5.5 Hypothesis 4: Companies have responded to GDPR and made changes
Respondents were presented with seven statements under the question ‘Which of the following are rules that a company must comply with when handling personal data under GDPR?’ and asked to answer yes, no or unsure. See Table 4 for the results.
We conducted two sets of multiple-comparison adjusted chi-squared tests. The first tested whether responses (Yes/Unsure/No) could be randomly distributed. This was rejected with 𝑝 < 0.001 for all statements. The second set focused on Yes/Unsure responses, and again, all are statistically significantly different from random apart from ‘Must be made available to national security if asked’, which has 𝑝 = 0.2. Participants score high on knowledge of individual company obligations, with some uncertainty regarding the national security exemption.
Respondents were offered 10 statements on how their employer company had responded to the GDPR. Table 11 in the appendix shows the results. Six of these were also asked in the shorter pilot.
Finally, we compared the scores from the phase 2 pilot and the main study. Figure 5 shows a violin plot of the absolute difference in Likert response scores for questions asked in both studies. Wilcoxon signed-rank tests reveal no significant differences (𝑝 < .01) in participants’ responses across repeated questions in the main survey, conducted 8 weeks later. The non-absolute average, with a mean of 0.09, indicated a minimal change in the time between the pilot and the main study. Overall, people’s perceptions of changes in their company have remained remarkably stable.
We conclude our sample believes their employers have responded to the GDPR and observed changes. While they may lack confidence that they know GDPR compliance requirements in theory, their high correct scores on specific questions demonstrate knowledge in practice.
5.6 Hypothesis 5: Employees lack awareness of the GDPR regulator at work
After ensuring participants knew that the ICO was the UK GDPR regulator, participants were asked to respond to three statements regarding the visibility, reputation and punitive powers of the ICO in their workplace. Table 5 shows the questions and results.
The survey shows that the ICO is not a topic of conversation in the office; people have no opinion about its reputation, but they are aware their employer is liable to fines for data misuse or data breaches. We calculated a composite score for Hypothesis 5 by weighting each individual’s response from −3 through to +3 depending on where the answer sat on the Likert scale and averaging it over the three questions. The mean is −0.23 with a standard deviation of 1.41. We cannot reject the null hypothesis that this distribution is drawn from a Normal distribution with mean 0 (one-sample t-test with statistic = −1.61, 𝑝 = 0.11). It is possible that participants were answering randomly to this question. We concluded that employee awareness of the GDPR regulator in the office is mixed at best.