The Information Commissioner’s Office has opened up yet another can of GDPR worms by insisting that companies must accept “data subject access requests” (DSAR) over Twitter direct messages, as they constitute a “written request”.
The issue was sparked by consumer Kareem Maylah, who submitted a DSAR to SkyUK via Twitter private message only to be told by Sky that this was not acceptable and to call its GDPR team instead. The user then contacted the ICO via Twitter for advice.
In response, the ICO tweeted back: “You can make a request in writing, which may include a private Twitter message. However, an org may need to confirm your identity. If you’re unhappy with how they are handling your request, you should raise a concern with them.”
Whether the ICO will take enforcement action in cases where a company refuses to accept a DSAR over Twitter remains to be seen, but it is already one section of GDPR that is giving many companies the heebie-jeebies.
According to a recent study conducted by Macro 4, around a third of organisations are not fully compliant with the rules for handling DSARs, and 14% took longer than one month to supply the personal information requested. One company even said it would need 40 days to respond.
Meanwhile, in nearly three-fifths (59%) of the companies contacted, the first person who dealt with the customer – usually a call centre agent – was not clear about the correct process to follow in order to handle a DSAR (and in some cases was even unsure what an information request actually was). Agents had to put the customer on hold, check with colleagues or consult their systems to find out what to do.
In the run-up to GDPR, there were dire warnings that the new regulation would trigger a tsunami of data requests as soon as it came into force, raising fresh fears that many would struggle to cope. According to a poll of UK adults, commissioned by SAS, nearly half (48%) planned to activate new rights over their personal data.
However, so far the Metropolitan Police is the only organisation to have fallen foul of the UK Information Commissioner’s Office, after it emerged that the force had a backlog of over 1,700 requests for copies of data.
Although the ICO has only slapped the Met with an enforcement notice, rather than a fine, the regulator has warned companies to ensure they comply with requests within the one-month time-frame or face action for being in breach of GDPR.