Table of Links
-
Literature Review
3.1 Consumer awareness and knowledge of the regulation
3.2 Consumer awareness and knowledge of the regulator
3.3 Consumer perceptions of privacy
3.4 Business response to Data Protection regulation
3.5 Employee awareness of their employer’s Data Protection regulator
3.6 Employee perception of benefit of the GDPR to their employer
3.7 The research goal is the consumer/employee perception of the GDPR
-
Methods
-
Analysis and Results
5.3 Hypothesis 2: Consumers lack awareness and knowledge about the regulator
5.4 Hypothesis 3: Consumers feel their privacy is better since GDPR was introduced
5.5 Hypothesis 4: Companies have responded to GDPR and made changes
5.6 Hypothesis 5: Employees lack awareness of the GDPR regulator at work
5.7 Hypothesis 6: Employees have seen little benefits to their company from GDPR
-
Discussion and 6.1 High consumer awareness and knowledge of the GDPR
6.2 Respondents lacked a formed opinion and 6.3 GDPR has driven changes
6.4 Perceptions of privacy have improved and 6.5 The profile of the regulator may not matter
-
Conclusion, Funding and Disclosure Statement, and References
3.3 Consumer perceptions of privacy
Side-stepping the privacy-paradox debate and whether privacy desires and privacy actions are consistent, we are interested in how people feel or perceive the state of their privacy post-GDPR. We find contradictory studies that claim it has had little impact, and others believe it has improved people’s feeling of privacy.
In ‘Are consumers concerned about privacy?’, conducted in the run-up to GDPR, Presthus and Sørum found the respondents had a favourable view of the GDPR, but they were sceptical about its enforcement 2019. In a follow-up, ‘A three-year study of the GDPR and the consumer’, they found that the GDPR has not significantly affected consumer awareness nor the level of control over their own personal data 2021.
There is some evidence that consumer perceptions of power and risk in digital information privacy have risen due to mandatory the GDPR cookie notices [8]. In a similar vein Zhang et al. 2020 suggest that the GDPR plays a significant role in online customer trust by bringing about stronger rights and more transparency for online customers.
A 2021 survey by the ICO [54] found that 77% of people say protecting their personal information is essential. The survey does not ask about privacy per se. Instead, it asked ‘Has your trust and confidence in companies and organisations storing and using your personal information increased, decreased or stayed the same in the past year?’, they found 9% felt it had increased, 68% felt it had stayed the same and 23% felt it had decreased compared to 2020. The answers in percentages were broadly the same as the 2020 survey results. Given the unique perspective of our sample, we believe that it is apposite to seek their evaluation of the effect of the GDPR on their privacy perceptions:
Hypothesis 3: Consumers feel their privacy is better since the GDPR was introduced.
3.4 Business response to Data Protection regulation
To comply with the GDPR, most companies will have had to make some legal, technical and organisational changes [37]. Failure to comply can attract hefty fines of up to 4% of global turnover [23] and negative publicity which in turn can affect a company’s market valuation if it is publicly quoted.
A systematic literature review [44] into the economic consequences of security incidents found that most studies (76%) report a statistically significant negative impact of data breach events on the stock market. Ford et al. 2021 found cumulative abnormal returns of around −1% after three days far outweighed the monetary value of the fine itself, and relatively minor fines could result in major market valuation losses for companies. The persistence of this effect is open to debate and Richardson, Smith and Watson argue that ‘companies are unlikely to change their investment patterns unless the cost of breaches increases dramatically or regulatory bodies enforce change’ 2019.
Buckley et al. 2022 found the fear of the GDPR’s threat of meaningful financial penalties has spurred companies to take the GDPR seriously. It has led to modernisation of company databases, more careful accounting of data, and greater awareness of information security. Cochrane et al. and Jasmontaite-Zaniewicz et al. 2020, 2021 surveyed SME Associations and found evidence to support Hijmans’ 2018 view that information and awareness of the imposition of fines was a regularly cited way of capturing the attention of SMEs.
Thus GDPR compliance, whatever the corporate motivation, should have been and continue to be a visible agenda item for employees in almost all company departments [29]. People in Finance and IT would be aware of the cost of additional IT information security expenditure and the potential size of fines. Staff in Human Resources and Customer Service would be aware of personal data handling requirements and subject access requests. Executives in Sales and Marketing would be aware of purpose limitations and the need to gain consent to promotional campaigns. We are interested in testing this commitment since public statements of investment and compliance are cheap. We conjecture:
Hypothesis 4: Companies have responded to GDPR and made changes.
Authors:
(1) Gerard Buckley, University College London, UK (gerard.buckley.18@ucl.ac.uk);
(2) Tristan Caulfield, University College London, UK (t.caulfield@ucl.ac.uk);
(3) Ingolf Becker, University College London, UK (i.becker@ucl.ac.uk).
This paper is
