Public sector organisations are taking significantly longer than stipulated by the General Data Protection Regulation (GDPR) to respond to requests from individuals about the information held about them.
Research reveals public sector organisations have a lot of work to do if they are to avoid heavy fines for failing to respond to subject access requests (SARs) within the legal timeframe. Anyone can make a SAR to find out what information an organisation holds about them.
During the research, one public sector organisation even made an error and sent information about the wrong person to researchers, while another took almost a year to respond to a SAR.
The test was run by automation software company Bluesource, which made subject access requests to 30 public sector organisations – including the Bank of England, London Fire Brigade, the Metropolitan Police, HM Treasury, Bexley London Borough Council and the Crown Prosecution Service (CPS).
The vast majority (84%) of those organisations took significantly longer to respond to SARs than the 30 days within which they will have to respond once GDPR becomes law on 25 May 2018. Researchers had to wait 351 days for a response to one of the SARs they submitted.
Organisations risk substantial fines if they fail to comply with the rules of GDPR.
Part of the problem is the growing volume of requests being submitted, with SARs having risen by 138% over the past three years for the 30 organisations surveyed. Despite the increase, Bluesource found that less than a third of the organisations had dedicated members of staff to deal with SARs.
On the bright side, according to the study, 16% of organisations were better prepared to meet GDPR’s SAR response time, which is currently 40 days but will drop to 30 days in May.
Bluesource ranked organisations on their performance based on requests for the year 2016-2017.
The government organisations found to require the greatest improvement were the Metropolitan Police, Bexley London Borough Council and the Crown Prosecution Service.
Of 3,935 requests made to the Metropolitan Police, 1,058 were processed outside the current 40-day time limit. The CPS received 251 requests, with 89 taking longer than 40 days to respond to. Bexley London Borough Council failed to respond in time on 52 occasions.
Bexley is not alone. A recent survey by the Information Commissioner’s Office (ICO) revealed that many local councils still have work to do to become compliant with the EU General Data Protection Regulation.
The Bank of England and the London Fire Brigade were also listed as needing to improve response times.
The Care Quality Commission was the best performing public sector organisation when it came to responding to SARs, taking an average of 16.1 days to respond.
“Our research demonstrates that more people are taking an interest in how their information is processed, stored and shared. Unfortunately, many major public sector organisations are currently failing to address the influx of SARs and to ensure that they are GDPR-compliant after May 2018,” said Andrew North, commercial director at Bluesource.
“Clearly, swift improvement is required by these organisations. To avoid fines, they need to put strict data policies in place, ensure staff are appropriately trained and employ the correct data management and discovery technologies too.”