On 26 May 2018 I sent two dozen requests to various companies to access my data and asked questions on algorithmic treatments, third-party data, …
More than 2 months after this first mailshot it’s time to draw the first conclusions. I must say I’m positively surprised by the quality of the answers I got from most companies. Yet it appeared obvious that some companies don’t want to answer your questions and don’t (really) care about you.
Conclusion first: have I discovered something amazing?
I must say I haven’t been surprised much by what I got. I was actually pretty disappointed by the results.
The companies which know the most about me (the Facebook, Spotify and Pinterest of this world) didn’t answer my questions and just provided a copy of my raw data. There was nothing fancy, nothing unusual in it. I know what I do only so the data was no surprise to me. I’m sure however that how the data is handled and treated would have been much more interesting but unfortunately I got no glimpse of what’s going on there.
My questions got answered only by local companies. Those which answered could only retrieve structured data from their systems and all unstructured data (documents, conversations, email) containing the major part of my personal data couldn’t be retrieved. Only 2 companies (out of 20) scored perfectly (answered my questions and provided a full record of my data). Only 3 companies (a private health insurance company, a major bank and a car insurance company) didn’t reply within the 30-day timeframe.
Here are the results in some more detail. For confidentiality reasons I’m not giving the names of the companies involved except for social media companies.
Tier 1 : companies that don’t care or do everything to avoid answering
Out of the 20 letters I sent, only 3 haven’t received an answer yet.
The first company (my private health insurance) was very keen on sending me a paper to sign to accept all data treatments, but not so keen on answering my questions.
The second company (a bank) required that I make an appointment in a branch to identify myself before they could answer any of my questions. This identification method is a great deterrent and a barrier ensuring you’ll actually have very few requests to handle.
The third company is my car insurance.
Tier 2 : companies that care as long as you don’t ask questions
All internet giants (Twitter, Facebook, Pinterest) to which I’ve sent my requests responded back quickly with a copy of my data. But all questions I had asked remained unanswered. My feeling is that there is no real way to force them to answer. They don’t care and want to reduce the costs related to GDPR as much as possible by automating the process as much as possible (which means that the best you can get is a copy of your data but not answers to questions you may have).
Also in this category is a data broker that, despite a thorough answer to my questions, told me its processing of my data was based on its legitimate interest and that it couldn’t be held responsible for (possibly) acquiring and processing my data without my consent. Too many firms have sought refuge in the “legitimate interest” exception and it’s time that a DPA with guts rules on this.
Tier 3 : nice answers but incomplete data
In this category fall all companies that have provided answers to my questions but an incomplete set of my data. This is surprising.
A bank for instance, despite repeated contacts in the past and myriad documents sent to get a mortgage proposal, couldn’t find more than my date of birth in its records. I’m sure those documents are somewhere, recorded as unstructured data, which would explain why they find so little.
Tier 4 : all right ! well done !
In this category fall only 2 companies : a mortgage broker and a mailing company. Both provided thorough information on what they do with the data, where it came from and what it is. The mortgage broker in particular (which is the only one to have sent its answer by registered mail) was keen on providing a full record of all the information it had on me. It was well documented and all questions got answered.