Survey finds most firms don’t respond to GDPR requests in time

More than 18 months after the General Data Protection Regulation (GDPR) came into force, compliance with requests from individuals is patchy. In a survey commissioned by cloud data management specialist Talend, only 42% of companies produced an accurate copy of requested personal data within the one-month limit specified by the regulation.

Meanwhile, just over 20% of the companies surveyed returned incorrect or incomplete data, while 38% didn’t reply or were not contactable.

However, that is an improvement on September 2018, when 70% of companies surveyed failed to provide data within one month.

This year’s survey was from a sample of 103 companies, mostly in the European Union (EU) (84%) but also in Asia Pacific (APAC) and the US (8% each), whicho should comply with the GDPR because they conduct business in Europe.

The survey found out whether companies had dedicated ways for consumers to request personal information the company held on them, but also carried out requests for GDPR data and assessed how quickly the companies complied. It also determined whether that data could be directly accessed and re-used by the individual, to see whether it meets data portability requirements.

Successful responses were gained from European organisations in just under 38% of cases, with incorrect data returned in 16.5% of cases. A quarter (25%) of companies from which GDPR data was requested in Europe did not reply, and 5% were uncontactable.

The APAC-based companies surveyed failed to successfully return data at all, while just under 4% did so in the US.

The most responsive sector surveyed was education, which had a 100% response rate – but only 50% of those responses produced accurate data.

Financial services companies responded successfully in 47% of cases, but produced incorrect data on 26% of occasions and did not reply in 21% of cases.

Retail organisations successfully responded to 46% of requests, but supplied wrong data on 21% of occasions. Retailers failed to reply to just under one-third (29%) of requests.

Transport, travel and hospitality companies came next, with correct and timely responses in 45% of cases, and incorrect data supplied in 10% of cases. Some 40% of requests resulted in no reply.

The public sector was the least responsive, with no reply recorded in 43% of cases, while correct data was successfully returned 29% of the time. In 29% of cases, public sector bodies were uncontactable.

Media companies, telcos and utilities were nearly as bad, providing accurate data on only 32% of occasions. In 26% of cases, incorrect data was supplied and in 37%, there was no reply at all.

Jean-Michel Franco, senior director of data governance products at Talend, said: “These new results show clearly that data subject access rights is still the Achilles’ heel of most organisations.

“To fully comply with GDPR, it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted. Organisations must do more to regain the trust of their data subjects and be aware that they risk very significant fines and significant reputational damage in the event of non-compliance.”

According to Talend, a significant cause of poor responses to such regulations is a lack of automation in processing requests.