Comment: Inability to access customer data should raise GDPR concerns

I was recently speaking to a business colleague who regaled a story about someone he knew using a hosted travel reservation system who was struggling to get access to download their customer data.

They needed access to their customer data for many reasons but primarily so they could use it for personalised marketing.

Clearly the solution provided in this case, was focused on what they do which was a booking reservation selling system.

They system provider had not prioritised giving access to download customer data and the needs of the customer using their system and that their customer might need to be able to interface to and from other systems in their business.

The client company had experience of connecting systems using API’s but the Reservation System provider was not an API first company and building API’s to and from their customer data wasn’t a priority on their product roadmap.

The system provider's customer had requested if they could develop an integration so that they could access their data but the cost and timeline quoted made this prohibitive.

This is a real issue especially when it comes to GDPR.  It needs to be easy to push and pull data from and to your booking platform (or other systems).

If it’s not then your ability to comply with GDPR and give your customers a copy of the data you store about them on request and in a machine readable form, could be at risk.

I’m not going to get into GDPR and “controller” and “processor” responsibilities but both parties could be at risk here.

In this example the system provider is the “processor” and the company using the system is the “controller”.

So, what should our company do in this situation?  They certainly need to review their systems and make sure their processing suppliers are GDPR compliant.

I would ask for evidence (ie a demo) of how their customer data can be easily accessed and downloaded so that they can service any customer data request to do so.

In doing this you will soon find out if your system supplier has a mechanism to easily access your data for whatever reason you have to do so.  Maybe it’s time to rethink your solutions provider strategy?

If you are concerned about your customer data and still in the dark about what measures you should take to secure it then the ico.org.uk might be a good place to start.