Generating Practices: Investigations into the Double Embedding of GDPR and Data Access Policies

Abstract

The right of access, found in the EU's GDPR and similar data protection regulations around the world, requires corporations and other organizations to give people access to the data they hold about them. Such regulations create obligations for data controllers but leave flexibility on how to achieve them, resulting in variation in how Data Subject Access Requests (DSARs) are implemented by different corporations. To understand the various practices emerging around DSARs and how requesting data influences the way people think of data protection laws, we asked participants in India, the UK and USA to make 38 DSARs from 11 different companies. Using the metaphor of the policy-design-practice "knot" ~\citejacksonPolicyKnotReintegrating2014, we examine DSARs as a case of the co-constitutive links between policy, design, and practice. We find that the DSAR process was not linear and participants employed many work-arounds. The challenges they encountered in the overall DSAR process negatively affected their perceptions of data protection policies. Our study suggests that researchers have to be flexible in adapting research methodology to understanding emerging practices, and that there is a need for more collaborative experimentation with DSARs before standardizing the process.