Up to 10 million UK consumers could seek compensation from companies which hold their data when GDPR comes into force next May, according to a new study, which exposes the potential scale of the issue facing tens of thousands of companies – clients, agencies and data suppliers – across the country.
There have already been dire warnings of a tsunami of requests, with an army of “ambulance chasing” legal firms waiting in the wings. But while some reports estimate that up to 70% will exercise their rights to find out what data is held on them, this is believed to be the first study to reveal how many people would actually seek financial redress.
To compound the issue, under GDPR, so-called “data access requests” must be turned around free of charge and within 30 days.
The survey of 1,000 UK consumers was carried out by Unicom Global’s Macro 4 division in partnership with MaruUsurv.
It suggests that around half (52%) of the adult UK population of 42 million people would make a request if they suspected their personal information was being held without their consent; two-fifths (39%) would consider doing it just because they are curious to see what data companies are holding about them; and a quarter (26%) would make a request if there was a chance of compensation, if the rules were not being followed or their privacy was being breached, for example.
Some 17% would make a request in order to ‘get back’ at companies who had given them a negative experience. In fact, only 7% of UK consumers would not be interested in seeing the personal information companies are holding about them
Macro 4 marketing manager Lynda Kershaw believes that GDPR requests will pose a major challenge for organisations both because personal data now includes so many different types of information and because it is difficult to predict just how many requests to prepare for.
She added: “Personal information can be anything that is identifiable to an individual: everything from contact details, date of birth and credit card numbers, to information within emails and social media conversations, letters, bills and policy documents. Much of this is unstructured information held in separate systems controlled by different business departments and cannot be pulled together at the snap of your fingers.
“And things get even more complicated if you’re an online or ecommerce business that tracks people’s online behaviour, such as the web pages they visit and ads they click – for marketing purposes. Under the new rules, cookies, IP addresses and other online identifiers all count as personal data. You need to explain exactly how you are using this kind of information, and be able to respond to customer queries about it, too.”
Brace yourselves for the GDPR data ambulance chasers
70% of customers plan to demand to see their data
Privacy chief Denham hits out at GDPR scaremongering
Firms face bombardment of data requests under GDPR
GDPR compensation to dwarf £30bn bill for PPI claims
Half of all firms still not compliant with 1998 data laws
Data compensation claims ‘could run into millions’