GDPR is here and now there’s the CCPA too! Exonar Latest News

GDPR, CCPA, POPI – TMI?
Living with new privacy laws

What We’ve Been Reading And Writing This Month   

GDPR is here and now there’s the CCPA too!
Plus – We’re Hiring & ‘Ain’t got no Privacy’ – 80’s privacy issues!

New Exonar research released July 4th 2018, shows that public sector organisations face increased financial pressure as a result of the recently implemented General Data Protection Regulation (GDPR), to the tune of £30million per year.
The NHS is expected to be hit hardest by the influx in data requests, given that before the introduction it cost the NHS £20.6million per year to retrieve customer data.
Rise appears to reflect more stringent reporting obligations under EU’s new data protection regime. More than 1,100 reports of data breaches involving people’s personal information have been received by the Data Protection Commission in the two months since a new EU legal regime came into force.
How the GDPR will disrupt Google and Facebook
New laws and high profile investigations have helped put data protection and privacy at the centre of the UK public’s consciousness like never before, the Information Commissioner has said.
Exonar simplifies compliance with the California Consumer Privacy Act by getting right to the heart of the matter: Finding, Mapping and Managing your data.
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work toward compliance and help you focus your efforts. In …
Get our free GDPR report
The California Consumer Privacy Act of 2018 (aka CaCPA) creates unprecedented obligations for companies that do business in California (the world’s fifth largest economy) or collect the personal information of California’s 40 million residents.
We Are Hiring - Marketing Executive - Exonar
Are you our next Marketing Manager? An exciting startup software business, we’re looking for an ambitious marketer to take responsibility for creating and delivering our marketing strategy. A British software company, we have just raised significant funding to boost our growth strategy through 2018.
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
Music video by Rockwell performing Somebody’s Watching Me. (C) 2004 Motown Records, a Division of UMG Recordings, Inc.

The Great Data Shake Up – GDPR changes at 100 days and counting

The 5 Key GDPR Changes at 100 days and counting

September 2nd marked 100 days since the General Data Protection Regulation (GDPR) came into force. The new rules marked a much-needed update to the UK’s aging 1998 Data Protection Act.

The update had been a long time coming. So what have we learned so far? Here are five ways that GDPR has shaken up the way we gather, store and process data.

1. Effective data management starts with discovery

With the amount of data collected and stored by organisations large and small, data discovery has played a major role in achieving GDPR compliance.

What’s more, being able to react to changes in user habits and trends, like permanently deleting social media accounts or customer history and interactions, has added complications to data management that must be addressed.

Advances in technology, like Big Data and Machine Learning, have added a level of simplicity to creating a data inventory. When implemented correctly, these principles can be used as part of an eDiscovery and data mapping process with the ability to rapidly find and categorise data and to do so on an on-going basis – ensuring continual compliance for an organisation rather than just at a single point in time.

The added benefit of a digital discovery process is that unknown data is often identified and located. It’s vital that all data is accounted for to ensure compliance. After all, you don’t know what you don’t know.

2. The price of non-compliance

Failure to comply with the GDPR can lead to heavier punishments than ever before. Fines for malpractice have increased from a maximum of £500,000 up to €20 million, or 4% of annual turnover (whichever is higher).

What’s more, individuals can sue a business for compensation to recover both material damage and non-material damage, like distress.

Article 82 of the GDPR states that any person who suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered.

Therefore, it’s possible that compensation claims could reach huge numbers if a breach occurs on a large scale under the new rules, increasing financial losses as well as consuming vast amounts of time dealing with individual litigation. Just consider the recent British Airways data breach, where BA revealed that 380,000 customer transactions had been compromised. As well as potentially facing an enormous fine under GDPR, it may be the case that every customer will be eligible for compensation.

3. Dealing with SARs

Subject Access Requests (SARs) are not a new component of the GDPR; they were first introduced under the 1998 DPA. However, GDPR has made several changes to the way that SARs (or a Right of Access, as they are known under GDPR) operate, which organisations must be aware of.

To begin with, organisations can no longer charge for producing SARs, and they have less time to complete them (one month, instead of 40 days).

Exonar’s own research found that many organisations struggled to meet the deadline for providing answers to FOI requests (FOI requests must be completed within 20 working days), highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

The time taken by public sector organisations to respond to an FOI varied from one day to 159 days. On average it took 24 days, with the NHS averaging 27, emergency services 21, central government 22 and local government 23 days.

In another survey Exonar carried out before GDPR came into force, 57% of individuals said they would want to request their data as there is now no cost. This means organisations need to ensure they are prepared for a significant increase in the number of requests they handle.

They also need to ensure they are giving users the data they are expecting. For example, Spotify users recently noticed that although they have access to data download tools, to get hold of all of the data held – such as telemetry or A/B testing – a SAR needed to be sent to Spotify’s privacy team.

But the latest technology can help. Platforms are available that can map and understand any information held and create an index which can then be searched in seconds, no matter how much data is held. This greatly reduces the time and cost of managing data and compliance, and in fact it can reduce the cost of processing a SAR to zero.

4. Understand your data

Achieving compliance with the principles of GDPR is an ongoing task, but it becomes a simple one with added benefits once you understand the data you hold and how it’s processed. A completed audit shouldn’t mean you then stand still. Data should be continually reviewed to better organise and refine management processes.

Removing risk, especially if it’s data that has no value, is vital. When you understand your data, it makes it much easier to identify and act on duplicate, obsolete or redundant data and therefore minimise storing and processing costs.

The latest tools are able to search your sensitive information and index files in any format, no matter where the data is held, such as mail servers or the cloud. This means locating and understanding information like passwords, credit card details and confidential records is simple.

5. Beyond GDPR

Although it applies mainly to data processing, the effects of GDPR are far reaching and a successful programme of compliance often brings additional benefits, such as improvements in efficiency and productivity, tighter cyber security and increased customer loyalty and trust.

Of course, in a perfect world, data would already be stored securely and processes would be in place to ensure continued compliance.

But the good news for any businesses concerned about GDPR compliance and surviving the next 100 days is that the tools mentioned above are all available today. And not only will they help you become compliant, but they will ensure you remain compliant and in control of your data.

Adrian Barrett, CEO and founder, Exonar

To find out more about the tools that can help you to discover and understand your data, visit exonar.com. For specific help with SARs, see sarlution.com.

Simplifying GDPR – Get the team signed up and on the pitch

In the beginning, there was a team – Read Part 2 of our essential guides to GDPR

Explain GDPR to your organisation, identify your board sponsor, form a posse from legal, compliance, technology and your key personal information owners like HR and customer services. Then get everyone in a room, work out your high-level programme plan and cost it across internal resource, external advice/resource, tech spend, training and ongoing costs. Then you’ll all have a pretty clear view of life under GDPR.

Our free guides will cut through the myths and help you get a grip on GDPR as May 25th approaches – and here is Part 2. Let us help you see GDPR in a different, practical light.

Read Part 2

 

Simplifying GDPR – Your Essential Exonar Four-Part Guide

Understand the game – then score some easy wins and be 2-0 up by half-time

It’s one of those large-scale legislative changes to the way we all work that always seems a long way off and then suddenly heaves into view – GDPR. 

We’ve plenty of thoughts on the subject, thoughts that we believe are worth sharing and will help you in your approach to managing this new regulation.

At Exonar we help you map and understand your personal data: instantly, simply and at scale. Yes, GDPR arrives on May 25th 2018. Yes, the clock is ticking – but no, it’s not the complex and resource-sapping behemoth you could be excused for assuming. It’s an evolution of the UK’s existing Data Protection Act 1998, not a revolution; it clarifies, simplifies and codifies data protection for the digital age. It’s also a terrific opportunity to streamline the way you use personal data – in easier and more effective ways than you might think – while adding significantly to your audience’s trust in your organisation and brand.

Our free fortnightly guides will cut through the myths and help you get a grip on GDPR as May approaches – and here is Part 1. Let us help you see GDPR in a different, practical light.

Read Part 1

 

Exonar joins forces with MyLife Digital – for the good of trees

Newbury-based Exonar has joined forces with MyLife Digital to provide an end-to-end solution to organisations who need to solve their General Data Protection Regulation (GDPR) problems, especially when it comes to Subject Access Requests (SARs).

GDPR has been around for two years; the enforcement date is set as 25th May 2018. From this date the Information Commissioner’s Office (ICO) will be holding UK organisations accountable to the principles of this legislation rather than the Data Protection Act. As information about the GDPR has been available since 2015, there will be no further grace period – basically, we are already in it.

So, has your organisation used the last two years to prepare for the changes? Do you know where all the data is? Who has access to it? When was it collected and which Privacy Policy was in place at that point in time? How do you retrieve all the information required if a customer requests to see it? – Possibly not, but you are not alone.

Exonar’s GDPR Dashboard supplements the Consentric Permissions offering as a connected software service for end-to-end management of personal data and compliance. When the two technologies are used together your organisation is much better placed to be proactive when it comes to many GDPR requirements.

The GDPR Dashboard can help with data mapping, SARs, data portability and the right to be forgotten. It shows an overall picture of all the data held by an organisation that is subject to GDPR, where it is held and its characteristics.

In response to research carried out by Exonar, which found that 57% of Britons will submit a SAR – which would result in over 2.2 million trees being felled for paper for printing – a campaign was started. “Plant a Tree for Privacy” requests that for every SAR submitted to an organisation they plant a tree to compensate for the amount of paper required to fulfil the request by donating to the Woodland Trust.

Adrian Barrett, CEO and Founder of Exonar says “I have been involved in technology implementation and organisational change for over 20 years, and have seen many developments, but GDPR is quite the game changer, as significant as anything since Sarbanes-Oxley. Many organisations don’t really know where to start when it comes to the vast quantity of data they hold on customers, employees, suppliers and prospects. And that’s where we come in. Right at the beginning, or step 2 of the ICO’s 12 steps to be precise, we can help our customers to understand what they need and how we can help deliver a solution. Working with MyLife Digital being able to add Consentric Permissions into the mix presents a great opportunity to systematically solve a number of challenging GDPR problems for our customers.”

Consentric Permissions rebalances trust and control of personal data between the organisation and the member. It demonstrates that an organisation complies with data protection legislation by providing digital management for data consent and all the lawful processing justifications defined by the GDPR and the UK Data Protection Bill.

Permissions integrates across the organisation with existing CRMs, Campaign Management Tools, ESPs and other systems. It has both a self-service portal for members and a contact centre portal for staff, using organisation branding to ensure a consistent user experience.

Emma Corbett, Business Development Manager for MyLife Digital adds “It’s a very powerful story especially when it comes to the right to be forgotten and SARs. Giving an organisation the ability to find where personal data is stored and reducing the amount of human intervention between the request submissions and conclusion really speeds up the process and provides the customer with a better experience. Added to the ability to manage their own permissions in a company branded self-serve portal or via a contact centre portal, organisations can really align to the principles of the new regulation. They can be accountable, transparent and empower customers when it comes to the use of their personal data. This will help strengthen trust between both parties, increasing loyalty and protecting the organisation’s brand reputation.”

 

For more information about Consentric Permissions visit: https://consentric.io/solutions/permissions/

www.consentric.io
www.mylifedigital.co.uk
exonar.com
For interview or photograph opportunities contact:
Debbie Betteridge | Email: dbetteridge@mylifedigital.co.uk | Tel: +44 (0) 1225 636 280 (ext. 322)
Mobile: +44 (0)7771 564998

 

Notes to Editors
About MyLife Digital Limited
The MyLife Digital Group operates in the Personal Information Management Services (PIMS) sector, one of the fastest growing and most dynamic sectors in the UK (and global) economy. Existing MyLife Digital Group companies, Wood for Trees and PGIR already have an established, and growing, base of analytics services clients and considerable data science and sector expertise.
MyLife Digital Ltd, Citizen House, Crescent Office Park, Clarks Way, Rush Hill, Bath, BA2 2AF

About Exonar
Exonar enables organisations to better organise their information, removing risk and making it more productive and secure.
To accomplish this, they have assembled a leadership team who understand the regulatory and data challenges organisations face, and as a result, are able to rapidly innovate; adapting to and exceeding client requirements. It is why FTSE 100, Big four consulting firms and household brand names choose to work with the small, fast-growing team at Exonar to deliver their critical projects.
Exonar, 14 West Mills, Newbury, Berkshire, RG14 5HG


Solve the ICO’s Step 2 ‘Document What Personal Data You Hold’

What We’ve Been Reading And Writing This Month

GDPR Data Discovery
Plus – Become a GDPR Millionaire!
PwC and Exonar bring new data discovery and remediation services to market
PwC and Exonar form alliance to bring new data discovery and remediation services to market Partnership will bring together PwC’s world-leading data discovery knowledge with Exonar’s ground…
Preparing for GDPR has completely changed Lloyds’ digital marketing strategy
Two years into preparing for the May 2018 GDPR deadline, Lloyds Banking Group has overhauled its CRM strategy across its major brands to focus on ‘how to’ content rather than product…
How the GDPR will disrupt Google and Facebook
We all know about the Data Protection Act – the rules that govern who gains, keeps and distributes your all-important personal data and how. As headlines of massive data breaches have…
Subject access requests: revised guidance from the ICO -...
The first draft of the Data Protection Bill (DPB) was released on 13 September 2017, following its second reading in the House of Lords. This bill is designed to bring the UK’s data…
Get our free GDPR report
Everything you need to know about the upcoming EU ePrivacy Regulation on the Respect for private life and the protection of personal data in electronic communications and repealing…
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
Millions of UK consumers may submit subject access requests (SARs) to find out what personal information businesses hold on them after the GDPR goes live in May next year, with financial…
We Are Hiring - Marketing Executive - Exonar
Unless you’ve been living under a rock, you’ll have noticed that there are lots of people talking about GDPR – which is a good thing. However, there is lots of nonsense being talked about…
Heineken Pet
The Somewhat Related Section: Become A GDPR Millionaire
Read the original blog by Rowenna here: http://missinfogeek.net/gdprubbish/ If PCI DSS paid off the mortgage, then GDPR looks well on its way to buy the yacht. But how does one go about…

A Headlining Week for Privacy, SARs and Err, Trees

Privacy Has Been Hitting the Headlines

What We’ve Been Reading And Writing This Month

Personal Information and Subject Access Requests
Plus – Saving Trees for Privacy?
IDC Insight - Exonar Probes Depths Where No GDPR Solution Has...
When GDPR goes live, people will be able to submit subject access requests to current and former employers
Apple actively promoting Privacy as a selling point but...
At Apple, we build privacy into every product we make, so you can enjoy great experiences that keep your personal information safe and secure.
How the GDPR will disrupt Google and Facebook
…seen in an Apple store in Chicago – Exactly what GDPR should stop
Normally one of the bastions of privacy data, below is a sign that was spotted in an Apple retail outlet in Chicago recently. In essence, it assumes full consent is given for Apple and its…
Subject access requests: revised guidance from the ICO -...
At 9.24pm (and one second) on the night of Wednesday 18 December 2013, from the second arrondissement of Paris, I wrote “Hello!” to my first ever Tinder match. Since that day I’ve fired up…
Get our free GDPR report
You have the right to get a copy of the information that is held about you. This is known as a subject access request.
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
Download our report: the impact of GDPR when privacy regulations change
In May next year, the UK’s Data Protection Act will be superseded by the GDPR. The GDPR is designed to give citizens more control of the information organisations hold on them and how that…
We Are Hiring - Marketing Executive - Exonar
SARs can be over 800 Pages long. Where do we start?
I did my own SAR on my own bank. This is it (actually, it’s less than half of the information they hold on me but they filtered the request). Arrived via DHL in 2 huge boxes…
Heineken Pet
The Somewhat Related Section – Planting trees for privacy. Really?
Yes, odd, we know but this 90 second video explains all – we felt bad after the SAR experiment on the left, not just for trees but for the employees that have to generate SARs…

Millions of Brits set to make GDPR personal information requests

Finance, telecoms and even social media in the firing line as customers set to demand a copy of personal information held on them

LONDON, November 1st 2017 – New research released today shows that millions may submit Subject Access Requests (SARs) to find out what personal information businesses hold on them after the General Data Protection Act goes live in May 2018.

The research, conducted by Exonar, a leading provider of General Data Protection Regulation (GDPR) data mapping and data inventory solutions, set out to identify what people know about how their privacy rights will change in May 2018. The findings showed that 70% of people have no idea about the changes. However, once GDPR and the term SAR were explained to them, 57% said they would raise a SAR.

The research also considered which sectors will be hit hardest. Financial services topped the charts with a third of people saying they would submit a SAR to their bank and 16% to their credit card provider. This could result in around 21million* current account holders raising a SAR and around a further 8million** credit card holders also asking for information held on them.

Other targets for SARs included mobile network providers (11%), social media companies (16.4%), insurance companies (8%), loan companies (5%), utility firms (8%) and retailers (5%). A further 9% would raise a SAR on a current employer, and 4% on an ex-employer.

Julie Evans, COO at Exonar, said companies need to make the most of the time they have before the Information Commissioner’s Office (ICO) starts its consumer publicity campaigns: “Companies often ask us how they can predict how many SARs they will receive. It’s an impossible task as so much of it will come down to consumer awareness.

“At the moment all communication efforts from the ICO are focused on getting companies ready for the GDPR, but come next Spring, we expect the focus to change as they start to inform the general public about the changes. If the ICO succeeds in raising consumer awareness then, as this research shows, the floodgates will open. Businesses really do need to make the most of the remaining months to get their data house in order.”

The research found that people are worried about how their data is managed today: 27% are concerned their data could be sold, and another 27% said they worried about hacking.

As part of the research, it was explained that a SAR could run into hundreds of pages***. Almost a fifth (18%) stated ‘shock’ that a company could hold so much about them and everything they have ever done, with 15% saying that if they held that much information they would want to know exactly what it was and a further 10% went as far as to say they’d want companies to forget about them altogether.

There were also environmental concerns: a third of people (31%) said they thought SARs were a waste of paper and would prefer to receive them in a secure digital format – just over a quarter were surprised a SAR wasn’t digitized anyway. 12% said environmental concerns would put them off doing a SAR.

Evans adds: “Going digital should be at the heart of any GDPR strategy. New technologies like data mapping, big data and machine learning will make it easier for businesses to ensure personally identifiable data is easy to locate and secure. Technology can help everyone in a business to follow best practice and avoid the potentially hefty cost of failing to deal with SARs and comply with the GDPR.

“Aside from the cost, relying on manual processes is too high risk. Going digital will make the process of finding and retrieving information quicker and cheaper, and also lessen the environmental impact of completing a SAR request.”

In order to offset the environmental impact of producing paper-based SARs and to encourage organisations to consider moving towards a digital process, Exonar is asking that for every SAR that is produced in paper a tree is planted or a donation is made to the Woodland Trust.

For more information about the research go to: www.exonar.com/plantatreeforprivacy

 

Notes to editors 

About the research: 1028 adults were surveyed between 6th and 10th October 2017, by Opinion Matters.

* Approx. 21m active current account holders (33% of 65m – https://assets.publishing.service.gov.uk/media/53c834c640f0b610aa000009/140717_-_PCA_Review_Full_Report.pdf)

** Approx. 8m active credit card holders (16% of 50m – http://uk.creditcards.com/credit-card-news/uk-britain-credit-debit-card-statistics-international.php)

Calculation: 33% of 1028 people questioned said they would submit a SAR to their current account provider, and 16% said they would submit a SAR to their credit card provider, multiplied by the total active current account/credit card holders.

*** People can raise a request today but companies can take as long as 40 days and charge for the service. An Exonar employee asked their bank, with whom they have been a customer for 20 years, for the information they held on them. This picture features all the paper the employee received. It amounts to eight reams of paper.

Millions of Brits to submit SARs when the GDPR goes live

 

Finance, telecoms and even social media in the firing line as customers set to demand a copy of personal information held on them

LONDON, November 1st 2017 – New research released today shows that millions may submit Subject Access Requests (SARs) to find out what personal information businesses hold on them after the General Data Protection Act goes live in May 2018.

The research, conducted by Exonar, a leading provider of General Data Protection Regulation (GDPR) data mapping and data inventory solutions, set out to identify what people know about how their privacy rights will change in May 2018. The findings showed that 70% of people have no idea about the changes. However, once GDPR and the term SAR were explained to them, 57% said they would raise a SAR.

The research also considered which sectors will be hit hardest. Financial services topped the charts with a third of people saying they would submit a SAR to their bank and 16% to their credit card provider. This could result in around 21 million* current account holders raising a SAR and around a further 8 million** credit card holders also asking for information held on them.

Other targets for SARs included mobile network providers (11%), social media companies (16.4%), insurance companies (8%), loan companies (5%), utility firms (8%) and retailers (5%). A further 9% would raise a SAR on a current employer and 4% on an ex-employer.

Julie Evans, COO at Exonar, said companies need to make the most of the time they have before the Information Commissioner’s Office (ICO) starts its consumer publicity campaigns: “Companies often ask us how they can predict how many SARs they will receive. It’s an impossible task as so much of it will come down to consumer awareness.

“At the moment all communication efforts from the ICO are focused on getting companies ready for the GDPR, but come next Spring, we expect the focus to change as they start to inform the general public about the changes. If the ICO succeeds in raising consumer awareness then, as this research shows, the floodgates will open. Businesses really do need to make the most of the remaining months to get their data house in order.”

The research found that people are worried about how their data is managed today: 27% are concerned their data could be sold, and another 27% said they worried about hacking.

As part of the research, it was explained that a SAR could run into hundreds of pages***. Almost a fifth (18%) stated ‘shock’ that a company could hold so much about them and everything they have ever done, 15% said that if a company held that much information they would want to know exactly what it was, and a further 10% went as far as to say they’d want companies to forget about them altogether.

There were also environmental concerns: a third of people (31%) said they thought SARs were a waste of paper and would prefer to receive them in a secure digital format – just over a quarter were surprised a SAR wasn’t digitized anyway. 12% said environmental concerns would put them off doing a SAR.
