The General Data Protection Regulation is a set of laws on data protection and privacy for all individuals in the EU. The regulation, which sets a new standard for consumer rights regarding their data, came into effect within the European Union on May 25, 2018.
It’s been four months since the new regulations went into effect, and according to research commissioned by Talend, the majority of companies are failing to comply with the rules.
“The funny thing is, the European companies were lagging behind but the non-European companies succeeded by 50%,” said Jean-Michel Franco, Talend director of data governance.
The research is based on personal data requests made to 103 companies based or operating in Europe across industries including retail, media, technology, public sector, finance and travel.
In the research, conducted between June 1 and Sept. 3, 2018, Talend assessed responses to GDPR Article 15 (“Right of access by the data subject”) and Article 20 (“Right to data portability”) requests, monitoring areas including GDPR references in privacy policies, and the speed and completeness of responses.
According to Franco, the research showed:
- Seven percent of companies mistakenly assumed Talend was asking to be forgotten
- Four companies deleted Talend’s account and data without notice
- Some companies asked for a range of personal data (ID, loyalty number, birthday, date of transactions, etc.) before beginning the request but still didn’t comply
- Virtually every company failed to fulfill Talend’s request for portability
- Four companies asked, “What do you mean by personal data?”
- A leading global firm in the financial sector fulfilled our request by sharing the data they held on us through printed pages that they physically delivered through a secure mail courier
- Only a few delivered a 1-click memorable customer experience, including Spotify (Sweden), N26 (Germany), Garmin (US), and Next (Germany). They offered a clear explanation of their usage of our personal data, direct access to our data via a portal, and data portability.
Companies are failing because the majority doesn’t adequately track personal information, Franco explained.
There is an absence of a data privacy owner and no department is clearly appointed to answer requests. There is a lack of data control and visibility as well, Franco said.
Though the companies may face penalties in the form of fines, moving forward Franco thinks customers will push companies to comply.
“Even if the fines have not compelled companies to comply already, the number of complaints by consumers has risen dramatically in Europe,” Franco said. “Citizens understand that this is important, our survey says they are willing to ask for their rights so I think the pressure will come also from the customer, not only from the regulators.”
There is no broad policy in effect for American companies yet; however, California is one of the first states to pass a similar law, the California Consumer Privacy Act, A.B. 375.
GDPR will force companies to adopt data privacy policies that affect not only European customers but worldwide consumers as well.
“Most companies say: OK we need to raise the bar for data privacy, not because it’s a regulation, but because the customer wants it and they want to foster a trusted relationship,” Franco said. “The media coverage this has had put attention on the CEO and people care more about this topic with or without these regulations.”