Came across this super interesting article on the BBC about a researcher who decided to exercise their rights as a data subject. The exercise included 20 companies.
The article starts by drawing a picture of the sort of data which can be collected on us while we live in passive ignorance… my words, not hers 😉
My experience is on both sides of the wall, and I say ‘wall’ because, despite the good intentions of the GDPR, it seems that in general organisations are NOT making it easy for you and me as private persons to exercise our rights.
There are 4 types of data subjects exercising their rights, at least those I’ve had exposure to: 1) angry/upset/worried individuals, I call them “Mr Angry from Radio 1”; 2) employees or ex-employees; 3) applicants for jobs who have been refused; 4) interested individuals doing research, such as the one represented in this article. As yet, I have not received requests from individuals who are purely exercising their rights, and are happy before starting the process.
There are 2 approaches by organisations: 1) organisations which see GDPR and the potential of additional interaction with their ecosystem, i.e. customers, etc., in a similar context to ‘social responsibility’ and are building it into their branding message; and, at the other extreme, 2) organisations which do the minimum required, and even make it difficult for the private person to exercise their rights.
In the process there are 2 parts when it comes to the request itself: 1) the interaction between the data subject (requester) and the DPO, or the SARs specialist, and 2) interactions with the internal organisation required in order to respond… which is, in these baby GDPR days, complex.
So what’s my conclusion? We have a long way to go in reaching the GDPR Nirvana for the data subject exercising their rights IMHO 😉