From May 2018 on, the new EU privacy regulation, the General Data Protection Regulation (GDPR), will be in full force for all firms handling European consumer data. This legislation strives to give consumers transparency and control over their data. In order to find out how well-prepared European firms actually are, iWelcome initiated a comprehensive GDPR research programme. Consumer-facing online services in 7 key countries and 6 industries, a total of 89 data-controlling firms, are being monitored. The first results show that 80 percent of them are nowhere near being GDPR-compliant.
According to the research, all countries in scope are still far behind. The Netherlands is doing slightly better, being somewhat further along the way to GDPR compliance. “The Dutch are pragmatic in their adoption of regulations and also see privacy-aware consumer services as an opportunity,” states Maarten Stultjens, Vice President at iWelcome. “iWelcome, founded in the heart of a privacy-aware culture, is globally recognised for unparalleled Consent Management technology.” The country with the lowest GDPR-compliance score is Switzerland, where consent is rarely demanded and very basic privacy statements are in use.
Differences per industry
Looking at the GDPR-compliance score per industry, significant differences have been noted. Non-Profit scored very low on GDPR compliance, whereas Retail/E-tail & Consumer Products and Media & Publishing scored significantly better. This applies in particular to asking consent for the use of personal data: Non-Profit organisations again scored lowest on consent and Retail/E-tail & Consumer Products scored better.
Consent for use of data
Under the GDPR, data controllers (i.e. organisations offering consumer services) need to ask for the customer’s consent for the use of additional data (data not strictly needed to perform the service). The purpose of use should be specified and crystal clear. The UK scored relatively better on consent. “Overall, firms do not apply a straightforward way to ask for the customer’s consent. The purpose of use is hardly mentioned and never mentioned on a granular level (specified per attribute), as it should be according to the GDPR. One of the few data controllers in our research that did apply a purpose specification per attribute was the BBC. Companies face a major challenge to become fully compliant, especially when it comes to asking for and registering consent,” says Maarten Stultjens.
Access to data
Another remarkable outcome is that data controllers located in the UK charge their customers an administrative fee to exercise the right of access to their data: 54 percent of the investigated firms in the UK charge their customers for this. This is not GDPR-compliant, but it is in line with the current UK regulation. Data controllers will have to provide this customer right free of charge by the time the GDPR is in force. Another aspect that only 11.2 percent of all firms address is the data retention period. Plenty of firms mention that they store your data ‘as long as needed to fulfil the purpose’, yet do not actually state for what period of time data will be stored, nor do they specify it per category of data.
“Based on our research we conclude that European firms are by far not ready for the GDPR. Firms need to be more transparent in their communication with customers when it comes to personal data. Just 20 percent of all firms have implemented some GDPR requirements. By May 25th all these companies need to be 100 percent compliant to prevent tremendous fines, but even more important to build trusted relationships with European citizens. Leaders in the market see the strategic value of building customer intimacy in a way where the privacy of these customers is respected. iWelcome provides the platform to become and remain compliant and build trusted customer journeys at scale,” concludes Maarten Stultjens.
About the research
iWelcome’s research is being conducted in the period leading up to May 25th, from a consumer’s perspective, by registering online with each service. Whenever the registration process doesn’t provide clear findings, the organisation’s privacy policies are checked as well.
Due to the nature of the research, only the variables that are relevant for customer interaction have been tested. Underlying arrangements within organisations (for example designating a Data Protection Officer) have not been measured. The ongoing research will monitor the state of compliance of European organisations every two months.