Guardum DPOs DSARs and the impact of COVID-19 May 2020

Post on 11-Aug-2020

Project overview and methodology

• The survey was conducted among 100 UK DSAR managers in organisations of 250 employees or more

• At an overall level results are accurate to ± 9.8% at 95% confidence limits assuming a result of 50%.

• The interviews were conducted online by Sapio Research between 29th April and 5th May 2020 using an email invitation and an online survey.

Summary and Overview

1. DSAR managers want more resources – On average just over half of DSARs are completed within 30 days, with an average cost of £4884.53. Almost half said that, given the opportunity, they would invest to automate the process to reduce time and effort; 40% would increase the 30 day timeframe for standard compliance.

2. Organisations are grappling with data privacy regulation – Almost half have difficulty in obtaining data from multiple departments when attempting to fulfil privacy regulations. The most common concern for DSAR managers around privacy is being fined due to non-compliance. 29% also believe data compliance is trumping commercial interests at senior levels in their organisations.

3. DSAR managers are divided in their opinions on privacy – A combined 40% believe that there is a trade-off to be made between the collective good and an individual’s right to data privacy, though a quarter are strong advocates of an individual’s right to transparent access to data.

4. Lockdown has the potential to cause DSAR managers a headache – 75% are already having some difficulty meeting data compliance obligations during the lockdown, with 30% expecting a massive increase in DSAR requests after the post-Covid return to work.

Key stats

• An average of 28 DSAR requests are received a month

• 33% – DSARs that come through legal representation

• 48% of DSARs take longer than 30 days to complete

• 30% of a DSAR manager’s time is taken up responding to DSARs

• Just 6% think that the COVID-19 pandemic will lead to an unqualified acceptance of less data privacy amongst the public

• 63% – The process of handling DSARs incorporates both manual and automated processes

Main Findings

An average 28 DSAR requests are received a month by UK DSAR managers

Q1. How many DSAR requests do you receive in an average month?

• 1 – 5: 9%
• 6 – 20: 30%
• 21 – 50: 46%
• More than 50: 15%

Mean: 28.1

Base: 100

Highest for 5000+ employee companies (36.5)

Lowest for primarily B2B organisations (17.5)

48% of DSAR requests originate from customers, 46% from employees or contractors. 33% overall come through legal representation.

Q2. What percentage of the requests you receive are from:

• Employees/ex-employees or contractors: 31%
• Customers: 30%
• Legal representatives representing customers: 18%
• Legal representatives representing ex-employees: 15%
• Somewhere else: 5%

Base: 100

33% from legal representatives

Customers total: 48%

Employees total: 46%

Just over half (52%) of DSARs have been completed within the standard 30 days in the last 12 months

Q3. What percentage of your organisation’s DSARs have been completed in the following timeframes in the last 12 months?

• Up to 30 days: 52%
• 31 – 60 days: 31%
• More than 60 days: 17%

Base: 100

48% go beyond the 30 day timeframe for standard DSAR

The average cost for completing a DSAR is £4884.53

Q4. What is the average cost for completing a DSAR (including both normal and complex requests)?

• Up to £2,999: 28%
• £3,000 – £5,999: 41%
• £6,000 – £9,999: 24%
• £10,000+: 7%

Base: 100

Mean: £4884.53

• Spending increases as company size increases

Mean by employee no.:

• 250-999: £3970.93
• 1000-4,999: £4536.1
• 5000+: £6812.13

On average it takes 83 working hours to complete a DSAR

Q5. How many working hours does the average DSAR require to complete?

• 0-50 working hours: 37%
• 51-100 working hours: 41%
• 101-250 working hours: 16%
• More than 250 working hours: 6%

Base: 100

Mean: 83 hours

Top for company sizes 250-999 (49%)

• Time spent goes up as company size increases

Mean by employee no.:

• 250-999: 60 hrs
• 1000-4,999: 73 hrs
• 5000+: 136 hrs

On a typical day, on average 30% of a DSAR manager’s time is taken up responding to DSARs

Q6. In a typical day what percentage of your time is taken up responding to DSARs?

• 0-10%: 18%
• 11-25%: 29%
• 26-50%: 41%
• 51-75%: 7%
• Over 75%: 5%

Base: 100

Mean: 29.86%

The process of handling DSARs incorporates both manual and automated work for 63%

Q7. Is your process of handling DSARs...?

• Both: 63%
• Manual: 20%
• Automated: 17%

Base: 100

Almost half (48%) claim difficulty in obtaining data from multiple departments is one of the biggest challenges in fulfilling DSAR regulations

Q8. What are the biggest challenges you face in fulfilling the regulations associated with DSARs?

• Difficulty in obtaining data from multiple departments: 48%
• Difficulty in obtaining data held in both digital and paper formats: 40%
• Judging which data should be categorised as personal data: 40%
• Difficulty/time involved in redacting PII of others: 37%
• Lack of sufficient resources i.e. people and budget to complete requests internally: 33%
• Difficulty in obtaining data stored both on-premise and in the cloud: 33%
• Other: 1%

Base: 100

Top for company sizes 250-999 (51%)

Almost half (45%), if they could, would immediately invest to automate the process to reduce the amount of time and effort required. Two fifths (40%) would increase the 30-day timeframe for DSAR response.

Q9. If you could wave a magic wand, which of the following would you change/invest in immediately?

• Automate the process to reduce the amount of time and effort required: 45%
• Increase the 30-day timeframe for DSAR response: 40%
• Get more resources i.e. people/budget: 32%
• Have less ambiguity and areas for interpretation in the way the GDPR is written: 29%
• Have greater autonomy and visibility at board level: 22%

Base: 100

For 29% of workers, the biggest concern about how their organisation handles data privacy is the chance of receiving a fine from the ICO due to non-compliance. 29% believe their boss’s biggest concern is the prioritisation of data compliance by board-level directors over commercial interests.

Q10a. What is your biggest concern about how your organisation handles data privacy?

Q10b. What is your boss’s biggest concern about how your organisation handles data privacy?

Your biggest concern / Your boss’s biggest concern:

• The likelihood of receiving a fine by the ICO as a result of non-compliance: 29% / 24% (top for DSAR managers)
• The longer-term impact on your business’s reputation in the event of a fine for mishandling the public’s personal data: 28% / 26%
• Prioritisation of data compliance by board level directors over commercial interests: 23% / 29% (top for bosses)
• The ability of your team to handle a major influx of DSARs in the event of a data breach: 20% / 21%

Base: 100

47% are extremely confident they can gain co-operation across the business to complete DSARs

Q11. How confident are you about your company’s ability to do the following?

Extremely confident regarding their company’s ability to:

• Gain the cooperation across the business to complete DSARs: 47%
• Provide 100% of the data relating to the individual’s request: 42%
• Avoid an ICO fine for non-compliance: 42%
• Provide comprehensive details on third parties that have access to an individual’s data: 39%
• Complete the DSAR within the 30-day timeframe: 39%
• Redact all data related to others in your DSAR response: 37%

Base: 100

Over a quarter (27%) believe they are a strong advocate of an individual’s right to transparent access to data held by businesses and governments. A combined 40% believe that there is a trade-off between the collective good and an individual’s right to data privacy.

Q12. Which of the following statements best describe your own personal attitudes to data privacy?

• I am a strong advocate of an individual’s right to transparent access to data held by businesses and governments: 27%
• I think that an employer has the right to collect and use an individual’s data such as buying, geographical movement, tastes/interest if it is for the greater national good e.g. for health or anti-terrorist purposes: 23%
• I think the rights of the individual to data privacy need to be balanced against society’s greater good: 17%
• I believe that an individual’s online behaviour e.g. buying, geographical movement, tastes/interests belong exclusively to the individual: 17%
• It’s OK to capture and resell an individual’s data provided they have given their permission to do so: 16%

Base: 100

40%

Just 6% think that the COVID-19 pandemic will lead to an unqualified acceptance of less data privacy, with two-thirds (65%) thinking public attitudes will either revert to where they were prior to the pandemic or actually demand greater privacy and transparency.

Q13. Do you think that the public’s attitudes to data privacy will change after the Covid-19 pandemic is over?

• There will be an unqualified willingness to accept much less data privacy: 6%
• There will be a willingness to accept much less data privacy but only if transparency is assured: 29%
• Data privacy attitudes after the pandemic won’t be different from those held before the pandemic: 35%
• There will be a demand for greater data privacy and greater transparency: 30%

Chart groupings: Accepting less privacy / Demanding more or the same level of privacy (65%)

Base: 100

Top for company sizes 5000+ (41%)

75% are having difficulty meeting data compliance obligations during the lockdown

Q14. How effectively are you able to meet your data compliance obligations during the lockdown?

• With ease: 25%
• Partially, but there will be a backlog when we return to the office: 72%
• Not at all and we expect a mountain of DSARs to complete on our return to the office: 3%

Base: 100

30% are expecting a massive increase in DSAR requests post-Covid return to work

Q15. In the six months after the Post-Covid return to work do you think you will see a change in overall volume of DSAR requests compared to before the pandemic?

• A massive increase in DSAR requests (Increase): 30%
• A similar number of DSAR requests (No change): 55%
• A drop in the number of DSAR requests (Decrease): 15%

Base: 100

73% of those who are expecting a massive increase in requests believe DSAR requests from furloughed or laid-off employees during the pandemic will be a big contributor

Q16. To what extent will DSAR requests from disgruntled employees who were furloughed or laid off during the pandemic contribute to this increase?

• The single, biggest contributing factor: 20%
• As big a factor as any: 53%
• Somewhere in the middle: 27%

Base: 30

Only asked if expecting a massive increase in DSAR requests

73% big factor

3 in 5 (61%) do not have total confidence that they will have the resources to comply with an increase in DSARs post-pandemic

Q17. How confident are you in the event of a significant increase in DSARs post-pandemic that you will have the resources to comply with them within the 30-day period?

• Extremely confident: 39%
• Moderately confident: 51%
• Not confident: 10%

Base: 100

61%

Demographics

Industry

Q18. Which of the following best describes your organisation’s primary area of activity?

• IT and technology: 23%
• Retail, leisure and hospitality: 16%
• Manufacturing/production & Engineering: 11%
• Construction: 10%
• Banking, Insurance, Finance and Accounting: 9%
• Education: 7%
• Healthcare, including pharmaceuticals and…: 6%
• Transport: 5%
• Business Services: 3%
• Local authority & Public sector: 3%
• Other: 3%
• Telecommunications & Utilities: 2%
• Childcare: 1%
• Wholesale: 1%

Base: 100

Age

Q19. Which age band do you fall in?

• 18 – 24: 7%
• 25 – 34: 33%
• 35 – 44: 34%
• 45 – 54: 17%
• 55 – 64: 9%

Base: 100

Gender

Q20. Are you..?

• Male: 73%
• Female: 27%

Base: 100

Job role

Q21. Which of the below most closely represents your job role?

• C-Level: 44%
• Director: 22%
• Manager: 34%

Base: 100

B2B/B2C

Q22. Do you work for an organisation that deals with consumers or businesses / organisations?

• Primarily consumers: 35%
• Primarily businesses / organisations: 25%
• Equal mix of both: 40%

Base: 100

Employer size

S1. Counting all locations where your employer operates, what is the total number of persons who work there?

• 250-499: 14%
• 501-999: 21%
• 1000-4,999: 41%
• 5000-9,999: 11%
• 10,000+: 13%

Base: 100
