial services organizations, utilities and telcos, around a third (12) were found to be non-compliant, with five overshooting the time limit of one month that is specified by the regulation.

Among the other reasons for non-compliance were businesses including personal information about someone else within the data that was supplied; providing information in an electronic format that was difficult to access and incomprehensible when opened; and failing to complete the request at all, due to systems or process failures.

“The overall picture painted by the study is that even after a year, many businesses – including some major global brands – still do not have efficient systems in place to manage GDPR information requests from their customers,” said Lynda Kershaw of Macro 4, a software division of UNICOM Global, which conducted the study. “In many cases the customer service agents we spoke to did not immediately understand what they were being asked for, or how to respond. Nearly half of the businesses came back to the customer with multiple follow-up queries for more information or clarification before they could process the information request – and three organizations came back more than three times.”

Macro 4, which provides IT solutions to support GDPR compliance, evaluated how 37 businesses that operate in the UK responded to data subject access requests (DSARs) made during April 2019. The sample consisted of financial services companies (17), utilities and telecommunications providers (7) and smaller numbers from a variety of other sectors (including well known ecommerce businesses, loyalty card providers, hotels and leisure services companies).

The study looks at how 37 businesses that operate in the UK performed when responding to data subject access requests (DSARs) made during April 2019. The businesses were contacted by telephone (or, if required by the organization, by chat or by completing an online form). The sample of businesses consisted primarily of large, nationally recognizable brands. They included financial services companies (17), utilities and telecommunications providers (7) and smaller numbers from a variety of other sectors (including well known ecommerce businesses, loyalty card providers, hotels and leisure companies).

[Figure: Preparing for the GDPR. 12 steps to take now. Source: ICO.]

Nearly a third of businesses are non-compliant

Of the 12 organizations that were not fully compliant in responding to the data subject access requests, five took longer than the permitted one calendar month to send the personal information. One said they would respond within 40 days – so giving themselves more time than is stipulated by the GDPR.

Two businesses included personal information about another individual (in one case the email address, national insurance number and mobile phone number of the customer’s partner), so breaching that person’s right to privacy. Three came back with very scant, incomplete information in response to the request; one supplied information in an electronic format that is not commonly used (a JSON file) and which was incomprehensible once the customer finally managed to open it; and another provided rows and rows of text which were impossible to make sense of.

Customer facing staff still in the dark

In fewer than half (14) of the cases did the customer service agent know exactly how to respond when a customer asked to make ‘a data subject access request to find out what personal data you’re holding about me’. For 22 of the contacts that were made, the agent was unsure how to deal with a data subject access request and needed to check with a colleague or look it up on their system. One agent appeared knowledgeable at the time but the request was subsequently lost from the system.

A related issue was a lack of knowledge about how long a request would take to process. A number of frontline staff were overly optimistic about this. Several quoted a few days to a couple of weeks, whereas follow-up correspondence invariably stated a longer turnaround time (or it just did take longer than promised).

Repeated call-backs and follow-ups required

Around half (18) of the businesses in the sample did not initially capture all the information needed from the customer in order to process the request in one go. They made contact with the customer again by phone, email or letter to request additional information or verification not mentioned on the first call. Eight businesses had to make one such follow-up, six made two, and one made three follow-ups. Three organizations had to follow up more than three times.

Businesses trying to limit the scope of the information request

Around 40 per cent of the businesses (15) asked customers to specify exactly what personal information was required (rather than sending all personal information they hold about the individual). Some organizations asked for this type of clarification multiple times.

“It really felt like some organizations were trying to make the request easier to handle by reducing the amount of data they would need to collate,” said Kershaw. “But if you don’t know what personal information a company is holding on you, how can you be specific about what they should send you? One notable area where customers were expected to jump through hoops was voice recordings – sometimes they were asked to provide precise dates and times of calls, or who they spoke to, for example. In most cases that just isn’t practical.”

Information supplied in a range of formats

Fewer than half (15) of the businesses in the sample said they could make the personal information available electronically, despite the GDPR advising that ‘where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data’.

The information that was supplied electronically was delivered in a range of formats and included screenshots of CRM and transactional systems, PDFs, Microsoft Word documents and Excel spreadsheets. Call recordings were supplied as WAV files, and sometimes on CDs. Often the information was password protected and sent via a temporary link.

The information supplied, both on paper and electronically, was variable in quantity and quality. In some cases an explanation of the purposes of the data processing was included, together with the meanings of abbreviations and system codes, but in other cases the information was in a raw format that was unintelligible to the customer.

Leave.EU Data Breach: Firms Must Comply With Privacy Regulations Once and For All
Mon, 19 Nov 2018
The ongoing data breach scandal surrounding the Leave.EU campaign financed by Aaron Banks and one of his companies, Eldon Insurance (trading as GoSkippy), has drawn further attention to the way data is handled, particularly when it is used for political purposes. This is just months after the Cambridge Analytica scandal, which blindsided the political establishments in both Britain and the United States.

The ICO recently issued a notice of intent to fine both Leave.EU, the pro-Brexit campaign group, and Eldon Insurance (trading as GoSkippy) for serious breaches in the way they have handled customers’ and subscribers’ data. In light of the ongoing public interest in data management and analytics used for political purposes, it is worth taking a closer look and identifying where the compliance failures occurred. This is of particular significance for firms because of the nature of the breach and the set of regulations which govern it, regulations that are often overlooked by firms and businesses when interacting with their customers.

The reasons for the ICO issuing the notice of intent to fine are, firstly, that over one million emails were sent to Leave.EU subscribers containing marketing for GoSkippy without the subscribers’ consent, and secondly, that a Leave.EU newsletter was sent to 319,000 GoSkippy subscribers. The ICO intends to fine both Leave.EU and Eldon Insurance (trading as GoSkippy) £60,000 for serious breaches of the Privacy and Electronic Communications Regulations 2003 (PECR), and Leave.EU a further £15,000 for sending a Leave.EU newsletter to GoSkippy customers.

As a result of the actions taken in breach of PECR, the ICO has also issued a preliminary enforcement notice under the Data Protection Act 1998 to Eldon Insurance, which will require them to take specified steps in order to ensure compliance with Regulation 22 of PECR. An audit of Eldon Insurance will then follow to ensure that the required steps are being taken. If further wrongdoing is discovered during the audit, further fines may well be imposed by the ICO.

It is important to stress that the ICO has not issued a monetary penalty notice, but a letter of intent. It is after the conclusion of the audit that the ICO will make a final decision on whether to serve a monetary penalty notice, which should be made on or after 5 December 2018. As such, the ICO is at present ‘poised to fine’ Leave.EU and Eldon Insurance.

The violation

Regulation 22 of PECR governs the transmission of electronic communications to individual subscribers. Under the Regulation, a person may not send unsolicited direct marketing emails unless the recipient has previously notified the sender that he/she consents to receiving such communications. There are very limited circumstances in which the prior consent of the subscriber is not required – these are known as “soft opt-in” exceptions, and they did not apply in this case.

Whilst the ICO did not believe that Leave.EU and Eldon Insurance deliberately contravened Regulation 22 of PECR, the ICO was satisfied that the breaches were serious and both Leave.EU and Eldon Insurance should have reasonably known that there was a risk of contravention of Regulation 22 of PECR.

In its report, the ICO states that the fines are intended to “promote compliance with PECR,” given that unsolicited marketing emails “is a matter of significant public concern,” particularly in the aftermath of the Cambridge Analytica scandal. The intention of the ICO for the proposed fines is therefore to act “as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance.”

It is also worth noting that, in determining the amount of the potential fines it intends to impose on Leave.EU and Eldon Insurance, the ICO took into account the fact that no complaints had been received about the contraventions.

Understanding the importance of PECR

The notices of intent to fine issued by the ICO highlight the need for firms to ensure that they are not only complying with data protection legislation but are also well aware of and compliant with their obligations under PECR.

The privacy rights under PECR enhance and sit alongside data protection legislation. It is not enough for firms, when using electronic communications, particularly electronic marketing communications, to only ensure compliance with the Data Protection Act and GDPR. PECR is of paramount importance when it comes to electronic marketing communications.

Firms must take steps to ensure compliance with PECR as well as data protection legislation when carrying out direct marketing by electronic means. Reasonable steps must be taken by firms to prevent contraventions of PECR when conducting electronic direct marketing. The breaches of PECR by Leave.EU and Eldon Insurance highlight the cost of non-compliance even when it is not deliberate and in the absence of any complaints from customers about contraventions. Businesses can very easily be blindsided by PECR breaches. Having robust processes for compliance with PECR alongside GDPR and data protection legislation is essential for ensuring customer trust and protecting a company’s hard-earned reputation.

Article written by Alexander Edwards, a Senior Associate at Rosling King LLP. He acts for a variety of clients in connection with a range of finance, commercial, regulatory and corporate matters.

GDPR Compliance: Companies In The Services Industry Risk Penalties By Not Wiping The Memory From IT Equipment
Mon, 29 Oct 2018

In the two months following the introduction of GDPR, 30% of professional services businesses have failed to wipe the memory off redundant IT equipment before disposal

Despite GDPR legislation having come into effect over four months ago, the majority of UK businesses in the professional services sector are now risking penalties by failing to adhere to some of the rules.

According to a survey of 1,002 UK workers in full or part-time employment, carried out by Probrand.co.uk, a large proportion (30%) of businesses in the professional services industry failed to wipe the data from IT equipment they disposed of in the two months following GDPR. The workers surveyed were from a wide range of professional services including law and accountancy firms.

This news is perhaps less surprising given the research also found that 81% of all UK professional services businesses do not have an official process or protocol for disposing of obsolete IT equipment.

What’s more, 48% of professional services workers admit they wouldn’t even know who to approach within their company in order to correctly dispose of old or unusable equipment.

The top 5 industries most guilty of not clearing the memory of IT equipment before disposal in the months following GDPR were transportation (72%), sales and marketing (62%), manufacturing (59%), utilities (58%) and retail (57%).

Matt Royle, marketing director at Probrand.co.uk commented: “Given the amount of publicity around GDPR it is arguably impossible to be unaware or misunderstand the basics of what is required for compliance. So, it is startling to discover just how many businesses are failing to both implement and follow some of the simplest data protection practices.”

“This is especially startling to see from businesses within the professional services sector, where sensitive customer information is handled all the time.”

“The fines involved in a GDPR breach can potentially run into the millions – and what appear to be less tangible impactors, like reputational damage, customer trust and loyalty, will ultimately become financially significant.”

“Given these findings, it is clear that more needs to be done to ensure that all businesses have a disposal procedure in place to avoid inadvertently leaking sensitive data.”

The top 10 industries which are most guilty of not clearing the memory of IT equipment before it is disposed of:

  1. Transportation – 72%
  2. Sales and marketing – 62%
  3. Manufacturing – 59%
  4. Utilities – 58%
  5. Retail – 57%
  6. Education – 54%
  7. Leisure and travel – 49%
  8. Healthcare and hospitality – 45%
  9. Trades / administration – 44%
  10. Information and communication – 39%