The General Data Protection Regulation (GDPR) has now been enforceable for eight months, but has it started to have the impact the regulators and public wanted, in enhancing individuals' privacy?
In order to answer this insightful question, Deloitte conducted a survey across a sample of both consumers and organisations to investigate the attitudes towards privacy since GDPR became enforceable on the 25th May 2018.
The survey was run across eleven countries, both inside and outside the EU, to understand what impact GDPR has had on organisations and how consumer perceptions and behaviours have changed as a result.
Their findings indicate that consumer awareness has risen. 58% of respondents reported that they took more caution when providing organisations with their personal information than pre-GDPR, and organisations have invested to improve their compliance with 48% of organisations claiming to have made “significant” investment. The survey also magnified some interesting observations.
• Privacy is a global concern
• Trust is key
• Consumer centricity is not yet there
• Consumer action doesn’t follow perceptions
• Talent matters
Privacy is a global concern
A significant change under GDPR is its reach beyond the EU to place requirements on all organisations handling personal data on EU data subjects. This has clearly had an impact, with the results showing that there has been equal focus by organisations inside and outside the EU on the topic. Consumer perception is similar, with attitudes broadly aligning.
Trust is key
Individuals share data more openly with organisations they trust. They are also less likely to leave, challenge or exercise their rights against an organisation they trust if it has a breach. The ethical use of data, which can reside in the grey area between regulatory compliance and a higher standard, is seen as an increasingly important driver in this level of trust.
Consumer centricity is not yet there
Individuals’ level of trust is increased through being put in control of their data; however, most people do not feel that GDPR has done enough to increase the control they have over their data, and they still pay little attention to privacy notices. Programmes may have been too focused on internal compliance rather than taking a consumer-centric view.
Consumer action doesn’t follow perception
While the perception and importance of privacy is on the increase, consumer actions are still slow to follow suit. With the continued surge in personalisation and personal data being used in ever more complex ways, the increasingly tangible impact that the misuse of data can have at a consumer level is likely to drive a stronger reaction.
Most organisations have recruited or trained people to increase their capabilities to manage privacy compliance, but many still see challenges in headcount and capacity of these individuals. Continued effort is needed to address the talent shortage.
The survey indicates that GDPR is having the desired effect with a largely positive impact on consumer opinion in relation to personal data being collected and stored by organisations. The impact on an organisational level is mixed; most organisations report successful compliance with GDPR policy, but it’s important to note that some can’t see this being maintained with their current resourcing levels whilst others may already be contravening the regulation. Consumers continue to be more driven by the value and rewards they receive in exchange for sharing their personal data than the potential adverse impact it may have on them.
To view the complete report, please visit https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-6-months-on-a-new-era-for-privacy.html