GDPR Benhmark: 70% of companies failing on their own GDPR compliance claims
1 like437 views
Talend conducted research on 103 companies' ability to comply with the GDPR regulation. They found that: 1) While 98% of companies updated their privacy policies for GDPR, 70% failed to provide requested personal data within 30 days. 2) European companies had a higher failure rate (65% failure) than non-European companies (50% failure). 3) Retailers had the highest failure rate at 47%, while other industries ranged from 24-50% failure. 4) The top reasons for failure were a lack of customer data tracking and visibility, siloed data, and lack of automated processes to efficiently handle data requests.
GDPR Benhmark: 70% of companies failing on their own GDPR compliance claims
- 2. 33 GDRP BENCHMARK PARAMETERS 103 Companies In the panel Rights for Data Access & Portability Worldwide study Financial Services 24% Travel, Transport, Hospitability 24% Retail & consumer goods 24% Media, Telco, Utilities 28% Europe 70% APAC 11% NORAM 19% Regions Sectors
- 3. 44 GDPR BENCHMARK - BACKGROUND GDPR: The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union. The regulation, which sets a new standard for consumer rights regarding their data, came into effect on May 25, 2018. The governing body is expected to levy significant fines to companies that do not comply with the new regulations. Market Compliance Research: Talend, a leader in data integration and management software, conducted market research to assess companies’ ability to comply with the new GDPR regulation. The analysis involved the following: • Assessing whether or not companies had updated their privacy policies to account for GDPR • Researching whether or not companies had dedicated ways for consumers to request GDPR data (i.e., the personal information the company has on them) • Requesting GDPR data and assessing how quickly and thoroughly companies comply • Requesting GDPR data in a way that may be directly accessed and reused by the individual (data portability) The research involved 103 GDPR-relevant companies across the globe (EU companies or companies based in the U.S. or APAC that conduct business in Europe) from a range of industries (Retail, High-Tech, Media, Transport/Travel/Hospitality, Utilities/Telco, Public Sector, Finance)
- 4. 55 SURVEY HIGHLIGHTS Policies are defined… 98%HAVE UPDATED THEIR PRIVACY POLICIES FOR GDPR 70%FAILED TO PROVIDE THE DATA REQUESTED IN 30 DAYS ! 21 days AVG TIME IT TOOK COMPLIANT COMPANIES TO RESPOND But are not enforced… or poorly delivered
- 5. 66 GDPR COMPLIANCE - REGIONAL BREAKDOWN Almost 90% FRENCH AND SOUTHERN EUROPEAN COMPANIES HAD THE HIGHEST FAILURE RATE OF ANY REGION 35% OF EUROPEAN COMPANIES PASSED 50%OF NON-EUROPEAN COMPANIES PASSED EU-based companies were less likely to comply to GDPR than companies outside the EU Vs
- 6. 77 GDPR COMPLIANCE - INDUSTRY BREAKDOWN 47% TRAVEL/TRANSPORTATION HOSPITALITY 24% RETAILERS 50% FINANCIAL SERVICES COMPLIANCE FAILURE WHILE MOST INDUSTRIES ARE DOING A POOR JOB OF COMPLYING TO GDPR, RETAILERS ARE BY FAR THE WORST OFFENDERS 40% MEDIA/TELCO/UTILITIES
- 7. 88 GDPR COMPLIANCE – COMPLIANT COMPANIES 30%PROVIDED GDPR DATA UPON REQUEST WITHIN 30 DAYS 21THE AVG NUMBER OF DAYS IT TOOK COMPLIANT COMPANIES TO RESPOND 6%THE PERCENTAGE OF COMPLIANT COMPANIES THAT ASKED FOR AN EXTENSION* TO COMPLY *Allowed under article 12.3 of GDPR 22%THE PERCENTAGE OF COMPANIES THAT RESPONDED IN A 24HRS 65%THE PERCENTAGE OF COMPANIES THAT ANSWERED IN 10+ DAYS
- 8. 99 ADDITIONAL EXPERIENCES • 7% of companies mistakenly assumed we were asking to be forgotten (half of them were hospitality leaders) • 4 companies actually deleted our account and data without notice • Some companies asked for a range of personal data before beginning our request (ID, loyalty number, birthday, data of transactions…) and then still didn’t comply • Virtually every company failed to fulfill our request for data portability • 4 companies asked “what do you mean by personal data”? • A leading global firm in the financial sector fulfilled our request by sharing the data they held on us through printed pages that they physically delivered through a secure mail courier. • Only a few delivered a 1-click memorable customer experience, including Spotify (Sweden), N26 (Germany), Garmin (US), and Next (Germany). They offered a clear explanation of their usage of our personal data, direct access to our data via a portal, and data portability.
- 9. 1010 THE ROAD TO COMPLIANCE: WHY DO COMPANIES FAIL? • The majority of companies do not adequately track personal information • Lack accountability • Absence of Data Privacy Owner (DPO) • No department clearly appointed to answer requests • Lack data control and visibility • Can’t identify customers: some companies have requested personal data in order to start processing the requests • Can’t locate data or deleted data • Provided incomplete data sets (siloed data) • Lack proper processes or tools • Need for human data integrators • Companies are overwhelmed: fail to deliver after the extension with article 12.3
- 10. 1111 OUR KEY TAKE AWAYS GDPR is seen as a legal project and not as a driver for better customer experience, Engagement, and trust LEGAL VS CUSTOMER How organizations empower data workers towards GDPR and the importance of having a data owner or controller DATA CULTURE/ DATA OWNERSHIP Customers data is siloed and the majority of companies do not know their customers CUSTOMER 360° Organizations do not have automated processes: GDPR is not a one-click process (human data integrator) AUTOMATION