With GDPR looming large on the horizon, concern mounts around the ambiguity of key aspects of the regulation, such as what will constitute ‘legitimate interest’ for capturing data, and the future validity of data from third parties.
However, one area that appears more clear-cut is in relation to ‘subject access request’ – the principle that outlines a consumer’s right to access all of the data records any given company holds on them within 30 calendar days of request.
It is anticipated that the GDPR’s introduction in May 2018 could act as a catalyst for a wave of subject access requests (SARs) from consumers, which could leave companies open to a growing industry of compensation claims as a result.
In the dark
In the UK, SARs are set to be actively promoted by the Information Commissioner’s Office (ICO) in the build-up to GDPR, with concerns building over just how little knowledge consumers have about the pervasive use of their data by many of the brands they have relationships with.
According to research from Exonar, 70% of consumers currently have no idea they might be able to make SAR requests.
However, when told that a SAR could run into hundreds of pages, almost a fifth of Exonar’s respondents stated ‘shock’ that companies potentially held this much about them, with 15% saying that if they held that much information they would want to know exactly what it was and a further 10% stating they’d make a ‘right to be forgotten’ request as a result.
In separate research from UNICOM and MaruUserv, it was found that 52% of consumers would likely make a request if they suspected their personal information was being held without consent.
26% also stated they would make a request if there was a chance of compensation – a possibility under GDPR, if privacy is being breached. 17% said they would make a request in order to ‘get back’ at companies who had given them a negative experience.
The new PPI?
At a roundtable GDPR event in October, security and data privacy experts raised the concern of compensation claims in the wake of GDPR, which, they said, could lead to “an army of ‘no win, no fee’ compensation lawyers” which could do more damage than the 4% annual turnover fines GDPR legislation will allow.
Robert Bond, a partner at law firm Bristows, said the legislation was almost an open goal for an industry of compensation claims to develop:
“The area we foresee [being used] is emotional distress – having ambulance-chasing lawyers saying, ‘have you lost sleep because your data might have been exposed?’.
“You can imagine, if a million people make a claim of £1,000 each, that dwarfs any of the other fines.”
Cloudian global technical director Neil Stobart agreed, saying: “You can guarantee there will be a whole industry out there.”
The marketing role
In the build-up to GDPR’s introduction next year, many marketing professionals are questioning their role in ensuring their brand’s compliance with the new regulations.
Lynda Kershaw, marketing manager at Macro 4, says the prospect of compensation claims from customers highlights just how necessary marketers are to how brands communicate their use of customer data.
“42% of consumers find it difficult to keep track of personal information they have consented to organisations collecting,” she said. “41% would be more likely to use a company that made it easier to understand what personal information they are holding and how it will be used.
“You need to explain exactly how you are using this kind of information, and be able to respond to customer queries about it, too.”
The aforementioned GDPR panel, which also included EY global GDPR lead consultant Noris Iswaldi and University of Suffolk director of IT Peter O’Rourke, said that the biggest challenge of GDPR was that it was too often being left to IT leaders to oversee.
“The struggle is they think it can be solved by IT and it cannot,” said Stobart. “The data owner needs to look at their data, and say whether it’s relevant for them to keep.”
Exonar’s research stated that the organisations most likely to be hit with an abundance of SAR requests and possible compensation claims were those in financial services, telecoms and social media.
A third of people said they would submit a SAR to their bank (the equivalent in the UK of around 21 million current account holders).
11% said they’d submit a request to their mobile network provider, 8% to a utility firm, and 5% to retailers. A further 9% would raise a SAR on a current employer, 4% on an ex-employer.
Chris is Editor of MyCustomer. He is a practiced editor, having worked as a copywriter for creative agency, Stranger Collective from 2009 to 2011 and subsequently as a journalist covering technology, marketing and customer service from 2011-2014 as editor of Business Cloud News. He joined MyCustomer in 2014.