Companies under strain from GDPR requests


    Please use the sharing tools found via the email icon at the top of articles. Copying articles to share with others is a breach of FT.com T&Cs and Copyright Policy. Email licensing@ft.com to buy additional rights. Subscribers may share up to 10 or 20 articles per month using the gift article service. More information can be found at https://www.ft.com/tour.
    https://www.ft.com/content/31d9286a-7bac-11e8-8e67-1e1a0846c475

Just over a month after the EU introduced some of history’s toughest data protection rules, companies are being inundated with correspondence about their use of personal information, straining resources as they adapt to the new regime.

The General Data Protection Regulation, which came into effect across the EU in May, has radically reshaped how companies can collect, use and store personal information. With sweeping new rights for people to know how their data are used, and to decide whether they are shared or deleted, businesses and regulators are being overwhelmed with complaints.

Companies, which face fines of up to 4 per cent of global turnover or €20m, whichever is greater, if they fall foul of GDPR, have reported a sharp increase in questions from customers.

Facebook, which has also been hit by a damaging scandal about the leak of user data to Cambridge Analytica, said it had seen a three or fourfold increase in questions after the introduction of GDPR.

“We saw a manyfold increase in contacts to my office,” said Stephen Deadman, Facebook’s data protection officer. “It spiked [after GDPR] and has halved on a weekly basis since; we’ll see whether it continues or stabilises.”

Marriott, the hotel operator, has asked for extensions to the one-month response period. “We are in the process of reviewing a large volume of requests at this time and have invoked our right to extend the time period in which to respond as allowed under applicable law,” Marriott said.

Technology companies, media groups, retailers and banks are among those most targeted because of the vast amounts of information they hold on customers. Some financial institutions, which are required to collect detailed customer information for anti-money laundering, tax and accounting reasons, say the rules have proved onerous to implement alongside these other regulations.

“I anticipate reply to my request within one month, as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to [the data protection authority],” reads one letter sent to multiple companies with a nine-point list of demands.

“Do you monitor my behaviour?” reads another.

Traditional companies with legacy systems complain of a time-consuming process to review older data that span back years. Richard Killingbeck, chief executive of City stockbroker WH Ireland, said several staff had been working full-time to go back over more than 15 years’ worth of paper files — or 5,000 storage boxes. “We still do have a hell of a lot of hard-copy file review being undertaken,” he said.

Frances Coyle, regulatory counsel and deputy data protection officer at UK challenger bank Monzo, noted that the Cambridge Analytica data scandal was another factor behind a rise in questions. “People are interested to see what third parties get access to their data,” she said.

Some companies have taken drastic measures to avoid non-compliance. Immediately after GDPR came into effect, a number of businesses suspended their services in Europe, including the Los Angeles Times, the Chicago Tribune and apps including Unroll.me, which helps users unsubscribe from email spam. 

After an initial flurry of requests, companies say they are still wading through dozens of questions about data protection, which no longer have to be submitted in a particular format.

“There have been a lot of requests asking for copies of the data, some of that has come through the companies’ own portals and some have been standard-format letters — there are a number of standard-format letters out there,” said Ruth Boardman, joint head of international privacy at law firm Bird & Bird. “If you’re a consumer-facing company you may get 200 or 300 of these in a go, so there’s a real overhead from it.”

Activists have led the charge, launching tools to help users to ask for data. One Thing Less, a smartphone app based in Switzerland, has created a pro forma list of companies, ranging from Acxiom, the data broker, to phonemaker Samsung and Swarovski, the luxury brand, from whom users can request information in three clicks.

Some companies, such as Netflix, Yoox Net-a-Porter and Marriott, have not yet responded to users who requested information through the app in May, despite a requirement under GDPR to respond within a month.

Netflix said it would not work with the app unless it had an “appropriate authentication or legal process”.

“If members cannot find the information they are looking for by logging in and going to their account page, we are happy to work with them directly.”

Yoox Net-a-Porter did not respond to a request for comment.



Privacy International, a campaign group, has written to four data brokers and advertising technology companies asking why they gather certain information and share it with third parties. Max Schrems, an Austrian lawyer, has filed four complaints against Facebook and Google under GDPR.

The UK Information Commissioner’s Office received 1,106 data protection complaints in the three weeks after the rules were introduced and said reports of data breaches had risen. Dixons Carphone and Ticketmaster are among the British companies to have disclosed hacks in the past month, as required by the new rules. 

Ireland’s Data Protection Commission has received 547 data breach notifications and 386 complaints in the first month, according to research by the International Association of Privacy Professionals. Data protection watchdogs in the Czech Republic and France have each received more than 400 complaints.

Lukasz Olejnik, an independent security and privacy researcher, says it is difficult to predict whether complaints will continue to increase or die down. 

“The situation is fluid,” he said. “[There is] growing awareness on the one hand, and the gained experience by the data protection authorities on the other . . . some complaint patterns may end up being justified.”
 

Mike Palmer