Finding my data rights

Toni Sekinah, research analyst and features editor, DataIQ

I’ve put it off for long enough, but I’ve got to bite the bullet. It’s time to look at the privacy notices of some of the organisations that I bank with. I have a few accounts on life support that I need to close and it would be good to know how to request the deletion of my data from the annals of those financial institutions. Not that I have anything to hide, but generally I feel that the less of my information floating around in the ether, the better.

Data Rights Finder was launched in June 2018 and was created through a collaboration between Open Rights Group and Projects by IF. In September I interviewed Ed Johnson-Williams, policy and research officer at Open Rights Group, who told me that the project is still at an early stage and they are looking for feedback on usability.

I am happy to oblige. I decided to look at the ease with which I could find information about how my data is used on each company’s privacy policy page and compare it with the setup and layout on Data Rights Finder.

The Data Rights Finder website, as previously mentioned, is arranged with a set of drop-down menus for each financial institution or insurance company.

My first impression was of a main page showing a list of the companies - clicking on a name leads to a set of categories with drop-down menus. These tabs set out information such as under which lawful basis the organisation justifies its collection and use of customer data, the retention rules, the data categories collected as well as whether a data protection officer is in place, among other topics.

A challenger bank should be open and make data easy to access.

At second glance, I noticed that Data Rights Finder uses a sans serif font throughout, except for the template text. I find this font more approachable and less formal, which I think is a good thing when detailing information in language that could easily become very terse.

The first comparison I made was of a challenger bank. I had a feeling that this organisation would be quite open and information quite easy to access. I thought this because it is very much a new kid on the block type of financial organisation, having been founded in 2015. It consults customers when making changes to some of its ways of working and has a blog and so seems to be imbued with the spirit of transparency.

The bank laid out the information in a very clear way, similar to the Data Rights Finder layout; however, the latter has helpful templates of what to say when requesting personal data be corrected or deleted. So the website and the Data Rights Finder were almost as good as each other in this instance.

It is a different story with a vastly different financial institution that has been in operation for over 250 years. To its credit, the traditional bank also uses a sans serif font, making its policies easier on the eye.

The bank sets out its privacy notices on its website as a series of boxes and grids, with the columns of what it uses my personal information for, alongside its reasons and its legitimate interests in rows. It starts off looking pretty straightforward, but as I scroll down and see it is broken up into different use cases such as "serving you as a customer" and "business improvement", it becomes harder to absorb the information.

So in this case, Data Rights Finder proved to be more useful than the policy on the actual financial institution’s site, and beat it by a long shot in terms of user experience as the information is broken up into smaller chunks. But the language is the same as it is pulled straight from the source.

The legacy organisation did exceed my expectations with the readability of its policy; however, it still could have been better. I think it would be good if all organisations checked the accessibility of their privacy notices with frontline staff or even some customers if they agreed to be part of a focus group.

If these people clearly understood the meaning of the privacy policy then the organisation would have complied with its GDPR obligation in spirit and in deed.
