Do you know what happens to your personal information? | KPMG | NL

Data Privacy: Do you know what happens to your personal information?

Everyone is legally entitled to have insight into what happens to the personal information they provide to organizations. But in practice, gaining this insight can be easier said than done. Jessica Liu, Cyber Security & Privacy Specialist at KPMG, did some research.



Almost every day, we provide organizations with information on our way of life, in exchange for discounts or in order to get some extra convenience. We give away information on our shopping behavior for personal offers. While shopping in certain shopping centers, we share our location data for more offers from shops nearby. When we park our cars, we use parking applications and share information on what places we often visit. While surfing the Internet, we accept cookies allowing websites to follow our surfing habits in exchange for an optimal website experience.

It has been made very easy and attractive for us to share our personal data – sometimes it seems like the most normal thing in the world. Consider supermarket loyalty cards for discounts or saving up points, or parking apps which make it possible to pay your parking fee instantly on your smartphone. Even though it’s almost a daily occurrence that we share some kind of personal information, it is important to be and remain aware of what you reveal about your personal life, and what is done with that information. But how can you, as a regular citizen, be aware? It starts with knowing which organizations have information about you, and with considering whether you are willing to trade your information for discounts or convenience.

To find out what organizations have on you, make use of your legal right of inspection. According to the Dutch Personal Data Protection Act, you can submit an inspection request without having to state a reason. Plus, you can ask for detailed answers; organizations must provide you with information on what personal data of yours they have and use, how they got that data, what that data encompasses, whether they provide the data to external parties (and if so, which parties), etc. Subsequently, if that data is incorrect or incomplete, you have the right to have your personal information adjusted or completed. Additionally, you have the right to have your personal information removed in case the data is factually incorrect, incomplete, irrelevant, or used in violation of the law.

This all sounds beautiful on paper, right? Which is why I decided to test this process. The results are nowhere near beautiful.

In order to explore whether organizations would actually honor my right to inspect my personal data, I submitted the same inspection request to 11 organizations whose services I often use, or with which I have a subscription. Organizations are legally required to respond to your request within 4 weeks, whether it is in writing or by email.

Results after 7 weeks: only 6 organizations have acted upon my request. The quality of the responses from these 6 organizations was quite different, ranging from personal letters with detailed explanations on the use of data, to short and simple letters, sometimes even with grammatical errors. The prize for least appropriate response goes to a supermarket chain; they sent out an extremely simple blank sheet of paper with just a few sentences – no company logo, and not even signed. Of course, this is still better than not responding at all.

Also conspicuous is the fact that only two of the six organizations decided to do an identity check before honoring my request. Checking one's identity is not mandatory, but definitely not unnecessary in the handling of personal information.

The result of this sample is thus not encouraging. Therefore it is wise to be aware of what personal information you share. Always consider whether it is worth it to share or trade certain information, and keep in mind the impact of doing so.

And from a sound business perspective: Make sure that your organization is prepared for all kinds of privacy-related questions. Document all processing of personal data and have processes in place that handle privacy requests.

Jessica Liu
Security & Privacy Consultant at KPMG Cyber
+316 1372 6512
