I couldn't really summon up any interest in the "celebrations" for the one year anniversary of GDPR. Anyone working in this field knows that demand for data protection advice has not really diminished over the last twelve months, and in some respects the challenges are becoming more significant, as businesses and individuals move on from the basics and start grappling with more detailed issues for which there is still very little guidance. The fact that we are now more than a year past the implementation date has had very little bearing on that.
But some of the research commissioned and published to coincide with the anniversary is pretty interesting. That includes this survey, undertaken for the EU Commission, and tracking awareness and sentiment around data protection across the union.
The results will be encouraging for those who hope that GDPR will be an agent for serious, consumer-led change in the way in which businesses collect and process personal data. Levels of awareness of the core data subject rights are high with almost three quarters of respondents across the EU being aware of at least one of their rights (in most cases, the right to access personal data).
One of the particularly interesting things about this survey is that it provides an opportunity to contrast awareness and sentiment with the pre-GDPR position, because a similar survey was undertaken in 2015. Thus, we learn that awareness of the existence of public bodies responsible for protecting data subjects' rights has increased dramatically by 20 percentage points to nearly 60%.
But there are some more troubling trends. Of those (86% of respondents) who consider that they have only partial or no control over their personal data, 62% say that they are concerned about this. That represents a reduction in those concerned of 5% since 2015. Respondents are also less likely than they were in 2015 to read privacy policies, a reduction of 7% to 60%. 4% fewer respondents have tried to change the default settings on their social network accounts. These figures may be reflective of an increasing confidence in the regulatory regime which underpins the processing of personal data in the EU, but if that trend were to continue it would run the risk of turning into complacency.
For businesses concerned with controlling and processing personal data, these trends reflect what they have already probably experienced. Data subjects are more aware of their rights and have a higher expectation of clear and comprehensible information about what is going to be done with their data. With further public awareness campaigns planned by the ICO and other authorities across Europe, and with the prospect of more attention-grabbing headlines around enforcement in the coming months, data protection professionals look likely to be kept busy for quite a long time yet.
Based on the views of 27,000 Europeans, the Eurobarometer results show that 73% of respondents have heard of at least one of the six tested rights guaranteed by the General Data Protection Regulation. The highest levels of awareness among citizens are recorded for the right to access their own data (65%), the right to correct the data if they are wrong (61%), the right to object to receiving direct marketing (59%) and the right to have their own data deleted (57%). In addition, 67% of respondents know about the General Data Protection Regulation and 57% of respondents know about their national data protection authorities. The results also show that data protection is a concern, as 62% of respondents are concerned that they do not have complete control over the personal data provided online.