Literature Review
3.1 Consumer awareness and knowledge of the regulation
3.2 Consumer awareness and knowledge of the regulator
3.3 Consumer perceptions of privacy
3.4 Business response to Data Protection regulation
3.5 Employee awareness of their employer’s Data Protection regulator
3.6 Employee perception of benefit of the GDPR to their employer
3.7 The research goal is the consumer/employee perception of the GDPR
Methods
Analysis and Results
5.3 Hypothesis 2: Consumers lack awareness and knowledge about the regulator
5.4 Hypothesis 3: Consumers feel their privacy is better since GDPR was introduced
5.5 Hypothesis 4: Companies have responded to GDPR and made changes
5.6 Hypothesis 5: Employees lack awareness of the GDPR regulator at work
5.7 Hypothesis 6: Employees have seen little benefits to their company from GDPR
Discussion and 6.1 High consumer awareness and knowledge of the GDPR
6.2 Respondents lacked a formed opinion and 6.3 GDPR has driven changes
6.4 Perceptions of privacy have improved and 6.5 The profile of the regulator may not matter
Conclusion, Funding and Disclosure Statement, and References
In the UK, GDPR awareness is high, and consumers understand their rights. They perceive improved data protection and personal data control since the introduction of the GDPR. While awareness of the regulator’s identity is lower, participants recognize its role in upholding rights and imposing fines. This may become a point of dissatisfaction in the long term, as participants struggled to recall companies that had actually been fined.
Interestingly, employees view GDPR as good for their companies because it protects customer data and their personal data. Despite recognizing the overheads (people, process, and technical), they believe GDPR clarifies compliance requirements on their employer and what it has to do to avoid being fined. They appreciate that their employers (and, by extension, other companies) must be more conscientious in handling and securing personal data. In summary, while GDPR may be viewed as an imposition, participants still think it is worth it. These insights have important implications for policymakers and regulators who may wish to emulate this public support for future regulation roll-outs.
FUNDING AND DISCLOSURE STATEMENT
Gerard Buckley is supported by UK EPSRC grant no. EP/S022503/1. Ingolf Becker is supported by UK EPSRC grant no. EP/W032368/1. The authors report there are no competing interests to declare.
A TABLES OF SURVEY RESPONSES
B REGRESSION ANALYSIS
:::info Authors:
(1) Gerard Buckley, University College London, UK;
(2) Tristan Caulfield, University College London, UK;
(3) Ingolf Becker, University College London, UK.
:::
:::info This paper is available on arxiv under CC BY 4.0 DEED license.
:::