Customers could demand details of personal information held on them following GDPR changes

Millions of customers may submit Subject Access Requests (SAR) to utility companies to find out what personal information businesses hold when new data protection laws come into effect in May 2018.

According to research conducted by Exonar, 70 per cent of Brits are in the dark over privacy changes.

However, once the General Data Protection Regulation (GDPR) process was explained to them, 57 per cent said they would consider raising a SAR.

The research looked at which sectors are likely to be hit the hardest and found financial services topped the charts with a third of people saying they would submit a SAR to their bank and 16% to their credit card provider.

Around 8 per cent said they would raise a SAR with a utility firm, while other targets for SARs included mobile network providers (11 per cent), social media companies (16.4 per cent), insurance companies (8 per cent), loan companies (5 per cent), and retailers (5 per cent).

A further 9 per cent said they would raise a SAR on a current employer and 4 per cent on an ex-employer.

Exonar said its research found people are worried about how their data is currently managed with 27 per cent concerned their data could be sold and another 27 per cent worried about hacking.

Julie Evans, chief operating officer at Exonar, told Utility Week: “For the utilities industry, customer data has always been significant not least because of sheer volume. However, the legal basis for holding data has always been clear as it is required to provide and take payment for the service. For this data, the key will be to enforce strict retention policies to minimise processing and risk.

“But it is likely that as the sector has become more competitive, data is becoming more critical in maintaining strong customer retention and acquisition programmes. It is the processing of data for these purposes that will require a separate clear and documented basis for processing, such as an individual opt-in which must be recorded.”

She added: “As smart meters are more widely adopted the data that the providers are holding will become more valuable as it would enable the suppliers and therefore any potential hacker to start to understand patterns of behaviour within a household.

“It is likely that the behavioural and retention information that is used for profiling is the information that will be shared across the organisation for genuine business purposes and will therefore require a platform such as Exonar to locate, govern and remediate to minimise ROT (redundant, obsolete and trivial).”

She said businesses need to make the most of the time they have before the Information Commissioner’s Office (ICO) starts its consumer publicity campaigns. 

What to read next