CMO

Survey finds GDPR compliance rates remain low

Second survey checks in on how companies are meeting their data protection obligations and finds improvements, but more work to be done

Some 18 months after the General Data Protection Regulation (GDPR) came into effect compliance has improved, but remains low, according to a survey by cloud data integration and data integrity outfit, Talend.

Of the businesses surveyed worldwide, just over half (58 per cent) report not being able to meet their data access and portability requests within the GDPR-specified one-month time limit. The number has improved from the first survey in September 2018, which found 70 per cent of companies surveyed reported they had failed to provide an individual's data within one month.

In this updated survey, one year after it was first conducted, Talend asked a new population of companies, as well as companies that reported a failure to comply in the first benchmark, in order to map improvement. With new regulations on the way around the world, the firm argued companies need a process to overhaul data security provisions. These include data protection regulations coming into force in the US (California Consumer Privacy Act in January 2020), across APAC (PDPA in Thailand in May 2020), and in Latin America (LGPD in Brazil in August 2020).

According to the survey, public sector organisations and companies in media and telecommunications industries are struggling to meet the requests, with just 29 per cent of public sector organisations and only 32 per cent media and telecommunications industries surveyed able to provide the data within the one-month limit. Retail, financial services, travel, transport and hospitality firms are barely reach an average success rate, with 46 per cent of companies reporting they provided correct responses within the one-month limit.

Talend said organisations need to start a data governance transformation to deliver a 360-degree view of customers and empower the people in charge of data protection with more automated data processing and delivery

“To fully comply with GDPR, it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted,” said Talend senior director of data governance products, Jean-Michel Franco.

The research involved 103 GDPR-relevant companies across the globe: EU-based companies, 84 per cent, NORAM-based companies, 8 per cent and APAC-based companies, 8 per cent which conduct business in Europe from a range of industries including retail, media, technology, utilities and telecommunications, public sector, finance, and travel, transportation and hospitality.

It assessed whether companies had updated privacy policies to account for GDPR; researching whether companies had dedicated ways for consumers to request GDPR data; requesting GDPR data and assessing how quickly and thoroughly companies comply; and requesting GDPR data in a way that may be directly accessed and reused by the individual (data portability).

Franco said organisations must do more to regain the trust of their data subjects.

“They risk very significant fines and significant reputational damage in the event of non-compliance and especially through class actions – both of which could prove to be severely detrimental to a business," he said.

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page, or join us on Facebook: https://www.facebook.com/CMOAustralia.