To what extent do EU consumers intend to exercise the rights they have under the General Data Protection Regulation (GDPR) when the GDPR compliance deadline of May 25th is here?
It’s a major question for organizations trying to get compliant with the General Data Protection Regulation for several reasons. For starters, many of the duties which data controllers and data processors have to fulfil in the scope of data subject rights – and thus the necessary steps to make it all possible – are about responding to requests from data subjects (people – or consumers – protected by the GDPR personal data protection and privacy stipulations).
Secondly, although GDPR fines aren’t the first thing to focus on when preparing your journey towards GDPR compliance, which starts with GDPR awareness, the administrative fine mechanisms and the guidelines regarding their application do explicitly mention data subject rights and the degree to which they can be exercised (which includes an organization’s technical and organizational measures to enable this, the willingness to do so, the types of data processing activities and nature of personal data involved, with a focus on sensitive data and more risky processing activities, and much more).
Expectations regarding EU consumer requests in the scope of GDPR rights
And obviously, from the perspective of the organization there is also the matter of costs. There are ample solutions in the market, enabling data subjects to exercise their rights including data subject access rights portals which we intend to use since GDPR goes for small businesses too.
However, solutions alone don’t cut it and whether you plan the usage of a data subject access rights portal in your strategic GDPR plan or not: dealing with a request in the scope of exercising data subject rights simply takes tools, time and investment.
So, the question is important on various levels and in reality only the future can tell. As mentioned in a previous post, for the moment there isn’t too much attention for the GDPR in general media in many EU countries, let alone in business media.
Some governments and supervisory authorities have also been more active in creating awareness about GDPR among the broader population (and businesses too) than others. So, when the question regarding the degree to which data subjects will ask to exercise their rights comes up, you can get very different answers per country.
However, you can bet that, as is often the case with media and, let’s face it, with many government bodies, awareness efforts and attention for the GDPR will go up as the compliance deadline approaches (as tends to happen with other ‘newsworthy’ events too).
Moreover, consumers aren’t stupid. They increasingly do get mails from the companies they work with, from traditional businesses to the owners of the digital and social tools they use, saying that all sorts of policies are changing for a reason, namely GDPR.
Simply put: we wouldn’t bet on those who say that consumers won’t leverage their data subject rights too much.
EU consumers, despite not knowing the extent of the GDPR and the very existence of the Regulation as such, are eager to leverage data subject rights
In fact, according to a press release we got on January 4th about a survey by Pega, EU consumers are eager to determine what companies can and can’t do with their personal data.
A whopping 82 percent of EU consumers would intend to take advantage of their rights including the right to know what personal data organizations have about them, to see those data, to restrict processing under the conditions the GDPR foresees and/or to erase data, a.k.a. the right to erasure.
As pretty much everyone in ‘the industry’ knows and Pega emphasizes, most organizations aren’t able to know and trace where personal data sits (from name and phone number to buying history, online activity or real-time location to mention just some of the many personal data identifiers that are processed by various divisions), let alone know where sensitive data sits. Information silos once again get explicitly mentioned.
While the GDPR offers organizations a chance to try to solve those information silo challenges once and for all, realizing it in practice turns out to be a headache, as is the adaptation of the information technology infrastructure in order to respond to GDPR-related consumer demands. And we haven’t even touched upon the consent-related data subject rights, where consent is chosen as a legal basis for lawful processing and having gained consent, among others, needs to be proven (with special rules for explicit consent). The rights mentioned in Pega’s 82% number are indeed essential data subject rights.
Pega does emphasize that many of the over 7,000 consumers it surveyed in 7 EU countries don’t exactly know yet what the rights they have under the GDPR mean.
While, as said, that awareness among consumers can only grow, the survey found that, despite not knowing the what and how of GDPR and GDPR rights in much detail, 90 percent of consumers want direct control over the way businesses use their personal data and 89 percent want to see the personal data that organizations have/process about them.
Taking into account what we mentioned earlier, it’s not surprising that only 21 percent of consumers know what the GDPR is or what they can do under the regulation. That leads Pega to conclude that once consumers are largely conscious about them, as is poised to happen, the exercise of data subject rights is bound to, well, be significant at the very least and indeed potentially massive.
If that scenario is indeed what can be expected, then that’s not the kind of situation you want to be in if you haven’t put the proper mechanisms and measures in place by May 25th.
Derk-Jan Brand, Managing Director Pegasystems, Benelux & Nordics, states that from the research you can indeed conclude that most consumers will eagerly make use of their right to more supervision of data that companies store about them.
However, while the prospect of massive requests for information can lead to panic in some companies, smart companies view GDPR as an excellent opportunity. With the right GDPR strategy, they can sustain their future success, offering a better customer experience with the same infrastructure needed for GDPR compliance, he reminds.
A truism indeed. But now comes getting it done, and by the looks of it that is not the first priority for loads of organizations still figuring out how to do it in practice. If Pega is right, king customer will not wait.