3.5 Employee awareness of their employer’s Data Protection regulator
It is reasonable to assume the in-house Data Protection Officer (DPO) will know the identity of their DPA since they will be required to communicate with it. However, it is less clear whether staff in general know their DPA, and less clear still if the DPO function is outsourced to an external provider, which is quite a common business practice for SMEs [15].
Under article 57.1 [31], DPAs also have a duty to engage in activities furthering ‘the awareness of controllers and processors of their obligations’, i.e. the individuals and companies that handle personal data. Making companies aware of their responsibilities would seem obvious if they are expected to be held accountable for their actions. However, it is also the nexus of the two schools of enforcement, which are (punitive) deterrence and (advisory) compliance.
Hodges 2018 asserts that DPA awareness is essential if it is to play a leadership role where the emphasis is on the expertise, authority and influence of the DPA. Hijmans 2018 partly agrees but argues that for enforcement of the regulatory framework to be successful, regulators should have sufficient resources and capability to issue strong sanctions. The GDPR includes both compliance and deterrence approaches.
Data on employee awareness of their employer’s GDPR regulator is inconclusive. The management consultancy Deloitte (2018) found that 57% of respondents indicated their organisations had received regulatory requests from their DPA. Later in the same year, STAR delivered a report to the EU that found ‘Most DPAs neither conduct specific research aimed at establishing levels of SME awareness nor general awareness of the GDPR’ [6].
If companies have invested in training, then employees should be familiar with at least the name of their company’s regulator and with the size of the fines their company could face. However, given the uncertainty, we hypothesise:
Hypothesis 5: Employees lack awareness of the GDPR regulator at work.
3.6 Employee perception of benefit of the GDPR to their employer
Literature on the benefits of the GDPR to business is somewhat limited. Studies focus on the technical, financial and human resources struggles that companies encounter in complying with the regulation [47]. Training employees, even data scientists, is challenging. Larsson and Lilja 2019 argue that the GDPR will provide some opportunities for other businesses, like legal experts, lawyers, consultants in digital strategy and professionals in analytics. Poritskiy et al. 2019 find that the main benefits include increased confidence and legal clarification, whilst the main challenges include the execution of audits of systems and processes and the application of the right to erasure.
Almeida Teixeira et al. [5], in their systematic literature review, find that the literature reflects on benefits that organisations may achieve by implementing the GDPR, including proper data management; use of data analytics; cost reduction; and increase in reputation and competitiveness. This review was conducted in 2019 and looked back at literature that, in practice, mainly predates the GDPR.
More recently, Buckley et al. 2022 looked at the actual impact of the GDPR on companies after three years. They found that the GDPR had made companies more privacy-aware, spurred modernisation of their data processes and justified upgrade investments to their security infrastructure. At the same time, they found evidence that it had made new business development harder due to restrictions on requesting and holding personal data, increased direct and indirect compliance costs, left companies confused at times due to grey areas of law and exposed companies to burdensome subject access requests.
Many of these benefits and complications may be invisible to employees or above their pay grade, which is why we hypothesise:
Hypothesis 6: Employees have seen little benefits to their company from GDPR.
3.7 The research goal is the consumer/employee perception of the GDPR
Westin’s work on different attitudes to privacy [34] and Acquisti’s studies (2015, 2005, 2013, 2016) on the economics of privacy help us to begin to understand how individuals rationalise the importance they attach to, and the effort they put into, protecting their data. People instinctively know there are trade-offs.
The shift to the internet and the datafication of society have created what Shoshana Zuboff (2019) describes as ‘a wholly new subspecies of capitalism in which profits derive from the unilateral surveillance and modification of human behaviour’. Policymakers have struggled to find the right balance between competing interests, and the GDPR is their latest attempt at squaring the circle.
The purpose of the GDPR is to protect individuals and the data that describes them and to ensure the organisations that collect that data act responsibly. The respondents in our study have lived with the GDPR for four years and have seen it from the inside and outside. They have lived with the hassle of cookie consent notices as consumers and lived with knock-on effects at work. Knowing what they know, we ask the key research question: ‘do you think it is worth it?’
3.8 Summary
The literature review has revealed six hypotheses for study:
(1) Consumers are aware and knowledgeable about the GDPR.
(2) Consumers lack awareness and knowledge about the regulator.
(3) Consumers feel their privacy is better since GDPR was introduced.
(4) Companies have responded to GDPR and made changes.
(5) Employees lack awareness of the GDPR regulator at work.
(6) Employees have seen little benefits to their company from GDPR.
These allow us to study if individuals exposed to GDPR both as employees and as consumers think it is worth it.
Authors:
(1) Gerard Buckley, University College London, UK (gerard.buckley.18@ucl.ac.uk);
(2) Tristan Caulfield, University College London, UK (t.caulfield@ucl.ac.uk);
(3) Ingolf Becker, University College London, UK (i.becker@ucl.ac.uk).
This paper is