Are GDPR Cracks Beginning to Show?
Privacy International recently filed complaints against seven companies for “systematic infringements” of data protection law. Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian were reported for allegedly violating three key GDPR principles.
The civil rights group wants to highlight the way in which these businesses handle data and asserts that they do not currently comply with the Data Protection Principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy.
Tip of the iceberg
Privacy International’s criticisms are based on 50 subject access requests, but the group admits that this investigation has “only been able to scratch the surface” of potential data exploitation practices. In fact, in October the Portuguese data watchdog issued a €400,000 fine to a Portuguese hospital for two GDPR violations, highlighting just how painful fines for non-compliance can be.
With the sheer volume of data financial services companies host, there is clearly scope for major issues if it isn’t managed efficiently. So why are many struggling with GDPR six months on?
Cracking the complexities
The regulations pose so many challenges – industry goliaths can receive hundreds of subject access requests every day, presenting a huge administrative headache. At the other end of the spectrum, SMEs in the financial services sector may struggle to have even the most basic of systems in place to stay on top of data management.
There is also the complexity of understanding exactly what the law requires – what data can and can’t be stored and what the “right to be forgotten” means. Consider for a moment the back-up systems that most businesses have in place – by definition they are designed to not forget things. Does forgetting mean removing references even in long-lost archives? How do companies even begin to know where every piece of data they store on someone is hosted?
Automate, don’t complicate
Despite the endless advice issued in the lead-up to GDPR, many businesses still don’t have the necessary tools in place. Companies need robust processes and systems to tackle incoming queries and ensure timely follow-up and resolution. Response is not just a matter of customer satisfaction. It’s now the law.
Fortunately, technology can play a big part in easing the GDPR burden. Some of the time-consuming administration surrounding GDPR can easily be handled by an automated system that captures data requests, freeing up the human workforce to focus on more added-value tasks. An automated system can help companies retrieve information requested by customers, especially if they hold multiple forms of data on them.
Ironically, given that many worried GDPR would be the bottleneck to the widespread adoption of AI, AI will prove central to automating subject access requests. Embracing technology and algorithms that continue to grow increasingly knowledgeable in the intricacies of GDPR will see the necessary data deleted automatically when customers request to be forgotten.
This removes the burden of compliance from financial professionals, who may legitimately spend hours trawling systems for any reference to one client, when AI can manage this in a matter of seconds. Professionals can utilise this time saving by adding value to clients instead – strengthening relationships and increasing the chances of them being brand advocates, rather than requesting to be forgotten.
No financial services company wants to see its name in the headlines for falling foul of GDPR requirements – both the financial penalties and reputational damage will prove difficult to bounce back from. Clients will inevitably move to competitors if they are suspicious that data processes aren’t up to speed. It’s therefore imperative that all businesses automate their GDPR processes, rather than struggling in silence and risking severe damage to their company in the process.