Data Request Practice

The brief GDPR introduction, which only covers a subset of the GDPR, means that companies must adjust many of their processes to become compliant. Yet, despite four years gone by since the passing of the GDPR, many organisations still lack rigorous processes for dealing with personal information and subject data rights. This applies more so for the data rights that subjects enjoy.

In a litmus test for data access requests conducted in 2020, 59 organisations received requests for data access. At the 30 day mark, little over half of surveyed organisations had succeeded in responding to the data request. Even after 90 days, 20% of data requests remained unresolved, despite repeated attempts at progress.

Looking at individual requests reveals a picture of organisations figuring out processes as they go. Some gathered information over insecure channels such as email, while other performed little validation of user identity. The poor security of data request practices are corroborated by a wide gamut of researchers, eg. Martino et al. (2019), Pérez-Solà et al. (2019) and Boniface et al. (2019).

Meanwhile, large tech companies have the legal and engineering resources available to construct infrastructure that is capable of servicing data requests at scale. Yet, all solutions available (by e.g. Google, Apple, Facebook, Twitter, Spotify) are custom-made and homebrew. This makes it hard for other organisations to follow suit, while citizens face multiple interfaces and paradigms for achieving the same basic task.