6.4 Perceptions of privacy have improved
The results for H3 show people feel their privacy is better since the introduction of the GDPR in 2018. This is an important and positive finding since comparative empirical surveys are sparse. The ICO surveys annual changes in trust and confidence scores rather than privacy per se. Other perception research looks at control [39], choice and risk perceptions [8].
6.5 The profile of the regulator may not matter
The results for H2 & H5 show people are not very familiar with the ICO as consumers or as employees. It registers modest name recognition. That said, ICO awareness has improved since the EU Eurobarometer survey in 2019. Back then, only 21% of the UK knew its identity, whereas 38% recognised the ICO in phase #2. People believe its role is twofold: to monitor compliance, including data security and data misuse, and to issue fines. This matches some of the ICO mission statements. People see the ICO as more company-facing and less consumer-facing. This may not matter since the ICO achieves its objectives via controls through companies. If the people that matter, i.e. DPOs and senior management, rather than ordinary employees, are aware of the ICO, then it may not hinder its effectiveness.
6.6 Regulator = Enforcer
People’s expectation of enforcement is complex. Unlike the enforcer to advisor spectrum outlined in the literature review, the general population have firm expectations of their regulator as an aggressive compliance-led defender of their rights rather than an advice-led consultant to them and their employers. They see the regulator as there to punish and fine non-compliant businesses. However, half of them cannot remember any company being fined. Of the half that could, half could not remember the names of the culprits—so how important are fines really to their perception of the regulator and the regulation? Our regression analysis suggests that people are most likely to believe companies are scared of GDPR fines if they feel privacy has improved because they have observed changes in their own employer and are aware of the compliance obligations of companies.
6.7 GDPR is worth it if…
Our regression analysis suggests the following mental models at play: People believe the GDPR is worth it because they feel their privacy is better since the GDPR was introduced. People are most likely to say this if they are confident they know their consumer rights, know the regulator’s powers and have observed first-hand the mix of positive and negative changes at work.
People are most likely to think the GDPR is good for their company and not too much hassle if they have seen more positive and fewer negative changes to it and, curiously, are not too knowledgeable of the role of the regulator and the compliance obligations. A sort of Goldilocks situation [51]: they see more positive than negative changes and don’t regard the regulator as too powerful or demanding.
6.8 Implications
We examine the implications of these themes across theoretical, managerial, and policymaker/regulator levels.
Theoretically, we question the sustainability of GDPR-inspired changes observed in this study. Will there be compliance decay over time, considering the competition for business focus from newer regulations? The GDPR benefited from massive publicity at launch, but that was five years ago. There are grounds for hope. Recent experiences suggest that EU data regulation often reinforces compliance in other areas, potentially mitigating decay. Additionally, new data protection regulations overseas, inspired by the GDPR, may reinvigorate its relevance.
At a managerial level, our research suggests that constant awareness and knowledge training of the GDPR can lead to unforeseen effects. Raised expectations among employees for high data hygiene practices from their employers may drive companies to promote their GDPR credentials in order to reassure staff and customers and foster trust in their brand.
Our research also prompts consideration of the optimum positioning for a regulator. If the ICO’s focus is primarily on corporate compliance rather than consumer protection, this has implications for policymakers. For instance, should the UK government direct the ICO to issue more fines to reinforce their deterrent effect on corporates?
The positive perception of the GDPR among those who comply and implement it suggests valuable lessons for future policymaking. Incorporating early feedback and buy-in from a dual professional-consumer sample population may enhance the development of new regulations in this field.
6.9 Limitations and future work
Although the UK GDPR is virtually identical to the EU GDPR, the findings from a UK-only sample may not be applicable to other EU countries, especially regarding regulator-specific results due to differences in national regulator competencies and resources. As we wanted to ensure non-identifiable responses, we cannot estimate the diversity of companies studied, and there may have been multiple responses from single companies. By expanding the sample size, future work could investigate if participants’ views are influenced or different based on their industry sector or country regulator. Just before submission, the ICO published a survey with a larger sample size than ours, corroborating our findings with regard to comparable questions. Another research path would be to explore how new complementary data-related regulations reinforce each other and influence consumer perceptions.