GDPR tool for helping consumers exposes hurdles as well

The GDPR doesn’t mandate how data requests should be made, but it does say that organizations handling personal data should be prepared to handle the requests. One would be right to wonder whether companies are as prepared as they should be.

Perhaps unsurprisingly, large retail banks such as Barclays, Halifax, Lloyds and NatWest all have dedicated websites that make such requests easier for both the user and the bank. HSBC, however, is an exception: despite being the bank with the largest market capitalisation, the user is to send a letter to a PO Box with their request.

It's a jarring exception to the banks listed in an online tool made by The Open Rights Group, a U.K.-based digital advocacy organisation, to help people find out how their data is being used by 30 large fintech companies. For those companies that offer digital means of contact, The Open Rights Group's tool helpfully provides users with ready-made email draft.

For those who care about their privacy the tool is obviously good news, as it helps them exercise the various rights granted to them under the recently implemented GDPR, such as the right to access, change or delete data that companies hold over them.

Asked for a comment, an HSBC spokesperson said the company takes the protection of the data they are entrusted with very seriously and added: "We are committed to meeting our obligations under GDPR with regard to customers accessing their data. We offer customers a variety of ways to contact us including via branch, contact centres, digital channels or by contacting our Data Protection Officer to access their information.”

Indeed, the bank does have a privacy notice on its website. But this, rather crucially, lacks instructions on how to make requests. This seems a big miss and the bank would do well to look at how its competitors are dealing with the GDPR.