View article

In both data protection law and research of usable privacy, awareness and control over the collection and use of personal data are understood to be cornerstones of digital sovereignty. For example, the European General Data Protection Regulation (GDPR) provides data subjects with the right to access data collected by organisations but remains unclear on the concrete process design. However, the design of data subject rights is crucial when it comes to the ability of customers to exercise their right and fulfil regulatory aims such as transparency. To learn more about user needs in implementing the right to access as per GDPR, we conducted a two-step study. First, we defined a five-phase user experience journey regarding the right to access: finding, authentication, request, access and data use. Second, and based on this model, 59 participants exercised their right to access and evaluated the usability of each …