As 25 May 2018 approached, many of us may have felt that GDPR had been sent to test our patience and fill our inboxes. Many working in Big Data and tech, however, saw the onset of GDPR as an important step in restoring trust in a sector that badly needed it. The thinking was that the more transparency that could be offered to the public on how their data was being used, the more they might trust the companies using that data. Now that some time has passed since GDPR launched, it is a good opportunity to take stock of the situation.
Firstly, awareness of GDPR is high. Our research conducted in October 2018, not quite seven months after GDPR launched, shows that 83% of the British public have heard of it. This will be of no great surprise given the media furore, seemingly endless emails, website redesigns and the changes most workplaces have gone through. More positive, however, is that it seems that the public are also aware of some of the core principles behind GDPR – clear majorities agree that they understand they have the right to see what data a company holds on them and can request its deletion should they so desire. Fewer (although nearly half of the public) understand that their data is being encrypted.
Positively, two fifths of the public say that, because of GDPR, they are more confident that the companies who hold their data will keep it safe, and over half agree that they are now better able to control how their personal data is collected and used. While we all know that self-reported awareness is one thing, and actual behaviour change is another, a positive picture is being formed here of a UK population much better aware of their own digital rights, and what expectations they should have on what companies and organisations should be doing with their data.
The problem is that, while individuals may know more about their own rights, trust in both the public and private sector on data protection and privacy is still low, which really emphasises the scale of the problem that those optimists thought GDPR might start to fix. Only the NHS and the banking sector are consistently more trusted than distrusted when it comes to the finer details of collecting, using and protecting personal information. Even the NHS, that widely loved institution we implicitly trust with our lives, is not trusted on data issues by more than half of the British public. (Perhaps because in 2017 we saw massive coverage of the NHS computer system hack closing surgeries.) This is an alarming finding for anyone hoping GDPR is going to fix how the tech sector, for instance, is seen.
For other sectors the picture is far from positive – and this cannot be much of a surprise to anyone. The optimists will point to the fact that large portions of the public, up to half in some cases, are neutral or unable to answer the questions, and that levels of actual distrust are low. On the flip side, however, no more than a third express trust in the tech sector, the supermarkets, their local council or the government to be transparent about data use, seek consent on data collection or manage data in the interests of the user.
What does this mean? The obvious answer, and one that was predictable, is that GDPR has failed to make as much of an impact on how much the public trust the organisations and industry sectors that use our data most frequently and on the largest scale. What GDPR may have done, however, and the evidence will start to accrue more over the coming months and years, is to educate the public about their legal rights over their own data, and provide a greater understanding of how data should be collected, used and stored. Any company or organisation that fails to meet these changing circumstances will find itself in trouble, but those that realise it and act soon will find that doing so will do more for their trust scores, and their businesses more widely, than simply following regulation could ever have done.