The DPO Centre’s Research Results – 7 steps for handling customer data

In 2018, the GDPR was introduced to help provide consumers with more control and transparency around how their data is used. Since then, companies have had to implement a wide range of measures, with considerable time investment and financial cost, to ensure that they are handling consumers’ personal dataInformation which relates to an identified or identifiable natural person. safely and securely. This has been a lengthy processA series of actions or steps taken in order to achieve a particular end. which has been complicated further by the pandemic and the rush to the virtual world.   

In November this year, the DPO Centre commissioned research into consumers’ views on how companies are handling their personal data, hoping to gain insight into whether the work that companies have put into data protection has increased consumer trust in their data processing activities. The results of this research, conducted by Opinium Research, reveal that 44% of UK adults believe that their personal data has been mishandled by companies, suggesting that a large number of people remain concerned about how their personal data is being processed.  

The above statistic reveals a distinct lack of trust between consumers and companies, something that is also reflected in the fact that when asked, over half (54%) of respondents said that they believe companies collecting personal data for the purpose of NHS Track and Trace are also using it for other purposes. Of those that think companies are using their personal data for reasons other than Track and Trace, 40% believe they are probably are doing this, whilst 14% say that they definitely are.  

Despite a significant number of people thinking that their data has been mishandled, only one in ten said that they have considered submitting a Data Subject Access RequestA verbal or written request made by a data subject to: access their data (in a portable format if requested), be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted. (DSAR). Those aged between 18 and 34 years old are most likely to have considered submitting a DSAR (20%), compared to those aged 35-54 (14%) and 55+ (4%). The low number of people that have considered this course of action is perhaps indicative of the fact that people are either not aware of their rights, or unsure how to exercise them. However, as time goes on and awareness increases, it is probable that the rate of people submitting DSARs to companies will increase, so companies need to be ready for this. Awareness of data protection and data subjectAn individual who can be identified or is identifiable from data. rights may well be accelerated by the pandemic, as the handling of NHS Track and Trace data has pushed data protection to the forefront of many people’s minds that previously may not have considered it to be a pressing issue. 

Commenting on these results, Rob Masson, CEO at The DPO Centre, says “Companies should expect DSAR requests to increase over the coming years as one of the fallouts from the pandemic. However, they could be a costly and lengthy process that companies can easily avoid if they put the right procedures in place. An easily accessible privacy policy that explains clearly how customers’ personal data is used can often help to allay concerns that could otherwise lead to a DSAR.” 

Conclusion 

Overall, these results indicate that companies need to be doing much more to reassure customers that their data is safe and being stored and processed correctly.  

Rob Masson, CEO at The DPO Centre, concludes that “Our research reveals that businesses need to show customers that they are collecting their information in a secure and transparent way.” Being transparent with consumers is essential to gaining their trust and confidence that you are dealing with their data in the correct way.  

Below, we list seven steps that companies should take when handling consumer data that will help demonstrate to their consumers that they are taking their data protection obligations seriously:  

1. Be open and honest about the personal data you collect and how it is used by publishing the details in your privacy noticeA clear, open and honest explanation of how an organisation processes personal data. 
2. Ensure your privacy notices and policies are reviewed regularly and kept up to date 
3. Make it easy for data subjects to exercise their rights and freedoms by providing them with an easy way to contact you 
4. Respond to data subjects’ rightsUnder UK data protection regulation, data subjects have a number of rights available to them – to be informed, access, rectification, erasure, restrict processing, data portability, to object and further rights in relation to automated decision making and profiling. requests without undue delay and within statutory timescales, usually one month from identity verification 
5. Take a proactive approach to safeguarding data subjects’ rights by employing data protection by design and default (‘privacy by design’) principles when introducing new technology and processes 
6. Understand the potential ramifications of the UK failing to achieve an adequacyA status granted by either the EU Commission (EU) or UK government (UK) to third countries that provide personal data protection that is essentially equivalent to that provided in EU or UK law. decision and how to ensure that international dataflows can continue 
7. Check whether you are legally required to appoint an EU Representative after Brexit (if you process data on EU residents but don’t have a presence in the EU) 

NB: This research was conducted by Opinium Research, 13-17 November 2020 based on a 2,000 nationally representative weighted sample.