GDPR compliance remains low – especially in public sector and media organisations

Cloud data integration player Talend’s research finds only 29% of the public sector organisations it surveyed could provide the GDPR data requested within the mandated one month time limit

Posted 4 December 2019 by Gary Flood

Well over half (58%) of businesses couldn’t satisfy requests made by individuals seeking to obtain a copy of their personal data, as required by GDPR (General Data Protection Regulation), within the one-month time limit set out in the regulation.

The survey was carried out by cloud data integration and data integrity company Talend, which positions itself as enabling companies to transform by delivering trusted data “at the speed of business”. It also claims only 29% of the public sector organisations it talked to could pass this key test in GDPR compliance.

Almost as bad: only 32% of media and telecoms companies polled reported that they could provide the correct data on time, compared to 46% of retailers.

In terms of methodology, Talend talked to 103 GDPR-relevant companies across the world, primarily in Europe (84%) but also APAC-based companies that conduct business in Europe, from a range of industries (retail, media, technology, utilities & telecommunications, public sector, finance, and travel, transportation & hospitality).

The research also highlights the lack of an ID check on the individual requesting data during the data request process. Overall, only 20% of the organisations surveyed asked for proof of identification.

Moreover, of the companies surveyed that reported asking for proof of identification, very few use an online and secure way of sharing ID documents. Instead, most of the time, copies of identification were provided by email.

The requesting process also remains cumbersome, says Talend, with reported difficulties including finding the right email address to send the request to, and follow-up emails because the data is incomplete or “because the files can’t be opened”.

The research follows on from a similar exercise conducted by the company in late 2018, its so-called GDPR research benchmark, which aimed to assess the ability of organisations to achieve right to access and portability compliance with the European regulation.

At that time, 70% of the companies surveyed reported they had failed to provide an individual’s data within one month. The tech firm says it went back to talk to new companies as well as those that reported a failure to comply in the first probe, in order to map improvement. Although the overall percentage of companies that reported compliance increased, to 42%, the rate remains low 18 months after the regulation came into force.

“These new results show clearly that Data Subject Access Rights is still the Achilles’ heel of most organisations,” said Jean-Michel Franco, Senior Director of Data Governance Products at the vendor.

“To fully comply with GDPR it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted.

“With several data protection regulations coming into force in the US (California Consumer Privacy Act in January 2020), across APAC (PDPA in Thailand in May 2020), and in Latin America (LGPD in Brazil in August 2020), organisations need to start a data governance transformation to deliver a 360 degree view of customers and empower the people in charge of data protection with more automated data processing and delivery.

“Organisations must do more to regain the trust of their data subjects and be aware that they risk very significant fines and significant reputational damage in the event of non-compliance and especially through class actions – both of which could prove to be severely detrimental to a business.”