Data protection law is designed to help organisations to securely manage and safeguard personal data. The introduction of this legislation can also result in organisations having to change certain business processes and incur compliance or monitoring costs. This section explores interactions between organisations and data protection law and the ICO. It provides insights into organisations’ nuanced view of regulation as both an enabler and constraint in different circumstances.
Awareness of data protection law and the ICO
Familiarity with data protection law
The majority of organisations reported feeling very (16%) or fairly (48%) familiar with data protection law. 24% of organisations reported not being very familiar and 12% reported not being at all familiar with data protection law.
Familiarity increased with organisation size, with 40% and 53% of large organisations (with 250+ employees) reporting they were very or fairly familiar with data protection law respectively.
Public sector organisations were also more likely to report familiarity with data protection law, with 77% reporting they were fairly or very familiar.
Awareness of the role of the ICO
59% of organisations reported being aware of the ICO and its work before completing the survey. Larger organisations were more likely to report awareness of the ICO in comparison to smaller organisations (84% of large organisations with more than 250 employees in comparison to 55% of sole traders that were aware of the ICO).
Table 3: Proportion of respondents reporting awareness of the ICO, by organisation size
Survey questions: B1. Approximately how many people does your organisation employ? F1: To what extent would you agree with the following statements? "Before completing this survey, I was aware of the ICO and its work."
Awareness of the ICO | Total | Sole traders | Micro | Small | Medium | Large |
Yes | 59% | 55% | 69% | 81% | 92% | 84% |
Awareness of the ICO was also more pronounced for organisations that reported processing higher volumes of personal data. For example, 49% of organisations that processed personal data for less than 100 data subjects reported being aware of the ICO. In comparison, 94% of organisations that processed personal data for more than 100,000 data subjects reported being aware of the ICO prior to the survey.
Amongst organisations that were aware of the ICO, the views around the ICO’s support were largely positive. 72% of organisations aware of the ICO prior to completing the survey agreed that the ICO resources provide clarity about what the law requires and 49% agreed that the ICO understands the issues that their organisations face. 49% of organisations that were aware of the ICO agreed that the ICO understands and anticipates developments in the markets it regulates and 31% agreed that the work of the ICO reduces compliance costs.
Table 4: Proportion of data controllers in agreement with statements about the ICO
Survey questions: F2: To what extent do you agree with the following statements? “Agreement” is the combination of responses “strongly agree” or “agree”.
Statement | Proportion of respondents in agreement |
The ICO resources provide clarity about what the law requires | 72% |
The ICO understands the issues you face | 49% |
The ICO understands and anticipates developments in the markets it regulates | 49% |
The work of the ICO, for example the Business Advice Service and Certification Schemes, reduces your compliance costs | 31% |
The findings also highlight that the ICO’s support and advice services provide a valuable resource to many organisations. 58% of organisations that were aware of the ICO reported using ICO materials or services to comply with data protection regulations in the last 12 months. The most common materials and resources used ICO guidance to improve understanding with UK GDPR, PECR, FOIA, EIR, and NIS (33%) and to improve understanding of compliance activities such as ROPA, DPIA (20%).
These proportions are lower when filtering for only sole traders, where 51% of the organisations aware of the ICO reported not using any of the ICO materials or services.
Whilst it is good to see that organisations that are aware of the ICO use one or more of the resources provided, the survey findings suggest that smaller organisations in particular do not make full use of the variety of events and advice and services that are available.
Data protection law as an enabler
Positive impacts of data protection legislation
The survey results provide insights into how data protection law can act as an enabler for organisations. 32% of respondents agreed that data protection laws have been an enabler that has positively influenced the undertaking of core activities within the organisation in the last 12 months. 35% of respondents provided a neutral response (reporting “neither agree nor disagree”) and 26% of organisations disagreed that data protection law had been an enabler.
These results vary by an organisation’s characteristics. For example, 87% of medium and large organisations (those with more than 50 employees) agreed that data protection laws had been an enabler for their core activities. Public sector organisations and non-profit or charity organisations were also more likely to report that data protection laws have been an enabler, with 68% and 54% agreeing respectively.
The survey also looked to identify the manners in which data protection law could provide positive influences for organisations’ core activities. Compliance with data protection law helps safeguard personal data, reducing the likelihood of harms owing to data breaches. About a third of respondents agreed that data protection law has revealed data security and compliance gaps that they are addressing (33%). This in turn highlights the broader positive impact that data protection law has had on keeping personal data more secure.
Data protection law is designed to provide guidance around personal data collection, processing and storing practices to ensure upkeep of personal data rights. This is supported by findings in the survey, where 45% of organisations reported that data protection law can provide clarity on the types of innovation or technology that are compliant with personal data protection and 33% of organisations reported that data protection law has helped identify new processes to assist with innovating responsibly.
In addition, respondents provided insights into how regulation can impact innovation and efficiency. 30% of organisations agreed that data protection law has helped identify, use and store personal data more efficiently and at a lower cost and 26% of organisations agreed that data protection law has helped identify new uses of personal data to improve or expand existing products or services.
Data controllers in action: data protection law as a motivator for change
Views from a vehicle leasing brokerage firm
The organisation collects client personal data, including date of birth, address and medical conditions to provide their vehicle leasing service.
For their organisation, new data protection laws acted as motivation to implement new data protection compliance activities that they were planning to introduce sooner, rather than later. As a result, improved controls, including password-protected security backups and e-signature services, were implemented more quickly, with positive effects.
“We have always been used to dealing with personal data and how important it is to protect people,” the interviewee noted, “[data protection regulation] probably forced us to make changes earlier than we would have done.”
Data protection law as a constraint
Challenges of processing personal data
Processing personal data introduces a broad range of challenges for organisations.
One of the key challenges faced by data controllers is ensuring the integrity and safety of personal data. Organisations reported ensuring personal data is not retrievable or usable by people outside of the organisation (52%), cyber security concerns (49%) and unauthorised access (41%) as some of the most notable challenges in processing personal data.
Data controllers also highlighted challenges around ensuring the accuracy of personal data being collected and processed in line with the UK GDPR principles. 49% of respondents reported challenges in ensuring personal data is not out of date and 48% of respondents reported challenges in ensuring personal data is accurate.
Finally, data controllers also highlighted challenges around understanding regulatory requirements. More than a third of respondents reported a lack of expertise in understanding the legal requirements of data processing (38%) and a lack of clarity about regulatory requirements (35%) as key challenges. An additional 33% of respondents reported lack of expertise in processing personal data whilst considering external risks. These findings may, in-part, indicate knowledge gaps and highlight the potential for additional training and support opportunities for organisations.
Constraining factors of data protection law
Overall, whilst 73% of organisations reported that data protection law had placed little to no constraints on their core activities, 24% of organisations reported that data protection had placed constraints to at least some extent.
This effect was more pronounced for medium and large organisations, with 86% and 71% respectively reporting that data protection laws had placed constraints on their core activities to at least some extent. This could, in part, relate to the increased volume of personal data that medium and large organisations process. 71% of organisations processing personal data for more than 10 million data subjects reported that data protection law had at least to some extent placed constraints on their core business activities in the last 12 months.
Organisations that reported constraints to their core activities reported high compliance costs as the most common constraint (44%). Uncertainty is also cited as a cause of constraint to organisation’s core activities, with 42% of respondents reporting a lack of clarity about data protection law requirements and 40% citing uncertainty about adopting innovative products or services with unclear compliance assurance as key constraints.
Data controllers in action: data protection law as a barrier
Views from a Category C adult prison
Within the prison system, personal data is often shared with third-parties for legal representation or rehabilitation purposes. A representative from a UK prison reported that data protection regulation had introduced delays around information sharing.
For example, the interviewee noted that the regulation was making it more challenging to share information with solicitors. “We have to go back to [the solicitors] and get them to send a form into the prisoner and then the prisoner has to get back to us […]. It makes some of our work long winded.”
Similarly, data protection laws have made it more challenging to share personal data with rehabilitation and support facilities without obtaining consent: “We want to share information and we want it to be as easily accessible as possible.[…] When we get those barriers, it slows it down.”
Cost of compliance
The cost of maintaining compliance with UK GDPR varies based on the size of the organisation, the amount of personal data being processed and the purpose for which the personal data is being processed.
In our survey, 35% of organisations reported facing costs as a result of complying with the UK GDPR. These costs presented themselves in the form of one-off direct costs (reported by 20% of organisations) and one-off indirect costs (11%), ongoing direct costs (19%) and ongoing indirect costs (14%).
Common costs include software, reported by 44% of those respondents that incurred costs, existing employee undertaking regulatory compliance training (31%), existing employee undertaking regulatory compliance work (29%) and hardware (26%).
Of those respondents that reported having incurred costs of complying with the UK GDPR in the last 12 months, 64% of respondents reported compliance costs of less than £10,000. The cost of compliance is seen to increase in tandem with organisation size. The majority of sole traders (84%) reported a total cost of compliance of less than £10,000 over the last 12 months.
Data controllers in action: costs incurred by data controllers
Views from a business providing shipping containers storage solutions
GDPR was one of the core factors behind the business becoming a paperless organisation. As part of this move to a paperless system, tablets were purchased, totalling £9,000.
In addition, this business spent approximately £8,000 on encryption software and introduced 2 factor authentication on all login events to better protect the personal data stored.
Despite the initial cost, the organisation felt there would be savings in the future, such as using less paper, and printing.
“I would say in three years it will pay for itself.”
Data protection law as an enabler and a constraint
Our study also revealed that more than 15% of organisations see data protection law as both a constraint and enabler at the same time. In fact, 64% of organisations that reported data protection law had constrained their activities to at least some extent also reported agreement that data protection law was an enabler. The case study below exemplifies how data controllers provide a nuanced view about data protection law being both an enabler and a constraint for organisations.
Data controllers in action: data protection law as a constraint for one core activity and an enabler for others
Views from a Parish Council
Councils may need to collect personal data for a variety of reasons, including for the management of allotments, taking bookings for Parish halls and verifying identities at Council meetings.
A representative of a UK Parish Council explained how the introduction of the UK GDPR has resulted in both negative and positive consequences to their operations.
On one hand, the Council representative explained that following new data protection guidelines, they were restricted in their social media promotion practices as they were no longer able to use photos with young people: “One of the unintended consequences I suppose was around photography and young people's images, where we used to take pictures randomly and use them on social media. Now as a general policy we don't take photographs simply because it's not always possible to get everybody's permissions.” They have tried to mitigate this issue, but the paperwork was too onerous and have therefore been more limited in the social media promotions they can publish.
On the other hand, the Council noted greater engagement in consultation meetings once data minimisation principles were implemented. The Council previously collected personal details to gather feedback on Council activity and policy but adopted a new anonymised feedback system following the introduction of the UK GDPR. “In the past we would have asked for names and addresses but now, because we are aware of data protection much more, we don't do that,” noted the interviewee, “It wasn't necessary to get people’s information.”
The results were unexpected but positive. Since the Council started to explicitly state that the consultation meetings would be anonymous, they noticed greater engagement, and that participants were freer with their opinions. “The consultations have a much better outcome because it's anonymous whereas previously it was attributed to them.”
Overall, the Parish Council representative found that data protection regulation have been positive: “We thought it was going to be really onerous and it's actually turning out to be beneficial which is certainly something we were not expecting".