GDPR Subject Access Requests – do consumers really understand?


Over the weekend I polled a few friends about their digital footprint and asked them who they had given their personal data to, if they still used the service and if they knew that things were about to change in European law with the impending General Data Protection Regulation (GDPR), which would give them more rights over their data.

Most of the answers I received made me realise that most consumers of services provided via websites, apps or electronic sign-on have little understanding of what data they have provided and continue to provide, or why they do it, and see it as a painful and necessary way to get that service as fast as possible. I also asked them “Do you read any of the Terms and Conditions?” This was met with the expression you would expect – “Are you mad?”.

Some folk are more tech savvy than others, but the mooted marketing campaign from the European Union (EU) to explain to consumers the new rights they had under the GDPR never came at the end of 2017, so most, if not all, of the public remain blissfully unaware.

That is a shame, as people need to be more conscious of what, where and how their personal data is collected and distributed in a digital-first world – not least because if you asked them for their age, sex, address, credit card number and passport they would probably say ‘no’, yet they readily tap it into a website without thinking about what they have just given away – their identity.

If consumers are not aware of the new rules, how do companies fare?

In February the FT tested the ability of six companies to satisfy a subject access request (SAR). The results were mixed, but highlighted the fact that organisations only have a few months to get themselves ready – not just for the regulation, but for the potential increase in the volume of subject access requests they may see after 25 May 2018.

So, how would your business cope with a SAR? Do you have a process or tools in place to be able to automate a complex request from a data subject for their personal data?

At Veritas we have been giving this, and other GDPR problems, a great deal of thought and have created a framework that allows businesses to understand their unstructured data so they can make better decisions on what is of value and what could be of risk – and, as an example, how to respond to a subject access request using the Veritas eDiscovery Platform.

The demonstration shows a use case of the platform for a SAR, but since we integrated classification across our range of Digital Compliance products we have been helping customers understand their unstructured data environments in a way they have never been able to before. Do you know if you have personal data stored in your unstructured folders? Are you convinced you are not storing personal data? Try our free classification tool to assess your own risk; you may be surprised by what you find stored on your laptop.