Table of Links
Abstract and 1. Introduction
-
Background to the GDPR
-
Literature Review
3.1 Consumer awareness and knowledge of the regulation
3.2 Consumer awareness and knowledge of the regulator
3.3 Consumer perceptions of privacy
3.4 Business response to Data Protection regulation
3.5 Employee awareness of their employer’s Data Protection regulator
3.6 Employee perception of benefit of the GDPR to their employer
3.7 The research goal is the consumer/employee perception of the GDPR
3.8 Summary
-
Methods
4.1 Design
4.2 Data Analysis and 4.3 Ethical considerations
-
Analysis and Results
5.1 Background demographics and 5.2 Hypothesis 1: Consumers are aware and knowledgeable about the GDPR
5.3 Hypothesis 2: Consumers lack awareness and knowledge about the regulator
5.4 Hypothesis 3: Consumers feel their privacy is better since GDPR was introduced
5.5 Hypothesis 4: Companies have responded to GDPR and made changes
5.6 Hypothesis 5: Employees lack awareness of the GDPR regulator at work
5.7 Hypothesis 6: Employees have seen little benefits to their company from GDPR
5.8 Research question: GDPR: Is it worth it? and 5.9 A regression model based on the dual professional-consumer perspective
-
Discussion and 6.1 High consumer awareness and knowledge of the GDPR
6.2 Respondents lacked a formed opinion and 6.3 GDPR has driven changes
6.4 Perceptions of privacy have improved and 6.5 The profile of the regulator may not matter
6.6 Regulator Enforcer and 6.7 GDPR is worth it if…
6.8 Implications
6.9 Limitations and future work
-
Conclusion, Funding and Disclosure Statement, and References
A. Table of Survey Responses
B. Regression Analysis
C. Survey
6 DISCUSSION
This research examined the informed individual’s perception of the GDPR. This is important because we can gauge buy-in and learn what works when considering new privacy regulations. Several high-level themes can be drawn from the results:
6.1 High consumer awareness and knowledge of the GDPR
The H1 results reveal a strong awareness of GDPR among participants, with 93% acknowledging it in the phase #2 survey, a marked improvement over previous EU surveys. Our research tallies with the literature that people learn about GDPR from news, employer training, and cookie consent notices. Departments like HR, IT, Marketing, and Legal exhibit higher awareness than others, possibly due to its greater impact on their work.
While participants aren’t spontaneously confident about their GDPR rights, they recognize consumer rights when prompted. Notably, they understand the right to be informed and the right to request data copies. They are less confident recognising fabricated rights—registering high unsure scores—but that is probably the right reaction. Equally, while participants aren’t spontaneously confident about their employer’s GDPR compliance obligations, they scored high overall, with the exception of the national security exemption, which is hardly common knowledge.
6.2 Respondents lacked a formed opinion
The sequencing of the questions was designed to avoid bias before posing the central research question: ‘Is GDPR worth it?’ Initially, respondents were hazy about GDPR and its impact on their job. However, once prompted with specific questions about GDPR, the regulator, and observed repercussions at work, they finished the survey with a positive evaluation of GDPR. We speculate participants may default to imprecise gut feelings unless prompted to consider its specific benefits and drawbacks. Future data protection surveys may improve response quality by giving participants the space to develop an opinion.
6.3 GDPR has driven changes
The results from H4 prove people have seen changes at work. This shows the GDPR is working. We can be confident the answers are ‘solid’ because they are very similar to the answers they gave to the same questions two months beforehand in the phase 2 pilot. In particular, they have observed how personal data is handled more carefully, and they have received regular training on the risk of fines due to data misuse or data breaches. More generally, they agreed more than disagreed with all the prompted observed changes. The change that received the highest uncertain score was ‘My company collects less personal data than before’, but even then, more people agreed than disagreed.
People recognise the upsides (improved data security) and downsides (bureaucracy, time, cost) of these GDPR-driven changes for their employers and for them personally. This latter point regarding cybersecurity tallies with earlier research. However, we bring an original contribution behind how our participants evaluate this. For their employer, people think better information security means less chance of fines. We speculate they may translate this as better job security for themselves. For the employee, better information security makes them feel their own data is handled more carefully by their own employer. We speculate they may project this expectation onto other companies.
