2.
GDPR BENCHMARK PARAMETERS
Rights for Data Access & Portability
Worldwide study
103 companies in the panel
Sectors:
• Financial Services: 24%
• Travel, Transport, Hospitality: 24%
• Retail & consumer goods: 24%
• Media, Telco, Utilities: 28%
Regions:
• Europe: 70%
• APAC: 11%
• NORAM: 19%
3.
GDPR BENCHMARK - BACKGROUND
GDPR: The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals
within the European Union. The regulation, which sets a new standard for consumer rights regarding their data, came into
effect on May 25, 2018. The governing body is expected to levy significant fines to companies that do not comply with the
new regulations.
Market Compliance Research: Talend, a leader in data integration and management software, conducted market research
to assess companies’ ability to comply with the new GDPR regulation. The analysis involved the following:
• Assessing whether or not companies had updated their privacy policies to account for GDPR
• Researching whether or not companies had dedicated ways for consumers to request GDPR data (i.e., the personal
information the company has on them)
• Requesting GDPR data and assessing how quickly and thoroughly companies comply
• Requesting GDPR data in a way that may be directly accessed and reused by the individual (data portability)
The research involved 103 GDPR-relevant companies across the globe (EU companies or companies based in the U.S. or
APAC that conduct business in Europe) from a range of industries (Retail, High-Tech, Media, Transport/Travel/Hospitality,
Utilities/Telco, Public Sector, Finance).
4.
SURVEY HIGHLIGHTS
Policies are defined…
• 98% have updated their privacy policies for GDPR
But are not enforced… or poorly delivered
• 70% failed to provide the data requested in 30 days!
• 21 days: average time it took compliant companies to respond
5.
GDPR COMPLIANCE - REGIONAL BREAKDOWN
EU-based companies were less likely to comply with GDPR than companies outside the EU
• 35% of European companies passed vs 50% of non-European companies passed
• Almost 90%: French and Southern European companies had the highest failure rate of any region
6.
GDPR COMPLIANCE - INDUSTRY BREAKDOWN
While most industries are doing a poor job of complying with GDPR, retailers are by far the worst offenders
• 47% Travel/Transportation/Hospitality
• 24% Retailers
• 50% Financial Services
• 40% Media/Telco/Utilities
[Chart legend: Compliance, Failure]
7.
GDPR COMPLIANCE – COMPLIANT COMPANIES
• 30% provided GDPR data upon request within 30 days
• 21: the average number of days it took compliant companies to respond
• 6%: the percentage of compliant companies that asked for an extension* to comply
• 22%: the percentage of companies that responded in 24 hours
• 65%: the percentage of companies that answered in 10+ days
*Allowed under Article 12.3 of GDPR
8.
ADDITIONAL EXPERIENCES
• 7% of companies mistakenly assumed we were asking
to be forgotten (half of them were hospitality leaders)
• 4 companies actually deleted our account and data
without notice
• Some companies asked for a range of personal data
before beginning our request (ID, loyalty number,
birthday, data of transactions…) and then still didn’t
comply
• Virtually every company failed to fulfill our request for
data portability
• 4 companies asked “what do you mean by personal
data”?
• A leading global firm in the financial sector fulfilled our
request by sharing the data they held on us through
printed pages that they physically delivered through a
secure mail courier.
• Only a few delivered a 1-click memorable customer
experience, including Spotify (Sweden), N26 (Germany),
Garmin (US), and Next (Germany). They offered a clear
explanation of their usage of our personal data, direct
access to our data via a portal, and data portability.
9.
THE ROAD TO COMPLIANCE: WHY DO COMPANIES FAIL?
• The majority of companies do not
adequately track personal information
• Lack accountability
• Absence of Data Privacy Owner (DPO)
• No department clearly appointed to answer
requests
• Lack data control and visibility
• Can’t identify customers: some companies
have requested personal data in order to start
processing the requests
• Can’t locate data or deleted data
• Provided incomplete data sets (siloed data)
• Lack proper processes or tools
• Need for human data integrators
• Companies are overwhelmed: fail to deliver
after the extension with article 12.3
10.
OUR KEY TAKEAWAYS
• LEGAL VS CUSTOMER: GDPR is seen as a legal project and not as a driver for better customer experience, engagement, and trust
• DATA CULTURE / DATA OWNERSHIP: How organizations empower data workers towards GDPR and the importance of having a data owner or controller
• CUSTOMER 360°: Customer data is siloed and the majority of companies do not know their customers
• AUTOMATION: Organizations do not have automated processes: GDPR is not a one-click process (human data integrator)