Just about two months after the European Union implemented the General Data Protection Regulation in May 2018, companies are being inundated with GDPR requests about the use of personal information. Despite the legal requirement to provide a solution within a month after the request has been sent, many businesses are not able to provide an adequate response on time.
The General Data Protection Regulation, also abbreviated as the GDPR, came into force across all members of the European Union to enforce new requirements about the way companies collect, store, and use personal information. It went through 4 years of evaluation and preparation before getting approved by the Parliament, and it was designed to replace the Data Protection Directive adopted in 1995, which was outdated and unable to regulate the privacy of citizens across new technologies.
Companies, which face the risk of serious fines for non-compliance (up to 4% of the global turnover or €20m, whichever is greater), have started reporting a sharp increase in GDPR requests from customers regarding the use of their personal information.
Companies are delaying response to GDPR requests
Under the GDPR, which promotes transparency and protection of personal data, EU citizens have the right to know how companies are using their information, and for what purposes. However, while many businesses are withdrawing from the European market altogether to avoid the high costs of compliance, others are still struggling to meet all the imposed requirements.
Companies like Netflix, Yoox Net-a-Porter and Marriott still haven’t responded to GDPR requests submitted at the end of May, despite the regulation's requirement to do so within a month. In fact, Marriott asked for extensions to the one-month deadline due to its inability to handle the large volume of requests that it is receiving.
Facebook has not escaped the storm either, confirming a three- or fourfold increase in user requests for information after the implementation of the GDPR two months ago.
GDPR requests are skyrocketing
Commissions across the whole of Europe are reporting a high number of complaints and breach notifications. The UK Information Commissioner’s Office confirmed more than 1,100 data protection complaints in less than a month after the GDPR entered into force. The number of reports is significantly higher than in 2017, when only 230 monthly complaints were reported on average before the new regulations became effective.
According to the International Association of Privacy Professionals, Ireland’s Data Protection Commission registered over 547 breach notifications and almost 390 complaints during the first month of the GDPR introduction. France and the Czech Republic aren’t far behind either, having registered over 400 data requests each.
Companies in the technology sector, media groups, retailers and financial institutions such as banks are among the ones receiving the highest number of GDPR requests, mainly due to the huge volumes of data that they hold on users. Businesses in the financial sector, which are obligated to collect detailed customer data for tax and accounting reasons, anti-money-laundering checks, and other purposes, are finding it hard and burdensome to comply with all requirements.
The most frequent GDPR issues are related to the processing of personal data without a legal basis, unfair processing, and customer requests for transparency on all information that companies are holding on them.
Requirement for Data traceability
According to Article 30 of the General Data Protection Regulation, “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” It means that companies will have to show how and when data was processed, and be able to prove it.
Typically, these records of processing come in the form of an application or a security log that displays all actions taken against a piece of information, from its creation to its erasure. To provide full data traceability as required by the new regulations, companies are either developing their own tools, or are relying on third-party applications such as Recordia, a cloud-based call recording platform that comes with full audit and logging features to provide transparency on when, how, and by whom the data was accessed, and what was done to it.