The Information Commissioner’s Office has warned organisations that failing to honour data access requests made by customers, or failing to do so within mandated timelines, could expose them to criminal prosecution under GDPR.
In January, a report from cloud data integration solutions provider Talend revealed that as many as 74 percent of UK-based organisations were unable to honour data access requests as mandated by GDPR, even though over six months had passed since the new data protection law came into effect in Europe.
The report added that only 17 percent of organisations were able to honour data access requests from their customers within the mandated 30-day timeline, while 9 percent of them were honouring such requests but were failing to do so either completely or within the required timeline.
“A delay, or complete lack of a response, will only continue to damage free-falling consumer trust in how organisations store and organise their data. What’s more, the world is on tenterhooks waiting for the first major fine to be enforced for a breach of the GDPR,” said Jean-Michel Franco, Senior Director of Data Governance Products at Talend.
“After all, consumers are now feeling more empowered to put companies and regulators under pressure to ensure that their rights are respected, whether through individual complaints or group action, as we’ve seen recently with a huge spike in reports to the ICO (up by 160 per cent) and class action by 45,000 European citizens driven by three associations including Privacy International,” he added.
ICO reads the riot act to firms flouting GDPR
The Information Commissioner’s Office has not taken kindly to the open flouting of GDPR by a majority of organisations that process customer data, stating recently that failure to honour data access requests within thirty days could expose organisations to criminal prosecution.
“The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.
“Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution,” said Mike Shaw, Criminal Enforcement Manager at the ICO.
Last Thursday, Westminster Magistrates fined housing developer Magnacrest Ltd nearly £1,500, including prosecution costs, victim surcharge, and monetary penalty, for not honouring a subject access request in April last year and also ignoring an enforcement notice issued by the ICO. The fines were imposed under the Data Protection Act, 1998 as the offence took place prior to the arrival of GDPR.