The term “data subject access request” may not exactly roll off the tongue but changes to EU data protection laws could prove a smack in the mouth to many firms by triggering a flood of compensation claims to rival PPI pay-outs.
That is the stark warning from data expert Iain Lovatt, who has been chief executive of agency Bluesheep for nearly 30 years and is also a visiting professor at the University of the West of England and sits on its Faculty of Business & Law Advisory Board – so he knows a thing or two about such matters.
He reckons some firms could be facing millions of pounds in compensation claims unless they get their customer data in order.
Under existing legislation, consumers already have the right to a copy of the personal data an organisation holds about them, and it is a legal obligation to provide records of all the information about them that is stored, used and shared.
A so-called SAR is currently subject to a £10 processing fee, which it is claimed puts off most people from making a request. But the EU General Data Protection Regulation (GDPR) could potentially see an end to this.
According to the new law, consumers will be “guaranteed free and easy access to your personal data, making it easier to see what personal information is held by companies and public authorities”.
In a blog post, Lovatt writes: “While it has not been stipulated that SARs will become free, it is prudent to assume that the process will need to become more straightforward, opening the floodgates for requests. It also serves as a very important reminder to ensure your house is in order, before it costs you millions.
“Why? If a SAR unearths any transgressions of data protection laws (for example, discovering that a customer’s credit card details were not removed from a list when asked, prior to a data breach. Or, if a customer’s details have been incorrectly held on a database that has prevented them from getting a job) your company could be in danger of facing a mountain of compensation claims.”
While settling these claims for ‘unlawful processing’ might be inexpensive individually, the volume of potential SAR cases will amount to a considerable sum, Lovatt reckons.
“Say your customer database contains a million records. If just 0.5% submit a legitimate claim for £150 worth of compensation, that’s a bill for £750,000 – without factoring in the costs associated with thousands of hours processing them. That’s just 5,000 people. Over 10 million have been pursuing PPI claims.”
Lovatt goes on to advise marketers to “make sure your ducks are in a row”, adding: “Along with knowing how your master data is collected (making it easier to refer to when you receive a SAR), you’ll need to ensure your database is clean.
“As we know, a cleaner database with single customer records will be up-to-date and accurate, with permissions and suppressions correct and in place. Plus, you’ll be able to quickly explain where your data came from, when a customer opted-in, and how you’ve used it within the Regulation guidelines.”
Lovatt concludes: “Even if my fears amount to nothing, responsible handling of customer data is no bad practice. If they do – well, don’t say I didn’t warn you…”