People are becoming very aware of the value their data brings to a business and wary of how this asset is shared among businesses. The enormous amount of coverage the GDPR has had will only grow as the regulation comes into force with most European governments investing in significant public awareness campaigns.
This heightened awareness and publicity is creating a pent-up demand for Subject Access Requests (SARs), whereby a data subject may ask a business to share with them all the data the business controls or processes about them. A recent survey by PEGA revealed that up to 90% of Italians, for example, plan to submit a SAR come May 25th! In the same survey, retail businesses were identified as the most common target for SARs. Another survey by 7Stars revealed 34% of Britons plan to submit a SAR, which is about 15,000,000 if the statistics stack up.
One of the biggest concerns people have is how their data is shared with third parties. Everyone has had cold calls from companies they have not done business with - how did they know your name and phone number? Because your data gets sold on and sold on until eventually that guy telling you about PPI claims calls you up and ruins an otherwise good day. Generally speaking, nothing illegal is happening - but the new regulations will really change how your data can be used, and you must now explicitly opt in (or consent) to receiving marketing information about a very specific product or service.
15 million people in Britain alone are already planning on requesting information about the data being held on them. That is a big number - and each person could raise multiple SARs. It is not just a data breach that will drive these requests - people are planning to make requests just to know. They want to know who has their data and why. The mind-set in many companies that they own their customers' data has created a situation where consumers do not trust the companies they use with their data.
Many companies are gearing up for GDPR, but because a lot of companies started their process late, they will be lucky to get their legal contracts and some processes in place in time for May 25th. The next focus will be on the day-to-day operational impact.
How will you respond to a SAR? How will you validate that the person calling is indeed the data subject whose data they are requesting? Does your team have the tools to access the right data? Is the data all digital, or are there physical files as well? Are your third parties ready to assist? What level of information do you plan to include? How will it be sent to the customer?
These are just some of the questions your business needs to start asking itself. There is then the cost to your business: the time it takes to gather the data and respond, the opportunity cost that presents, and ensuring everyone in the front-line team is adequately trained and monitored. How will you scale this process in the event of a surge in requests?
How many SARs have you budgeted for in your team's time planning for this year? How many per month/week/day? If you expect no SARs, you should really ask yourself why that is. The question should be how many. How many if nothing happens? How many if you or your suppliers have a publicised data breach?
People are being given new rights that they plan to exercise. Are you ready?
We can help in some cases. In some cases we cannot. It doesn't cost anything more than 10 minutes of your time to find out if we can help you - so get in touch!