Do your employees know their rights?
Privacy Culture
The first People-First Privacy Platform that puts people at the heart of privacy.
One of the fundamental motivations of GDPR is to protect the human right to privacy. This right is constantly under threat, as individuals' data can be unwittingly exploited by organisations in our ever-expanding digital and data-hungry world. And yet, 38% of employees who took part in our Culture Horizon survey in the past year stated they had 'no clue' what a data subject rights request (DSR) entails or what it looks like!
Rights is a surprising new entry in the top 5 lowest-performing themes of our Global Privacy Culture Survey 2022, especially given that privacy and data protection regulations globally have data subject rights at their core. The GDPR alone mentions 8 different individual data rights, from the right to be informed to rights in relation to automated decision-making and profiling.
Enforcement action for infringement of rights under the GDPR has made the news, with big names including Facebook Ireland, Vodafone Espana, and Google LLC hitting the recent headlines with multi-million euro fines.
And in the US, according to a report by datagrail.io, 2021 saw a dramatic increase in the volume of 'Deletion and Do not Sell' DSRs under the CCPA, where one of the principal rights is to opt out of third-party data sales. Consumer awareness of what data-crunching giants such as Facebook and Google are doing with their data may well be behind this surge in requests. So why, then, do employees still seem to be in the dark?
Perhaps it is the huge financial cost of having to respond. The right of access under the GDPR, for example, can, according to grcworldforums.com, cost UK businesses an average of £1.59 million or 14 person-years annually to process, where so much of the activity is still being carried out by manually trawling through tens of thousands of records.
Our surveyed employees also remarked that training given on the topic of data subject rights was very ‘generic and superficial’, and provided no insight into how they would know if they had received a rights request and what to do with it, let alone the time sensitivity of completion and consequences should it not be fulfilled.
It may be that, as a DPO, CPO, or CDO, you are creaking under the weight of organisational and data protection priorities, and the need for more automation in your processes (and resources generally). But to truly fulfil your organisation's promise of transparency and trust around data, and achieve the privacy culture, behaviour, and compliance you desire, you need to educate and train your employees on how to recognise and respond to a data subject rights request, even if it leads to one of their own.
Don't wait for a rights or privacy compliance violation. Measure your privacy culture today, and start to change and embed a culture of privacy in your organisation by getting in touch.