At Col8® we speak to many organisations and often early in our conversations comes the following statement:
"Why would I give video footage to a member of the public?"
The answer to that is if you hold video of a person (CCTV, body worn etc) this is classed as personal information and under GDPR an individual now has a right to that data from any organisation - whilst there are exceptions essentially it is black and white, it is the law.
The mechanism they will be using, whether they use this wording or not is through a Subject Access Request (SAR) whether for Data (sometimes referred to as DSAR) or Video (VSAR). So what happens if someone within your organisation, staff, call centre or contractor refuses to do the request because they didn't know about this law?
Simple - you are in breach of GDPR.
The higher maximum amount, is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The majority of the cost in responding to a Subject Access Request is time and effort on the part of your staff.
With our propriety compliance solution Data Transparency™ we have a unique perspective of the effort breakdown in responding to request for video. We have pulled this data together and can reveal an indicative breakdown of the effort to respond to a request where the organisation had a process / policy in place and there was video present.
One of the most difficult questions when it comes to tasks which, like a Subject Access Request are ad hoc and unpredictable is what is the cost?
You may think that it is pretty easy, in fact let's for the sake of argument put some numbers next to the effort break down and see what the cost comes out as...
The diagram above looks pretty logical, hours spent on a task multiplied by the cost per hour - so why is that NOT the real cost to your business?
Let's pose some questions before we answer that:
- Do you have a very well defined process for responding to requests for each member of staff in the chain?
- With potentially weeks or months between requests will those members of staff be able to remember exactly what to do in the most efficient manner?
- What is the cost of your staff not doing the job you pay them to do?
- Have you taken in to account "hand off" time between the members of staff in the process (emails, phone calls etc)?
- How much do the systems you use to handle the process cost to run?
- Have you built in enough operational slack in your staffs roles to accommodate ad hoc tasks?
- What is the actual cost of your staff beyond just hourly pay (holiday, sick pay, benefits, pension, heat, light, computer, coffee / tea, water, NIC, PAYE, bonuses, training etc)?
- When there is a risk of a GDPR breach for failure to comply with the process properly will you be bringing in a manager to oversee the request?
A pretty daunting list of questions right?! It is, and that is why the answer is less than straight forward.
Shall we do those numbers again and take in to account an estimate for some of the questions above?
Talend, a global leader in cloud data integration and data integrity recently published a report showing the low rates of compliance to the Subject Access Request process, in fact 70% of companies surveyed failed to provide data in the allotted time.
In the report it also pulled together research that also estimated the true cost of complying to a request (referred to as a Subject Right Requests - SRR) at $1,400 USD which matches quite well with our original research in the area.
One of the interesting things in this cost estimate is that is doesn't take in to account the up front cost of activities like training, process and policy development, Data Protection Impact Assessments etc.
This is probably a contributing factor to the low rates of compliance:
When you get a request it is too late to start planning - it has to be done BEFORE you get one.
"Companies spend, on average, more than $1,400 to answer a single SRR."
At Col8® our objective is to make businesses more efficient, save money, get more value from video data but most importantly stay safe and compliant - that is why we designed Data Transparency™ as either a stand alone or plug in module to allow you to handle requests easily.
Take a look at the product page where we go in to detail about how this product can dramatically cut the cost and uncertainty of the request process.
We have gone many steps further than this just being a simple to use integrated tool, we even help with your impact assessments during deployment, we help with training, we even embed the process in to the tool so your staff get told exactly what to do at each step without having to remember or refer to a guide!
Get in touch today - https://www.col8.net/contact