Following the implementation of GDPR in May 2018, with scrutiny of organisations' compliance positions gathering pace, the fines are starting to roll in across the EU. Organisations will continually need to maintain and improve their practices to ensure customer data is stored and processed securely.
Recently the UK regulator (the ICO) issued notices of intention to fine British Airways and Marriott £183m and £99m respectively. Remember that under the DPA 1998 the maximum fine was just £500,000. More recently EasyJet notified a significant data breach affecting 9 million individuals, which the ICO will be looking at very closely. Publicity around these fines is being fanned by advertising that invites individuals affected by a breach to claim compensation. Under Article 82 of the EU General Data Protection Regulation (EU-GDPR) individuals have a right to compensation, which can cover inconvenience, distress, annoyance and loss of control of their data.
At boardroom level, the rise in awareness and the size of the fines will create uncertainty. Do EasyJet invest as passenger numbers increase slowly in an extremely competitive market, or do they build a “war-chest” ready to handle the compensation claims? In reality they will probably do both, dividing resources and focus, which may put them at a competitive disadvantage.
We therefore have a situation where awareness of GDPR has risen immeasurably and customers are concerned about their data and their control over it.
This will lead to demands for more transparency and healthy debate on data ethics frameworks, and consumers will seek more reassurance, ask more questions and submit more Subject Access Requests (SARs). Going forward, being seen as trustworthy with customer data will be an important brand message.
The ICO defines a SAR as “the right to ask an organisation whether or not they are using or storing your personal information”. As part of a SAR you can “also ask them for copies of your personal information, verbally or in writing.”
Processing a SAR can be complex and unwieldy, depending on the number of systems and databases that hold customer data and the volume of requests that come in. Think about what is required and it has the potential to be a laborious process, requiring skilled team members to trawl through many different systems. Efficiency, consistency and accuracy are key, especially as the process is unlikely to be fully automated end to end, and a degree of expertise is required to identify exemptions that affect what is disclosed (for example, information that would reveal another person's personal data).
And this is part of the dilemma. Do you invest in process efficiencies anticipating a volume of requests that may never arrive? Or do you do the opposite, only to face more requests than expected and a higher cost per response?
Returning to EasyJet. With 9m customer records breached, will 10% of people make a SAR (the form takes only 2 minutes to complete), or maybe 0.01%? It is hard to know, but take both numbers and assume it takes 3 hours to respond to each SAR. At 0.01% that is 900 requests, or roughly 2,700 hours of work: a team of 10 could clear it in a couple of months, which you would assume can be accommodated. At 10% it is 900,000 requests, or 2.7 million hours: a team of 300 would need well over four years, against a GDPR deadline of one month per request (extendable by a further two months for complex requests). That is a resource not so easy to find.
To drive internal processing efficiency, it is therefore important that your customer data is accessible and accurate.
Accuracy is important because it helps you match the incoming request to the data you hold. Inaccurate or out-of-date address data, incomplete data and duplicate data will slow the process down, and that equates to substantial time and cost. A mismatch is not just slow: disclosing one person's data in response to another person's request is itself a personal data breach, so the requester must be verified against accurate records before anything is released. It is also vital that the data disclosed in the SAR is accurate; if it is not, further follow-up action becomes more likely.
Data should be standardised across systems and duplicates removed or flagged. Of course, a single customer view helps immensely as the relevant data is all in one place, and if it isn’t, the view should at least hold the unique reference numbers and system keys that let you pull data from the other systems to build the detailed report that is required.
It is therefore essential that companies review their customer data. That should be a given anyway under GDPR Article 5, whose principles include data minimisation, accuracy (including keeping data up to date) and storage limitation, all of which seek to ensure a company is processing customer data securely, transparently and correctly.
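As an added illustration (not code from the original article or its author), the script below shows the matching and collation steps described above on a constructed pair of "systems": a CRM with inconsistently formatted and duplicated rows, and a bookings system keyed by CRM customer ID. It normalises email and postcode so a request matches every copy of a customer, builds a single customer view that records the system keys needed to pull data from elsewhere, and redacts other travellers' names from the disclosed bookings, which stands in for the third-party exemption mentioned earlier. The field names, record layouts and sample customers are invented; the email-plus-postcode match is assumed to have been verified as belonging to the requester before this step runs.

```python
"""Added example: SAR lookup over two constructed systems.
Names, layouts and records are invented for illustration only."""
import re

# Constructed CRM extract: mixed case, stray whitespace and a duplicate customer.
CRM = [
    {"customer_id": "C100", "name": "Jane Smith", "email": "Jane.Smith@Example.com", "postcode": "sw1a 1aa"},
    {"customer_id": "C101", "name": "jane  smith", "email": "jane.smith@example.com ", "postcode": "SW1A1AA"},
    {"customer_id": "C102", "name": "Ali Khan", "email": "ali@example.org", "postcode": "M1 1AE"},
]

# Constructed bookings extract, keyed by CRM customer_id. A booking may name
# other travellers, whose details must not be disclosed to the requester.
BOOKINGS = [
    {"booking_ref": "B1", "customer_id": "C100", "route": "LGW-AMS", "travellers": ["Jane Smith", "Tom Smith"]},
    {"booking_ref": "B2", "customer_id": "C101", "route": "LTN-GVA", "travellers": ["Jane Smith"]},
    {"booking_ref": "B3", "customer_id": "C102", "route": "MAN-BCN", "travellers": ["Ali Khan"]},
]


def norm_email(email):
    return email.strip().lower()


def norm_postcode(postcode):
    """Upper-case, strip spaces, then re-insert the single space before the last three characters."""
    compact = re.sub(r"\s+", "", postcode).upper()
    return compact[:-3] + " " + compact[-3:] if len(compact) > 3 else compact


def norm_name(name):
    return " ".join(name.split()).lower()


def match_key(rec):
    """The identifier pair used to recognise the same person across records."""
    return (norm_email(rec["email"]), norm_postcode(rec["postcode"]))


def build_single_customer_view(crm):
    """Group CRM rows by normalised key. Each entry is one person and keeps every
    system key that belongs to them, plus a count of duplicate rows to flag."""
    view = {}
    for rec in crm:
        key = match_key(rec)
        entry = view.setdefault(key, {"name": norm_name(rec["name"]), "email": key[0],
                                      "postcode": key[1], "customer_ids": [], "duplicates": 0})
        entry["customer_ids"].append(rec["customer_id"])
        entry["duplicates"] = len(entry["customer_ids"]) - 1
    return view


def find_subject(view, email, postcode):
    """Look the (verified) requester up by the same normalised key; None if unknown."""
    return view.get((norm_email(email), norm_postcode(postcode)))


def redact_third_parties(travellers, subject_name):
    """Keep the subject's own name; replace anyone else's with a redaction marker."""
    return [t if norm_name(t) == subject_name else "[third party redacted]" for t in travellers]


def compile_sar(view, bookings, email, postcode):
    """Collate everything held about one subject across systems, with third parties redacted."""
    subject = find_subject(view, email, postcode)
    if subject is None:
        return None
    ids = set(subject["customer_ids"])
    items = [{"booking_ref": b["booking_ref"], "route": b["route"],
              "travellers": redact_third_parties(b["travellers"], subject["name"])}
             for b in bookings if b["customer_id"] in ids]
    return {"subject": subject, "bookings": sorted(items, key=lambda b: b["booking_ref"])}


if __name__ == "__main__":
    scv = build_single_customer_view(CRM)
    print(compile_sar(scv, BOOKINGS, " JANE.SMITH@example.com", "sw1a1aa"))
```

Without the normalisation step, the two Jane Smith rows would never match each other or the incoming request, so booking B2 would be missed and the duplicate would never be flagged. The lookup deliberately returns nothing rather than a "nearest" record when the key is unknown, because a fuzzy match here is how data ends up disclosed to the wrong person.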
What I am expecting to see is heightened consumer sensitivity to their data. Sending a pension statement to an old address, sending the same email twice to the same address (because the record is duplicated) and contacting someone who is now deceased will be spotted, will cause concern, and are therefore more likely to be acted upon.
That consumer action may mean a loss of business, a complaint, compensation payments, bad publicity on social media, a subject access request, or a request for the ICO to investigate. None of these outcomes is favourable.
Businesses are facing more uncertainty now than at any time in the last 50 years. Combine this with GDPR fines, the resulting bad publicity and the additional regulatory demand to process subject access requests, and the pressure on the boardroom only grows. Why wouldn’t you, therefore, want to make sure your customer data is accurate? The best place to start is a data audit, so you know exactly where you stand.
Rob Frost, Proposition & Solutions Manager
To learn more and find out how we can help you and your business take a look at our Data Maintenance service.