Guardum DPOs
DSARs and the impact of COVID-19
May 2020
Project overview and methodology
• The survey was conducted among 100 UK DSAR managers in organisations of 250 employees or more
• At an overall level results are accurate to ± 9.8% at 95% confidence limits assuming a result of 50%.
• The interviews were conducted online by Sapio Research from 29th April to 5th May 2020 using an email invitation and an online survey.
Summary and Overview
1. DSAR managers want more resources – On average just over half of DSARs are completed within 30 days, with an average cost of £4884.53. Almost half said that, if given the opportunity, they would invest to automate the process to reduce time and effort; 40% would increase the 30 day timeframe for standard compliance.
2. Organisations are grappling with data privacy regulation – Almost half have difficulty in obtaining data from multiple departments when attempting to fulfill privacy regulations. The most common concern for DSAR managers around privacy is being fined due to non-compliance. 29% also believe data compliance is trumping commercial interests at senior levels in their organisations.
3. DSAR managers are divided on opinions around privacy – A combined 40% believe that there is a trade off to be made between the collective good and an individual’s right to data privacy, though a quarter are strong advocates of an individual’s right to transparent access to data.
4. Lockdown has the potential to cause DSAR managers a headache – 75% are already having some difficulty meeting data compliance obligations during the lockdown, with 30% expecting a massive increase in DSAR requests post-Covid return to work.
Key stats
• An average of 28 DSAR requests are received a month
• 33% - DSARs that come through legal representation
• 48% of DSARs take longer than 30 days to complete
• 30% of a DSAR manager’s time is taken up responding to DSARs
• Just 6% think that the COVID-19 pandemic will lead to an unqualified acceptance of less data privacy amongst the public
• 63% - The process of handling DSARs incorporates both manual and automated processes
Main Findings
An average of 28 DSAR requests are received a month by UK DSAR managers
Q1. How many DSAR requests do you receive in an average month?
• 1 – 5: 9%
• 6 – 20: 30%
• 21 – 50: 46%
• More than 50: 15%
Mean: 28.1
Base: 100
Highest for 5000+ employee companies (36.5)
Lowest for primarily B2B organisations (17.5)
48% of DSAR requests originate from customers, 46% from employees or contractors. 33% overall come through legal representation
Q2. What percentage of the requests you receive are from:
• Employees/ex-employees or contractors: 31%
• Customers: 30%
• Legal representatives representing customers: 18%
• Legal representatives representing ex-employees: 15%
• Somewhere else: 5%
Base: 100
33% from legal representatives
Customers total: 48%
Employees total: 46%
Just over half (52%) of DSARs have been completed within the standard 30 days in the last 12 months
Q3. What percentage of your organisation’s DSARs have been completed in the following timeframes in the last 12 months?
• Up to 30 days: 52%
• 31 – 60 days: 31%
• More than 60 days: 17%
Base: 100
48% go beyond the 30 day timeframe for standard DSAR
The average cost for completing a DSAR is £4884.53
Q4. What is the average cost for completing a DSAR (including both normal and complex requests)?
• Up to £2,999: 28%
• £3,000 – £5,999: 41%
• £6,000 – £9,999: 24%
• £10,000+: 7%
Base: 100
Mean: £4884.53
• Spending increases as company size increases
Mean cost by number of employees:
• 250-999: £3970.93
• 1000-4,999: £4536.1
• 5000+: £6812.13
On average it takes 83 working hours to complete a DSAR
Q5. How many working hours does the average DSAR require to complete?
• 0-50 working hours: 37%
• 51-100 working hours: 41%
• 101-250 working hours: 16%
• More than 250 working hours: 6%
Base: 100
Mean: 83 hours
Top for company sizes 250-999 (49%)
• Time spent goes up as company size increases
Mean working hours by number of employees:
• 250-999: 60 hrs
• 1000-4,999: 73 hrs
• 5000+: 136 hrs
On a typical day, on average 30% of a DSAR manager’s time is taken up responding to DSARs
Q6. In a typical day what percentage of your time is taken up responding to DSARs?
• 0-10%: 18%
• 11-25%: 29%
• 26-50%: 41%
• 51-75%: 7%
• Over 75%: 5%
Base: 100
Mean: 29.86%
The process of handling DSARs incorporates both manual and automated work for 63%
Q7. Is your process of handling DSARs...?
• Both: 63%
• Manual: 20%
• Automated: 17%
Base: 100
Almost half (48%) claim difficulty in obtaining data from multiple departments is one of the biggest challenges in fulfilling DSAR regulations
Q8. What are the biggest challenges you face in fulfilling the regulations associated with DSARs?
• Difficulty in obtaining data from multiple departments: 48%
• Difficulty in obtaining data held in both digital and paper formats: 40%
• Judging which data should be categorised as personal data: 40%
• Difficulty/time involved in redacting PII of others: 37%
• Lack of sufficient resources i.e. people and budget to complete requests internally: 33%
• Difficulty in obtaining data stored both on-premise and in the cloud: 33%
• Other: 1%
Base: 100
Top for company sizes 250-999 (51%)
Almost half (45%), if they could, would immediately invest to automate the process to reduce the amount of time and effort required. Two fifths (40%) would increase the 30-day timeframe for DSAR response
Q9. If you could wave a magic wand, which of the following would you change/invest in immediately?
• Automate the process to reduce the amount of time and effort required: 45%
• Increase the 30-day timeframe for DSAR response: 40%
• Get more resources i.e. people/budget: 32%
• Have less ambiguity and areas for interpretation in the way the GDPR is written: 29%
• Have greater autonomy and visibility at board level: 22%
Base: 100
For 29% of workers, the biggest concern about how their organisation handles data privacy is the chance of receiving a fine from the ICO due to non-compliance. 29% believe their boss’s biggest concern is the prioritization of data compliance by board level directors over commercial interests
Q10a. What is your biggest concern about how your organisation handles data privacy?
Q10b. What is your boss’s biggest concern about how your organisation handles data privacy?
• The likelihood of receiving a fine by the ICO as a result of non-compliance: your biggest concern 29% (top for DSAR managers); your boss’s biggest concern 24%
• The longer-term impact on your business’s reputation in the event of a fine for mishandling the public’s personal data: your biggest concern 28%; your boss’s biggest concern 26%
• Prioritisation of data compliance by board level directors over commercial interests: your biggest concern 23%; your boss’s biggest concern 29% (top for bosses)
• The ability of your team to handle a major influx of DSARs in the event of a data breach: your biggest concern 20%; your boss’s biggest concern 21%
Base: 100
47% are extremely confident they can gain co-operation across the business to complete DSARs
Q11. How confident are you about your company’s ability to do the following?
Extremely confident:
• Gain the cooperation across the business to complete DSARs: 47%
• Provide 100% of the data relating to the individual’s request: 42%
• Avoid an ICO fine for non-compliance: 42%
• Provide comprehensive details on third parties that have access to an individual’s data: 39%
• Complete the DSAR within the 30-day timeframe: 39%
• Redact all data related to others in your DSAR response: 37%
Base: 100
Over a quarter believe they are a strong advocate of an individual’s right to transparent access to data held by businesses and governments (27%). A combined 40% believe that there is a trade off between the collective good and an individual’s right to data privacy
Q12. Which of the following statements best describe your own personal attitudes to data privacy?
• I am a strong advocate of an individual’s right to transparent access to data held by businesses and governments: 27%
• I think that an employer has the right to collect and use an individual’s data such as buying, geographical movement, tastes/interest if it is for the greater national good e.g. for health or anti-terrorist purposes: 23%
• I think the rights of the individual to data privacy need to be balanced against society’s greater good: 17%
• I believe that an individual’s online behaviour e.g. buying, geographical movement, tastes/interests belong exclusively to the individual: 17%
• It’s OK to capture and resell an individual’s data provided they have given their permission to do so: 16%
Base: 100
Combined: 40%
Just 6% think that the COVID-19 pandemic will lead to an unqualified acceptance of less data privacy, with two-thirds (65%) thinking public attitudes will either revert back to where they were prior to the pandemic or actually be demanding of greater privacy and transparency
Q13. Do you think that the public’s attitudes to data privacy will change after the Covid-19 pandemic is over?
Accepting less privacy:
• There will be an unqualified willingness to accept much less data privacy: 6%
• There will be a willingness to accept much less data privacy but only if transparency is assured: 29%
Demanding more or the same level of privacy (65%):
• Data privacy attitudes after the pandemic won’t be different from those held before the pandemic: 35%
• There will be a demand for greater data privacy and greater transparency: 30%
Base: 100
Top for company sizes 5000+ (41%)
75% are having difficulty meeting data compliance obligations during the lockdown
Q14. How effectively are you able to meet your data compliance obligations during the lockdown?
• With ease: 25%
• Partially, but there will be a backlog when we return to the office: 72%
• Not at all and we expect a mountain of DSARs to complete on our return to the office: 3%
Base: 100
30% are expecting a massive increase in DSAR requests post-Covid return to work
Q15. In the six months after the Post-Covid return to work do you think you will see a change in overall volume of DSAR requests compared to before the pandemic?
• A massive increase in DSAR requests: 30%
• A similar number of DSAR requests: 55%
• A drop in the number of DSAR requests: 15%
Base: 100
73% of those who are expecting a massive increase in requests believe DSAR requests from employees furloughed or laid off during the pandemic will be a big contributor
Q16. To what extent will DSAR requests from disgruntled employees who were furloughed or laid off during the pandemic contribute to this increase?
• The single, biggest contributing factor: 20%
• As big a factor as any: 53%
• Somewhere in the middle: 27%
Base: 30 (only asked if expecting a massive increase in DSAR requests)
73% big factor
3 in 5 (61%) do not have total confidence that they will have the resources to comply with an increase in DSARs post-pandemic
Q17. How confident are you in the event of a significant increase in DSARs post-pandemic that you will have the resources to comply with them within the 30-day period?
• Extremely confident: 39%
• Moderately confident: 51%
• Not confident: 10%
Base: 100
Moderately confident or not confident: 61%
Demographics
Industry
Q18. Which of the following best describes your organisation’s primary area of activity?
• IT and technology: 23%
• Retail, leisure and hospitality: 16%
• Manufacturing/production & Engineering: 11%
• Construction: 10%
• Banking, Insurance, Finance and Accounting: 9%
• Education: 7%
• Healthcare, including pharmaceuticals and…: 6%
• Transport: 5%
• Business Services: 3%
• Local authority & Public sector: 3%
• Other: 3%
• Telecommunications & Utilities: 2%
• Childcare: 1%
• Wholesale: 1%
Base: 100
Age
Q19. Which age band do you fall in?
• 18 – 24: 7%
• 25 – 34: 33%
• 35 – 44: 34%
• 45 – 54: 17%
• 55 – 64: 9%
Base: 100
Gender
Q20. Are you..?
• Male: 73%
• Female: 27%
Base: 100
Job role
Q21. Which of the below most closely represents your job role?
• C - Level: 44%
• Director: 22%
• Manager: 34%
Base: 100
B2B/B2C
Q22. Do you work for an organisation that deals with consumers or businesses / organisations?
• Primarily consumers: 35%
• Primarily businesses / organisations: 25%
• Equal mix of both: 40%
Base: 100
Employer size
S1. Counting all locations where your employer operates, what is the total number of persons who work there?
• 250-499: 14%
• 501-999: 21%
• 1000-4,999: 41%
• 5000-9,999: 11%
• 10,000+: 13%
Base: 100