This section sets out the technologies that data controllers use when processing personal data and examines adoption of different innovative technologies.
IT function management
The majority (72%) of organisations reported managing their IT functions in-house, with all IT functions performed by internal staff. 6% of organisations reported outsourcing all their IT functions to externally contracted service providers. 19% of organisations reported a hybrid between these models, with some IT functions performed in-house, while others are outsourced.
These results vary by the organisation’s characteristics. For example, organisations with more than 250 employees reported using a hybrid IT function more often (49%). Similarly, 28% of organisations processing personal data for more than 10 million data subjects reported managing their IT functions entirely in-house.
Technology used by data controllers
Many organisations are implementing technologies to assist in the processing and protection of personal data. Cloud storage and specialised hardware or software for managing Data Protection Compliance were the most commonly reported technologies used by data controllers, with 36% and 27% of respondents reporting their use, respectively. Organisations also reported using physical data servers (24%), encryption (22%) and cloud processing facilities (14%). 20% of organisations reported not using any digital technologies, for example due to all data being held physically.
Data controllers in action: technology used by data controllers
Views from an auction house
The auction house holds personal data including names, addresses, contact information and banking arrangements to update client on the progress of their orders, arrange sales and execute wills.
The data is stored both on paper and in digital copies. Paper copies are stored in A4 files which are locked in a storage cabinet in a back office accessible only to staff. Digital records are saved in the cloud and are only accessible on computers with a licensed software. Information stored in this software is structured with different levels of access and clearance.
Technology considered but not used by data controllers
15% of organisations had considered adopting cloud storage but ultimately decided not to. 13% and 12% respectively of organisations that considered adopting encryption and software / hardware for managing data protection compliance ultimately decided not to.
These percentages are much higher for organisations with more than 250 employees or organisations processing personal data for more than 2 million data subjects. For example, more than half of respondents in organisations with more than 250 employees that do not use cloud storage, software or hardware for data protection compliance and physical data servers reported having previously considered adopting the technologies. Similarly, more than 80% of organisations that process data for more 2 million data subjects that did not adopt cloud storage, software or hardware for data protection compliance and physical data servers had previously considered adopting these technologies.
A variety of factors contributed to organisations considering but not adopting certain technologies. With 58%, the most common factor for organisations considering but not adopting a technology was that organisations ultimately saw no need. Other reported factors included lack of expertise or staff training required (49%), high cost of the technology (44%) and lack of time for the implementation (37%). Organisations also highlighted the role that data protection law plays in the adoption of technologies; 42% of organisations that considered but chose not to adopt technologies highlighted the effort required to understand compliance requirements and 23% reported legislative requirements as a factor for ultimately not using the technology.