New research: After 5 years, two thirds of IT chiefs believe the GDPR has reduced customer trust

CRAWLEY UK, May 25, 2023 – Five years after the GDPR came in, 66 per cent of UK IT leaders polled in a new survey say the regulation has made customers less willing to trust businesses with their personal information. 44 per cent believe the additional red tape created by the GDPR has hampered digital transformation for many enterprises and nearly one in five (18 per cent) is not confident that their organization is fully compliant.

 

62 per cent feel that processing data subject access requests and other GDPR queries takes up significant time and resources, and 72 per cent admit the switch to hybrid working has forced them to invest more resources in GDPR compliance. 

 

Looking to the future, 85 per cent of survey participants think it would be easier for UK businesses to stick with the GDPR rather than replacing it with the proposed new Data Protection and Digital Information Bill (DPDIB). However, 86 per cent believe the GDPR risks becoming irrelevant if it fails to keep pace with new AI technologies such as ChatGPT.

 

When asked if they were completely satisfied that the way they store, process and use personal information is now fully compliant with the GDPR, nearly one in five (18 per cent) of IT bosses either did not agree or didn’t know. 

 

The survey of 100 IT decision makers was commissioned by Macro 4 to mark the five-year anniversary of the GDPR (on May 25th, 2023). Here are five key findings from the research:

 

1.      The GDPR has made consumers more suspicious about the way their personal information is managed

66 per cent of IT leaders feel overall that the GDPR has made customers more aware of the need to protect their personal information – making them less willing to trust businesses with it. The regulation aims to give individuals more control over their data, with GDPR compliance providing an opportunity for firms to demonstrate transparency and build trust with customers. However, the research suggests that the regulation may have had the opposite effect when it comes to trust. 

Jim Allum, Director, Commercial and Technical at Macro 4, said, “Most IT leaders seem to feel that the regulations have made people more suspicious about how their data is being used. This is possibly because people are better informed now about how their data could be compromised or misused. Media headlines about major data privacy breaches and huge GDPR non-compliance fines leveled at well-known brands will have reinforced the overall lack of trust. All this means that organizations need to work harder than ever to demonstrate that they’re managing data within the rules.” 

2.      Hybrid working has forced more GDPR investment

72 per cent of IT decision makers in the survey said the switch to hybrid working, with increased access to personal information outside the workplace, has forced them to invest more resources into ensuring that they remain GDPR compliant.

One of the challenges of compliance is ensuring that personal data is shared in a controlled manner between authorized employees. There should be no risk of it being seen by anyone else. However, with more people working from home or outside the office, this becomes more difficult.

Organizations must not only provide the same level of data protection and security for employees who work from home as those on site, but also need to prevent people from taking shortcuts. Using email to share spreadsheets and other documents that contain personal information may seem easy and quick, but it increases the risk of sensitive data ending up in the wrong hands. 

“It’s important that you have processes and systems to make it easier to stick to the rules,” said Jim Allum. “For example, you email someone a link, but they then log into a secure system for sharing and accessing content in a GDPR-compliant way – with tight access controls, redaction and an audit trail to prove that information has been kept secure.” 

“This kind of capability is becoming even more important as the switch to hybrid working has also accelerated the shift from paper to digital. For example, HR departments that previously kept sensitive information under lock and key are now accessing it from home, and employees may need access too.”

3.      The Data Protection and Digital Information Bill makes IT leaders nervous 

85 per cent of IT leaders feel it would be easier if the UK stayed with the data privacy requirements enshrined in the GDPR, rather than create a separate set of post-Brexit regulations under the proposed Data Protection and Digital Information Bill (DPDIB). Among technology bosses working in the biggest organizations (those with over 3,000 employees) this goes up to 89 per cent.

“There’s still a lot of complexity around compliance and also unanswered questions about what will happen in practical terms if the new bill comes into force,” said Jim Allum. “Businesses that operate in both the UK and EU may fear that they’ll end up having to comply with two separate sets of compliance standards. They could be thinking, ‘It’s better the devil you know’.”

4.      The GDPR must be updated to keep pace with AI  

86 per cent of IT leaders believe the GDPR will need to be updated to keep pace with new AI technologies such as ChatGPT, or risk becoming irrelevant. Generative AI technology has taken the business world by storm and companies are rushing to adopt it before their competitors, for fear of missing out. 

“However, there’s a risk that businesses can compromise GDPR compliance by unwittingly exposing personal information while using AI,” said Jim Allum. “Data privacy regulators need to take the lead on setting out rules and guidance about how AI is used.” 

5.      The  GDPR soaks up IT resources and hampers digital transformation

44 per cent of IT leaders agree that additional red tape from the GDPR has hampered digital transformation and 62 per cent feel that processing data subject access requests and other GDPR queries takes up significant time and resources. This is despite 83 per cent of technology leaders saying that they have robust processes in place to handle GDPR customer requests. 

Jim Allum from Macro 4 said, “The findings imply that while most companies do have processes in place for processing GDPR customer queries, those processes are not always automated and may require manual intervention. In particular, while it may be relatively easy to access personal information from core systems, unstructured data held outside of databases – for example in customer emails, social media interactions or voice recordings – is harder to classify and locate.”

What 100 IT leaders say about the GDPR 5 years on (overview of survey findings)

We are completely satisfied that the way we store, process and use personal information is now fully compliant with the GDPR
Agree 82% | Disagree 13% | Don’t Know 5%

We are completely satisfied that the way we store, process and use personal information is now fully compliant with the GDPR 
Agree 82% | Disagree 13% | Don't know 5%

We have robust processes in place to handle customer requests under the GDPR such as data subject access requests and removal of personal data
Agree 83% | Disagree 15% | Don't know 2%

Processing data subject access requests and other GDPR queries takes up significant time and resources
Agree 62% | Disagree 30% | Don't know 8%

The switch to hybrid working, with increased access to personal information outside the workplace, has forced us to invest more resources to ensure we remain GDPR compliant
Agree 72% | Disagree 24% | Don't know 4%

The additional red tape created by the GDPR has hampered digital transformation for many enterprises
Agree 44% | Disagree 49% | Don't know 7%

The overall effect of the GDPR is that customers are more aware of the need to protect their personal information, making them less willing to trust businesses with it 
Agree 66% | Disagree 27% | Don't know 7%

It would be easier for businesses if the UK stayed with the data privacy requirements enshrined in the GDPR, rather than create a separate set of post-Brexit regulations under the proposed Data Protection and Digital Information Bill
Agree 85% | Disagree 13% | Don't know 2%

The GDPR will need to be updated to keep pace with new AI technologies such as ChatGPT, or risk becoming irrelevant 
Agree 86% | Disagree 11% | Don't know 3%