Public Understanding of GDPR

Over the last couple of years, we’ve seen a lot of attention given to data protection. For the most part, the debate has focussed on helping businesses with legal compliance.

But data protection is more than a compliance hoop for organisations to jump through. It is also about the rights it gives to individuals to know about, understand, and control information about them.

Today, we are publishing our research in a new report, Public Understanding of GDPR: How companies, regulators, and civil society can support data protection rights.

We look at:

  • the ways members of the general public think about GDPR and their data protection rights;
  • how regulators, civil society organisations and others who support data protection rights can best communicate to make data protection relevant to the general public;
  • what organisations should do to communicate better with individuals about data protection and their rights.

The report draws on several rounds of interviews, user research, and website usability testing. It is also informed by our experience of building Data Rights Finder, a website created with Projects By IF that makes the content of privacy policies easier to understand and helps people exercise their data protection rights.

The report is available to read in full on our website, and as a PDF.

We are grateful to the Information Commissioner’s Office (ICO) for funding this research through their Research Grants Programme.

Below is a summary of the findings in this project. 

Do people understand their rights around data protection?

Our research indicated that:

  1. The British public’s awareness of their data protection rights is low. People are surprised when they learn what rights they have.
  2. Awareness of consent as a basis for collecting and processing personal data is relatively high, but understanding of what consent actually means is low. The other lawful bases for processing set out in GDPR are not well known.
  3. People do not think about their lives in terms of the rights they have. They do not start from their data protection rights and then look for problems those rights could solve. Instead, they realise they have a problem they want to deal with and then look for ways of dealing with it.

Making data protection relevant to people

Considering the way people understand data protection, these are some points to consider for regulators, civil society organisations and others when communicating in support of data protection rights:

  1. Provide information and context for data protection rights. Expect members of the public to need concrete examples of situations in which a data protection right is useful or vital for solving a problem or improving their life in some way.
  2. Offer services or tools that are problem-focussed rather than rights-focussed. Services or tools that help people use their data protection rights will resonate with more people if it is clear which specific problems the service helps with.
  3. Make time for user-centred research to understand how your target audiences think about data protection and about the problems in their lives. This will help you show how data protection rights can be useful to them. Test your messages and products with real people from those audiences.

How organisations can communicate well about data protection rights

From our experience of analysing organisations’ privacy policies to create Data Rights Finder, and talking to people about data protection issues, we have these recommendations for how organisations can communicate better about data protection to individuals:

  1. Provide an electronic means, such as an email address or contact form, for individuals to reach your data protection officer and exercise their rights. We found several well-known companies that offered only a postal address as the route for using a data protection right.
  2. Explain how data protection rights interact with the particular activities or business your organisation carries out. Help individuals understand what their rights are, how those rights are relevant to their relationship with your organisation, and how and why they would use them.
  3. Use plain English to describe how you use data. Tell people clearly what data you collect and what you will use it for. Test how easy it is to find, read, and comprehend the information you provide about how you use data.
  4. As far as possible, take a granular rather than a bundled approach to gaining consent to collect and process personal data. It is not always reasonable to expect people to consent to everything in your privacy policy at the very beginning of their relationship with you. Just-in-time information and consent, presented at the point where a particular use of data becomes relevant, is one way to address this.
  5. Link each kind of data you say you collect to the purpose you will use it for. Make it clear which data is used for which purpose.
  6. Consider alternatives to the name ‘privacy policy’. Research in the United States consistently finds that people misunderstand what a ‘privacy policy’ is. A phrase such as “How we use data” may be a better alternative.
  7. Contribute to and run trials of machine-readable standards for describing how you use data. Organisations currently present this information in inconsistent and unstructured ways, which makes it difficult to scrutinise and compare how they use data. Organisations should collaborate on, and test, machine-readable standards for communicating how they use data.