Do consumers know their GDPR data privacy rights?
In addition to data protection, the EU’s General Data Protection Regulation (GDPR) requires businesses to ensure consumers can exercise their data privacy rights. But first, individuals must know these rights.
In our 2019 GDPR Small Business Survey, we asked European small business leaders how well they understood their obligations under the GDPR. The results were mixed. While many businesses invested heavily in complying with the GDPR, others seemed not to care. Around half reported not being GDPR compliant on two major aspects of the law.
The survey was a comprehensive look at whether organizations understood how to comply with the GDPR. And it made us wonder about the other side of the GDPR, the people it is intended to benefit: consumers.
The objective of the GDPR was to give individuals more control over their personal data, and it goes about doing this by requiring data protection (ensuring businesses keep data secure) and data privacy (ensuring people can exercise their right to privacy). If companies work hard to be GDPR compliant for the benefit of their current and potential customers, do the consumers know enough about the GDPR to recognize those compliance efforts? How well do they know their GDPR data privacy rights?
GDPR data privacy rights
The GDPR covers consumers’ data privacy rights in Chapter 3. We’ve summarized all of the GDPR data privacy requirements for businesses in a previous article, but they generally deal with these main areas:
- Transparency about how data is being used
- Access to personal information if the owner asks for it
- The ability to request that data be deleted or corrected for accuracy
- The right to object to data processing and restrict processing
- The right to have their data provided in a standard format that can be transferred elsewhere
Do consumers know their GDPR rights?
We decided to conduct a non-scientific poll on Twitter. The polling is by no means rigorous, and the sample size is quite small. So take this with a grain of salt. However, the individuals that responded performed no better than the companies we polled. Some people seem to clearly understand their GDPR data privacy rights, while others… not so much. If anything, it seems likely the poll results are skewed by the fact that our followers (and those of our parent company, ProtonMail, which retweeted the poll) tend to be interested in privacy. Check out the results below.
The responses to question 1 reflect a misunderstanding of the right to erasure. Companies are not always required to delete personal data just because someone makes a request. There are several exemptions, such as when data is used to exercise the right to free expression.
Most people got this one correct. The various data privacy rights are listed here.
Most users were also correct here. Information is only considered as protected personal data if it can be used to identify someone.
The crowd was wrong here. Article 8 defines the age at which a person can legally consent to data processing at 16. Countries can set more lenient standards, but it can’t be below 13 years old.
Most people got this one right. All of these are good ways to hold organizations accountable for GDPR compliance.
So it appears that even one year after the GDPR came into force, many consumers and business leaders still do not understand the law. Indeed, the lack of understanding and awareness among consumers may be part of the reason more small businesses don’t prioritize GDPR compliance. We believe data privacy and security are important values and crucial to building a better Internet.