Through participatory research we examine the human experience of making a GDPR data access request, uncovering a painful, ineffective process that harms trust and fails to satisfy users’ goals.
We present a 10-participant study, where each participant filed 4-5 data access requests and scrutinised the process and responses through a series of interviews.
To address participants’ inadequate experiences, we provide recommendations for policymakers, service providers and individuals on improving data handling & GDPR handling practices.
In today’s data-centric world, most services rely on collecting and using personal data. The EU’s General Data Protection Regulation (GDPR) aims to enhance individuals’ control over their data, but its practical impact is not well understood. We present a 10-participant study, where each participant filed 4-5 data access requests. Through interviews and discussions scrutinising returned data, we found that GDPR falls short of its goals due to non-compliance and low-quality responses.
Participants’ hopes to understand providers’ data practices or harness their
own data were largely unmet. This causes increased distrust without any subjective improvement in power, although more transparent providers do earn greater trust.
We propose designing more effective, data-inclusive and open policies and data access systems to improve both customer relations and individual agency, and also that wider public use of GDPR rights could help with delivering accountability and motivating providers to improve data practices.
Shortcomings in GDPR handling
Through our qualitative investigation of attitudes to data-centric services before, during and after conducting data access requests, we identify shortcomings in providers’ GDPR approaches resulting in unsatisfactory experiences for individuals.
When encouraged to consider providers’ own promises in privacy policies, individual legal rights, and their own hopes, participants determined that their rights had not been fully satisfied, data contained gaps, their goals were largely unmet, and they were generally still ‘in the dark’.
We found that providers can seriously damage brand loyalty and trust if comprehensive and well-explained data is not returned in a supportive and open manner. We highlight serious problems with compliance. Participants received data that was incomplete, impractical for use, and they were not given desired explanations. The GDPR does not succeed in its own aim to enhance individuals’ rights and control.
Participants continued to feel a lack of agency and choice, were largely unable to pursue goals such as data checking, correction or deletion, and their perceived sense of power within the provider relationship was largely unchanged by the experience. The GDPR did not allow these individuals to adequately pursue their own goals related to accountability, self-reflection or creative data exploration. Individuals cannot acquire power over their data through the design of better interfaces alone; this requires redesigned policies and business strategies that take into account the scattered, multi-party sociotechnical context of held data.
Recommendations to improve individuals’ access to data
From a policy design standpoint, action must be taken to improve both compliance and quality of GDPR responses, as organisations are routinely failing to return all the data they hold. But a policy based around the one-time delivery of files is inadequate, policy compliance should be measured in terms of delivering users and an ongoing understanding rather than simply providing a bundle of files and considering the matter resolved. Better still would be to provide individuals an ongoing two-way window into their data so that they remain involved and can correct mistakes.
The risk of reputational damage we uncovered should motivate service providers to engage meaningfully with data access requests; such risk could be averted by redesigning both interfaces and processes by seeing data access experiences as an opportunity to build trust and loyalty, perhaps even through establishing progressive co-operative data stewardship relationships. While the GDPR experience is often disappointing and frustrating, it can provide insights that help individuals to challenge their assumptions, re-evaluate choices, and in some rare cases, feel empowered to act upon their data.
Wider assertion of GDPR rights could demonstrate a desire for data holders to be transparent and motivate new forms of data access and involvement. Without visible demand, little may change. Our study provides a model for educating individuals about the power of data and conducting future investigations into which data interface mechanisms are most empowering to users and which specific privacy dashboards, explanations or offerings can harm or improve trust.