5.7 Hypothesis 6: Employees have seen little benefits to their company from GDPR.
We analysed this question in three stages. First, we asked participants to what extent their job had changed due to the GDPR, followed by open questions about the advantages and disadvantages of the GDPR. Then, on the next page, participants were asked to what extent they agreed with eight impact statements about the GDPR. Finally, we asked them to judge whether the GDPR was good for their company. All answers can be found in Table 6, and we discuss each part in turn.
This even split contrasts strongly with the final statement, with almost no participant disagreeing that GDPR is good for their company. The ordering may have been a potential biasing factor and/or engaging in the exercise may have helped people to form a more concrete opinion (see also Section 6.2).
Through free-text responses, we explored the pros and cons further. First, respondents were asked to identify the biggest disadvantage for their company. Responses (full codebook in the appendix in Table 12) were categorized into five clusters: no observed disadvantage, increased bureaucratic processes, higher costs, constraints on customer data, and miscellaneous complaints. The most common response was no observed changes or disadvantages, with some attributing this to existing robust processes. The top themes included increased bureaucracy and paperwork, as well as more time-consuming processes. Respondents also mentioned ongoing compliance costs, staff training requirements, and constraints on data collection for marketing purposes as significant drawbacks. Other cited disadvantages included responding to freedom of information requests, internal information sharing difficulties, and uncertainty regarding inadvertent GDPR breaches.
Respondents were asked to identify the biggest advantage of the GDPR for their company. The responses (full codebook in the appendix in Table 10) can be categorized into three clusters: better data protection and security, clearer rules, and no discernible advantage to their company. Under data protection, respondents linked improved information security and enhanced trust in their company. This applied to client data and their own personal data held by their employer. Some cited transparency and compliance as enhancing their company’s brand. Clearer rules led to standardized processes, improved employee training, and better handling of personal data, potentially protecting the company from fines. Some respondents also noted benefits such as the GDPR incentivizing data upkeep, discarding out-of-date information and reducing storage costs.
We conclude people recognise the benefits to their companies but are not blind to the disbenefits of the GDPR.
5.8 Research question: GDPR: Is it worth it?
Participants were asked to respond to four statements about GDPR, including the central research question. The overwhelmingly positive responses can be seen in Table 7: it appears that when forced to recall and judge the positives and negatives of GDPR, they conclude that it is good not just for them, but also for their employer.
5.9 A regression model based on the dual professional-consumer perspective
Given the unique dual perspective of our participants, we explored potential dependencies between our hypotheses. Using 20-fold cross-validated step-wise linear regression models, we identified the smallest set of questions (or composite scores that represent our hypotheses) that maximize model explainability. Our analysis, conducted in Python using scipy and the statsmodels package, can be found in the online supplementary materials. The full regression tables are available in Appendix B. Based on this analysis, we propose a new model for understanding the perceptions and influences of the GDPR (Figure 6).
We found that consumers’ perception of improved privacy (measured through Hypothesis 3) is pivotal for our outcome variables. Several moderating factors influence this view: knowledge of the GDPR (Hypothesis 1), understanding regulator roles (Hypothesis 3), and observing positive impacts on their company due to the GDPR (Hypothesis 6). Our main research question, ‘Is GDPR worth it?’, is well-explained by a model based solely on ‘Consumer feels privacy is better,’ achieving an impressive R² = 0.687. Our participants recognize the impact of GDPR on their privacy and value it accordingly.
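The selection procedure described in this section can be sketched as forward step-wise regression scored by 20-fold cross-validated R². This is an added example, not the authors' supplementary code: it uses numpy only rather than statsmodels, and it runs on constructed data. The column names, the coefficients and the `min_gain` stopping rule are assumptions made for illustration.

```python
import numpy as np

def cv_r2(X, y, k=20, seed=0):
    """Pooled out-of-fold R^2 of an OLS fit (with intercept) under k-fold CV."""
    n = len(y)
    folds = np.array_split(np.random.default_rng(seed).permutation(n), k)
    A = np.column_stack([np.ones(n), X])
    pred = np.empty(n)
    for test in folds:
        train = np.setdiff1d(np.arange(n), test)
        beta, *_ = np.linalg.lstsq(A[train], y[train], rcond=None)
        pred[test] = A[test] @ beta          # predict only on held-out rows
    return 1 - np.sum((y - pred) ** 2) / np.sum((y - y.mean()) ** 2)

def forward_stepwise(data, target, candidates, min_gain=0.02):
    """Add the predictor with the best CV R^2 until the gain is below min_gain."""
    y, chosen, best = data[target], [], 0.0
    while len(chosen) < len(candidates):
        scores = {c: cv_r2(np.column_stack([data[v] for v in chosen + [c]]), y)
                  for c in candidates if c not in chosen}
        name, score = max(scores.items(), key=lambda kv: kv[1])
        if score - best < min_gain:          # assumed stopping rule
            break
        chosen.append(name)
        best = score
    return chosen, best

def constructed_survey(n=300, seed=1):
    """Constructed composite scores; NOT the study's data or effect sizes."""
    rng = np.random.default_rng(seed)
    names = ("h1_gdpr_knowledge", "h2_regulator", "h6_company_benefit", "unrelated")
    d = {c: rng.normal(size=n) for c in names}
    # Assumed structure: three factors feed the privacy perception (H3) ...
    d["h3_privacy_better"] = 0.4 * (d["h1_gdpr_knowledge"] + d["h2_regulator"]
                                    + d["h6_company_benefit"]) + 0.5 * rng.normal(size=n)
    # ... and only H3 drives the outcome directly.
    d["worth_it"] = 0.8 * d["h3_privacy_better"] + 0.45 * rng.normal(size=n)
    return d

if __name__ == "__main__":
    data = constructed_survey()
    factors = ["h1_gdpr_knowledge", "h2_regulator", "h6_company_benefit", "unrelated"]
    print(forward_stepwise(data, "worth_it", factors + ["h3_privacy_better"]))
    print(forward_stepwise(data, "h3_privacy_better", factors))
```

Because the other scores only act through the privacy perception in this constructed data, the outcome model keeps that single predictor even though they correlate with the outcome on their own.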