UKBDS 2024 Data protection policy qualitative research findings
Published 28 January 2025
1 Executive summary
1.1 Introduction
The 2024 UK Business Data Survey (UKBDS) is a telephone and online quantitative study of UK businesses, focusing on the role of digital data in UK businesses, international data transfers, and data protection compliance. The findings from this quantitative survey are published here. This report details the findings from 80 qualitative interviews, which focused on a range of data protection topics in more depth.
1.2 Overarching findings
Business size and sector had a major impact on approach to complying with data protection laws
Of those that took part in the research, smaller (sole traders, micro and small) businesses typically had less internal knowledge and expertise in data protection, and lower levels of awareness of data protection issues. By contrast, larger (medium and large) businesses had more knowledge, resources and formal structures in place to deal with data protection.
Smaller businesses generally had a perception that not a lot had changed since the introduction of GDPR. Following data processing rules was largely perceived as part of compliance and a burden on smaller businesses, rather than as something that brought commercial benefits.
In contrast to smaller businesses, larger businesses often had specialist Data Protection Officers (DPOs) and compliance teams in place. These teams often included information security and data protection experts, and they occasionally outsourced specific tasks.
Businesses in sectors that handle large volumes of data or potentially sensitive data appeared to have better specialist knowledge. Those in the education, finance and legal sectors tended to have better processes in place for data protection, for example partly automated procedures for dealing with Subject Access Requests (SARs). For some, being on top of data protection was seen as a central part of being professional.
Businesses were generally reactive in their approach to data protection, except for those in technical, legal, or financial sectors
Smaller businesses were generally not proactive about data protection. The reasons businesses gave for this were competing (and, to them, higher priority) demands on their time and the fact that decision-makers in smaller businesses need to wear many different ‘hats’. A lack of financial resources and dedicated staff, and a lack of awareness of what to do, were other reasons.
This was particularly the case in businesses that operated in sectors where the data they collected was limited, or not central to their business.
Drivers of greater engagement with data protection issues included data breaches, perceived reputational damage, business opportunities and received advice
There were examples of businesses of all sizes that had been prompted to implement changes following data breaches, either in their own business, or in a similar business. Businesses that felt vulnerable to cyber-attacks and perceived them as something that could do serious reputational damage invested in threat defence software and cyber security more proactively. In some cases, data protection was included in cyber security or IT packages.
Eligibility for large tenders was another stated driver to change. Businesses that had ISO certification felt that gaining this certification had a positive impact in its own right, and because it made the business eligible for tenders from larger businesses or government.
Accountants and lawyers were in some cases drivers of change. This is because they prompted some smaller businesses to implement data protection processes. Examples included processes for onboarding new clients and guidance on GDPR.
Smaller businesses tended to delegate responsibility for data protection to external providers, or rely on trade bodies, rather than on the Information Commissioner’s Office
Smaller businesses often used external providers to deal with data protection on their behalf, often as part of a broader package including legal services or IT. This was due to cost considerations and a lack of in-house expertise.
Outsourced providers also changed behaviours by introducing data protection measures as part of their package. This could include data privacy notices, updated cookie policies, or data storage and deletion processes. For example, a smaller business might outsource website management to a company that then put in place cookie policies, data privacy notices, and terms and conditions (T&Cs).
In contrast, larger businesses typically had dedicated in-house data protection specialists, sometimes alongside quality and compliance teams. These teams often included information security and data protection experts, and they occasionally outsourced specific tasks.
Trade bodies provided valuable data protection and cyber security information to smaller businesses and were usually trusted by them. They often provided guidance and templates, tailored to the sector, through regular communications. Examples included templates for data privacy notices and T&Cs, and recommendations on malware protection software.
Awareness of the Information Commissioner’s Office (ICO) and its guidance was low across all business sizes. Smaller businesses in particular only perceived it as a regulatory body rather than a source of information and guidance.
Some smaller businesses were nervous about contacting the ICO for fear it would result in review of their processes. Among the few smaller businesses that had consulted ICO guidance, there tended to be strong perception it was not tailored to small businesses and the sector that they operated in.
2 Introduction
2.1 Research context
The 2024 UK Business Data Survey (UKBDS) is a telephone and online quantitative study of UK businesses commissioned by the Department for Science, Innovation and Technology (DSIT). It focused on the role of digital data in UK businesses, international transfers of data and activities for data protection compliance. The results of the quantitative study can be found here.
Following the quantitative 2024 UKBDS study, DSIT commissioned Ipsos to conduct follow-up qualitative research on themes that are hard to cover through a survey.
2.2 Research aims
The aims of this research were to:
- explore awareness and understanding of data protection law
- understand business activities carried out in response to data protection law
- explore benefits and costs of the current legal framework, including the views businesses have on data protection law and accompanying guidance
2.3 Methodology
Ipsos conducted 80 qualitative in-depth interviews between February and April 2024 with UK businesses.
Businesses that answered the UKBDS 2024 quantitative survey were asked to give their permission for re-contact on further research. 37% of businesses that took part agreed to be recontacted. This group formed the sampling frame for recruitment to this study.
A recruitment screener was used to ensure:
- eligibility for the research
- a spread of business size, sector, turnover, location
- that the business had taken actions related to UK data protection laws in the last 12 months
To guide the interviews, the Ipsos and DSIT research teams developed a discussion guide using a modular structure, so that businesses were only asked questions relevant to their experience. The discussion guide used in interviews with businesses is included in annex 1 to this report.
Interviews with businesses lasted between 45 and 60 minutes and were conducted via Microsoft Teams or telephone. Ipsos provided a ‘thank you’ payment of £60 to businesses either in the form of a charity donation or shopping voucher, dependent upon the participant’s preference.
Businesses that do not handle digitised data generally did not participate in the research because of the way the sample was selected. Table 1 provides an overview of the data protection topics covered in each business interview, allocated based on the business’s responses to the 2024 UKBDS survey. In addition, 60 businesses were asked about their views on data protection issues in general.
Table 1: data protection topics covered in each business interview

| Data protection topic | Interviews completed |
|---|---|
| Responded to Subject Access Requests in the last 12 months to comply with UK data protection laws | 8 |
| Employed staff or outsourced to specialist staff to handle data protection requirements, either full time or as part of their role, in the last 12 months to comply with UK data protection laws | 8 |
| Sought legal advice in the last 12 months to comply with UK data protection laws | 7 |
| Ran training and upskilling activities in the last 12 months to comply with UK data protection laws | 11 |
| Introduced new processes to implement data protection measures in the last 12 months to comply with UK data protection laws | 10 |
| Introduced opt-in consent mechanisms in the last 12 months to comply with UK data protection laws | 7 |
| Rewritten or updated Terms and Conditions (T&Cs) in the last 12 months to comply with UK data protection laws | 8 |
| Rewritten, updated or introduced a privacy notice in the last 12 months to comply with UK data protection laws | 8 |
| Updated cookie management and tracking technologies used by the business in the last 12 months to comply with UK data protection laws | 6 |
| Purchased specialist software for data protection in the last 12 months to comply with UK data protection laws | 5 |
| Other behaviour to comply with data protection law in the last 12 months | 8 |
| General views on data protection law | 60 |
Note: Interviews completed do not add up to 80 because respondents were interviewed on multiple topics.
2.4 How to read this report
Please see the glossary and abbreviations section in annex 2 for full details of the terminology used in this report.
Direct quotes have been included in this report to illustrate and highlight key points and common themes. Where direct quotes are used, they have been anonymised and attributed with the business sector and size.
Business sizes are defined as follows:
- sole trader
- micro: business with 1 to 9 employees
- small: business with 10 to 49 employees
- medium: business with 50 to 249 employees
- large: business with 250 or more employees
Please note that 2 or more different participants may have the same information in the attributions for their quotes.
2.5 Interpretation and generalisability of findings
The findings in this report are intended to provide insight into the behaviours, views, and experiences of a range of businesses. By design, the research set out to capture a rich and detailed understanding of different behaviours, views, and experiences. This research did not set out to determine the prevalence of these behaviours, views, and experiences.
Where the report indicates that ‘few’, ‘some’, or ‘many’ businesses experienced or felt something, this is in relation to the research participants only. Findings cannot be considered representative of the entire UK business population and should not be interpreted as generalisable to the entire business population.
3 Responded to Subject Access Requests in the last 12 months to comply with UK data protection laws
Chapter summary
Smaller (sole traders, micro and small) businesses generally had low awareness of SARs. In contrast, larger (medium and large) businesses and those in the education, health and legal sectors tended to be more aware of SARs. Some of these businesses had automated parts of the process of responding to SARs.
While acknowledging their potential burden, participants from businesses of all sizes generally viewed SARs favourably from an individual’s perspective, emphasising the importance of individuals’ right to know what data is held.
3.1 Awareness and understanding varied according to business size and sector
Awareness of SARs tended to be low among smaller businesses. Those that had dealt with one lacked knowledge of what data should be provided in a response and feared making mistakes.
“I don’t know enough about it to know my position and I would be very nervous about giving out data.” Professional, scientific and technical activities, small business
Beyond lack of knowledge, smaller businesses generally felt that they lacked the resources to deal with SARs. Some smaller businesses had been particularly concerned about SARs relating to non-digital data, which they thought would be particularly burdensome to respond to. Of those that participated, no smaller businesses showed awareness of the right to refuse to respond to a SAR.
By contrast, larger businesses tended to be more aware of SARs, and about the circumstances where they could refuse to respond to a SAR, although this had not been used much.
Businesses in sectors dealing with large amounts of personal data (education, health and legal sectors) tended to have more experience and understanding of SARs. Participants working in the education sector showed awareness of the right to refuse a SAR in certain circumstances and explained that they would consult legal teams if they were unsure.
“I used the serious harm exemption. I took the professional decision that by releasing information, the other parent and child could be at risk.” Education, large business
3.2 How SARs were dealt with
Practices and processes businesses had in place for dealing with SARs varied depending on their past experience of SARs and the volume of requests they expected to receive. Business size and capacity to deal with requests also affected this, with smaller businesses typically not having much experience. For those smaller businesses that did, the volume of SARs tended to be low (that is, fewer than 10 a year) and easy to respond to (that is, often just involving sending documents securely).
“We have only ever had one and I did not know how to deal with it, so I Googled to find out about it and then I spoke to our accountant who helped me understand how to respond to it and how to provide the information to them.” Manufacturing, micro business
Larger businesses generally had more resources for dealing with SARs. They tended to outsource, or had plans to outsource, some parts of the SAR process for reasons of efficiency and cost-effectiveness, and to save internal staff resource.
Some larger businesses had formalised and automated procedures for logging SARs. For example:
- using online platforms such as Sentry or SureCloud for SARs management
- automated searching of emails and electronic documents
However, larger businesses tended not to have automated procedures for responding to SARs because they could be so varied. Redaction tended to be manual, although one business mentioned that they had used Adobe Acrobat’s redaction function which allowed them to redact private and confidential information before it was shared.
For some larger businesses, as with smaller businesses, the SAR process tended to be largely manual and time-consuming. Some larger businesses had internal staff who had responsibility for dealing with SARs and had processes in place for dealing with different types of SARs.
Case study: large services business burdened by SARs
This was a large business in the Administrative and Support Services sector. The business was familiar with SARs and had different processes in place for dealing with different types of SARs. However, the business did not have any automated processes because they felt each SAR was slightly different and required a different approach. Simple SARs would take around one hour to deal with, whereas more complex ones could take 5 to 10 days to resolve. The Data Protection Officer estimated that SARs cost the business around £150,000 per year.
Among businesses that participated, SARs were generally more common in the education, health, and legal sectors, regardless of size. These businesses tended to receive multiple SARs from multiple individuals in any one year. Businesses in these sectors generally tended not to have automated processes for dealing with SARs.
“So, we’ve got 14 schools that would each spend 30 hours, plus my 30 hours, and I also have a deputy as well across the organisation about 480 hours.” Education, large business
Businesses in the education sector gave examples of an individual SAR taking up to 2 months to process because of the large volumes of data educational institutions held on students. Some participants expressed a lack of clarity over confidentiality and over who had the right to submit a SAR in complex cases, for example parents of adult children with learning difficulties.
The volume of often text based, unsorted personal data held on a variety of different IT systems and platforms in educational settings generally meant that SARs took longer to respond to. Participants suggested 2 to 3 weeks was standard but there had been cases that had taken several months to respond to. The emails could be reviewed automatically but the process of redaction was manual.
3.3 Attitudes towards SARs were informed by views about individual citizen’s rights
Participants familiar with SARs were generally in favour of them from their own personal perspective as a citizen, rather than solely as a business.
Views on SARs tended to be informed by participants’ experiences as individuals interacting with businesses.
“It’s an individual’s rights, they have a right to know what an organisation is saying or doing about them… It’s a good thing.” Real estate activities, large business
At the same time, participants also acknowledged that SARs can be time-consuming to process, and that they were likely to become more common. A few businesses shared that they had been concerned that SARs could be misused by other businesses or individuals.
A few businesses in the legal sector questioned whether the criteria for raising a SAR should be made stricter. This was because they had the impression that SARs could be raised just to cause problems, such as additional workload, for a business, for example by the other party in a dispute the business was advising on, or by a disgruntled client.
4 Employing staff and outsourcing to specialist staff in the last 12 months to comply with UK data protection laws
Chapter summary
Smaller (sole traders, micro and small) businesses tended to outsource data protection tasks, often as part of a broader IT package, due to cost considerations and a lack of in-house expertise. They placed significant trust in these outsourced professionals, viewing them as experts.
In contrast, larger (medium and large) businesses typically had dedicated in-house data protection specialists, sometimes alongside quality and compliance teams. These teams often included information security and data protection experts, and they occasionally outsourced specific tasks.
4.1 Approaches to employing staff and outsourcing among smaller businesses
Among businesses that participated, smaller businesses tended to outsource the handling of data protection requirements rather than employ specialist staff. Reasons for this included a lack of knowledgeable staff and resources for training, as well as the poor cost-effectiveness of handling data protection in-house. Some smaller businesses acknowledged that they only needed specialist staff on an ad hoc and temporary basis, which was another reason why they outsourced.
“I am way too busy running the business to do it myself. I also don’t have the expertise… It’s not cost effective to hire [permanent] staff to do it.” Construction, micro business
Where smaller businesses outsourced data protection, it was generally as part of an IT package rather than to a specific individual. These packages frequently also included Human Resource (HR) systems, wider compliance, cyber security, and website management.
One micro business paid £120 a month to an IT supplier who managed their Microsoft 365 package, conducted annual audits, and put in processes to move from Cyber Essentials to Cyber Essentials Plus.
Smaller businesses invested considerably in outsourced professionals who they perceived as experts. For example, one micro charity paid £1,500 to an IT company to manage and run Cyber Essentials due to a lack of technical know-how.
Smaller businesses generally did not have specialist data protection knowledge, unless they worked in a financial or data-driven sector or had expertise from previous roles. Examples of expertise from previous roles included teachers, police officers, NHS professionals and financial services professionals.
Cost was a key driver of outsourcing among smaller businesses, as they generally considered outsourcing to be far cheaper than training someone internally or hiring someone. An example of a cost was a Data Protection Officer (DPO) outsourced on a retainer fee of £83 a month. It was often difficult for small businesses to specify the cost of data protection, because it was frequently part of a range of services from the same provider.
“If we brought them in-house cost would be a problem, we would have to pay a salary. We did look at other options, like training me up to do it, but I could not fit it in. It worked out cheaper to outsource.” Information and communications, small business
Smaller business sometimes sought external data protection services as a reaction to a cyber-attack. Several smaller businesses cited cyber-attacks as the prompt to outsource to IT specialists. For example, one micro recruitment business that faced daily cyber threats without in-house expertise outsourced to an IT company. The IT company ensured their IT systems and firewalls were secure, and data was stored and backed up securely.
Smaller businesses generally tended not to pro-actively put data protection procedures in place or keep up to date on changes in data protection. There was a perception among smaller businesses that there had not been much change since the introduction of GDPR.
4.2 Approaches to employing staff and outsourcing among larger businesses
Larger businesses that participated tended to have in-house data protection specialists and access to external expertise.
Larger businesses often had in-house accredited DPOs who had responsibility for ensuring data processing procedures were in place and the business was GDPR compliant. In some larger businesses, the DPO was also responsible for information security. For example, one large information and communication business estimated that they spent £40,000 per year on internal data protection staff.
Some larger businesses had quality and compliance teams that included information security and data protection specialists. Alongside technical IT and data protection specialists, larger businesses often had access to legal expertise.
Some larger businesses had a blended approach where they outsourced some data protection tasks to external contractors, for example, dealing with Subject Access Requests (SARs). For example, one further education college spent £30,000 per year on an external DPO who worked 2.5 days per week, working alongside an internal specialist on responding to SARs.
5 Seeking legal advice in the last 12 months to comply with UK data protection laws
Chapter summary
Smaller (sole traders, micro and small) businesses generally found seeking legal advice to be expensive and prioritised seeking it only for essential matters. In contrast, larger (medium and large) businesses generally viewed legal advice as a standard practice and had dedicated in-house and external resources for it.
5.1 Seeking legal advice among smaller businesses
Smaller businesses generally perceived seeking legal advice to be prohibitively expensive, so it was sought only where essential and on rare occasions. As data privacy was not a high priority for them, smaller businesses suggested they would only seek legal advice if it was critical. For example:
- following a cyber-attack
- for those operating in a sector that collects large volumes of sensitive data, to ensure compliance where this was critical to winning a large contract
- to receive guidance when on-boarding new clients
- as a preventive measure, to ensure compliance in case they were audited
“When we adopted the new back-office system there was a lot of data being transferred into that system. Because we were using a different system to store it, we needed to know, was there anything we needed to do with our clients? We looked with the advisers at how we needed to handle that.” Financial and insurance activities, micro business
Data privacy and processing was generally low down the list of priorities for smaller businesses, even if they had sought legal advice. Notably, smaller businesses often contacted their accountant or IT services for ‘specialist’ legal or regulatory advice.
5.2 Seeking legal advice among larger businesses
Larger businesses often had the resources to seek legal advice to ensure compliance with UK data protection law. Seeking legal advice was more common among these businesses and perceived as a standard procedure if required.
Larger businesses tended to have the resources to consult external specialist data protection lawyers for more complex issues. Some larger businesses felt that their contracts had complex clauses relating to data protection, and that external legal advice was sometimes needed to ensure compliance.
“We wanted to ensure that any data that we were collecting was being treated appropriately and to work out what data could we collect to enable us to make and improve better products.” Information and communication, medium business
In addition to Data Protection Officers (DPOs), larger businesses often had in-house legal counsel who could advise on simple data protection queries. In-house legal counsel could also sign-post these businesses to external lawyers who were specialists in data protection if required.
6 Ran training and upskilling activities in the last 12 months to comply with UK data protection laws
Chapter summary
Smaller (sole traders, micro and small) businesses viewed and approached data protection training in various ways, often influenced by their size and sector. While some saw it as a routine compliance task, others, especially customer-facing ones, found it valuable for raising awareness and building trust.
Larger (medium and large) businesses generally invested more in comprehensive training programmes, which were often tailored to specific roles and updated regularly. Trade bodies played a crucial role by providing accessible and relevant information, including training materials, to smaller businesses.
6.1 Training for smaller businesses was often seen as necessity rather than best practice
Among the smaller businesses that participated, training was seen as an annual ‘box-ticking exercise’ and had been introduced after GDPR:
- training was done to meet minimum compliance standards rather than to embed best practice. This was because GDPR had often driven small businesses to review their practices and introduce new processes relating to data storage and deletion
- audits and commercial interests such as ability to bid for and win new contracts had often driven some smaller businesses to review their practices and introduce new processes, including training
- training was introduced to ensure staff were aware of the key components of data protection and changes under GDPR
Training tended to be highly valued by participants who had overall responsibility, or some responsibility for data and or data policies in customer-facing businesses. For example, hospitality and personal care services where staff did not initially perceive themselves as handling sensitive data such as customer contact details until they had received training.
Training was valued because it had led to staff becoming aware of data protection laws and processes to comply with it. For example, how sensitive customer contact details should be handled and stored:
“I think it [training] helps us fully be compliant with data protection laws really. It makes people aware of what they need to do and that they understand that we should not share customer details with other people. It just tells you how to keep records. Keep them locked away, not to share any records. We also have a salon management system that is GDPR compliant. We use that for storing contact details of customers, colour records… We show staff to use this.” Other service activities, micro business
Data protection training was perceived as important for some smaller businesses for a variety of reasons:
- easy to become complacent without training and risk sharing information that would have breached data protection laws and caused reputational damage. Particularly relevant in the hospitality or retail sector where data was not perceived as a central part of the business and staff were interacting with customers face-to-face
- where it was common for staff to be involved in aspects of the businesses that were not part of their primary role that might have involved important aspects of data protection
- data protection training could have given a competitive advantage over other small businesses when trying to win new contracts
- data protection training was sometimes a requirement for bidding for government or public sector contracts
“Easy to get complacent about data protection and training helps remind people why we are so pernickety about it… Trust is hard to earn and easy to lose.” Information and communication, micro business
However, there was generally little investment in updating training materials or tailoring them to be specific to individual businesses. Training packages tended to be generic GDPR training packages provided by external training providers. Smaller businesses generally did not have the time or expertise to develop bespoke data processing training.
Several smaller businesses conducted internal annual training administered as a one-day workshop that all staff attended to ensure compliance with GDPR. For these smaller businesses, it was perceived as essential to ‘tick the boxes’, though the actual value of the training was less clear:
“I can’t really explain what difference it’s made when the majority of how it affects us as a business was being done, we just didn’t realise it was GDPR.” Construction, micro business
Some smaller businesses ran data protection training led by an experienced internal member of staff for new members of staff as well as on an ad-hoc basis. This type of training was also carried out on a project basis if it was a requirement to be eligible for a tender. Businesses that were customer facing generally perceived this type of training to be more important.
“All we’ve done, as part of our onboarding everyone listens to a GDPR training course. We tried where possible once a year to talk to new joiners and let them know what our GDPR protocol was.” Administrative and support service activities, micro business
Some smaller businesses ran online webinars as a part of corporate professional development that all members of staff would be expected to attend and complete. This was conducted on an annual basis to ensure compliance with GDPR.
Sole traders and Directors of smaller companies, especially those in data rich sectors, sometimes attended external training courses. For example:
“Every year we do the training to be Payment Card Industry compliant. It is useful, because we handle personal data of customers, so it increases our awareness of how to treat data… Like not keeping card numbers.” Accommodation and food service activities, micro business
Training was also part of certification requirements: a few smaller businesses referenced training they had to do to become ISO 9001 or ISO 27001 certified. This training was typically provided by an external provider and took place online.
Training acted as a force for improving data protection in some smaller businesses as it had made them realise that they needed to change. A few felt training had helped them to realise what they needed to change to ensure they were compliant and protecting the data they held on employees and customers. This was particularly the case among small businesses that were still partly paper-based or had only recently moved to digital work practices:
“It definitely raised our awareness of how to handle data, and what our obligations were. We also changed our practices. We as a firm were quite backward when it came to data protection… Since the training we have implemented a few changes, like how we now operate a clear desk policy. We also used to have these bins for shredding around the office. Now that bin is kept in a secure room… We are an old-fashioned firm, and we were very paper based, we have moved away from that last year and become more digital. Data is stored in a secure server, rather than on paper.” Professional, scientific and technical activities, small business
6.2 The role of trade bodies in helping smaller businesses
Trade bodies were often a trusted source of information that smaller businesses paid attention to. They were seen to:
- provide clear and concise information that was relevant to smaller businesses, making the information sector specific
- provide useful information relating to many aspects of data protection, including training, data privacy notices, cyber security, and software packages
Examples of sector bodies that provided useful information incorporated by some smaller businesses into training included:
- Association of Accounting Technicians issued reports and webinars on GDPR and data trends in the industry such as the move to cloud software
- Federation of Hairdressers provided a handbook on data protection which hairdressers could use for training and onboarding
- Financial Conduct Authority issued guidance on compliance that businesses have integrated into training materials
“We got a little handbook from the Federation of Hairdressers for employees. We use that when new staff start… it’s part of our induction when we take staff on. I will go through it with them, and they keep it.” Other service activities, micro business
6.3 Larger businesses tended to invest in employee training
Among the businesses that participated, larger businesses tended to have invested in formal training packages and ongoing corporate professional development. Examples of larger businesses’ approach to training and upskilling activities were:
- medium business developed tailored training workshops for staff in specific roles who must have an in-depth understanding of data protection rules
- medium business in the finance sector conducted internal data protection training every 6 months, and in between conducted phishing tests to ensure employees were following guidance
- large business in the education sector ran annual online GDPR training provided by an external provider and had developed in-depth training for those in specialist data protection roles
- large business in the retail sector developed compulsory online training modules for all staff that needed to be completed each month to ensure all staff were familiar with their data protection obligations
7 Introduced new processes to implement data protection measures in the last 12 months to comply with UK data protection laws
Chapter summary
Smaller (sole traders, micro and small) and larger (medium and large) businesses implemented new data protection measures driven by data breaches, digitisation efforts, and regulatory requirements. Smaller businesses adopted procedures like password protection and encryption, while some transitioned from paper-based systems to digital ones with encryption and two-factor authentication. Larger businesses, handling larger data volumes, introduced more substantial processes.
7.1 Data breaches, digitisation, GDPR, trade bodies and certification regulators drove smaller businesses to introduce new processes
Among the smaller businesses that participated, GDPR, data breaches and digitisation of paper-based businesses were the main drivers for introducing new processes for data access and storage.
“We are a small company, and we were really haphazard about dealing with data before until we had an incident, an attack.” Manufacturing, micro business
“My partner’s firm had a GDPR breach and that kind of scared me. It shocked me into doing something.” Information and communication, small business
Trade bodies and certification regulators also drove small changes to processes, such as requiring virus protection, alongside the implementation of new measures. They were perceived as a source of trusted information and advice, pushing information to small businesses in an accessible email format. Examples included:
- Financial Conduct Authority requested the introduction of cyber security hardware and software
- Association for Accounting Technicians provided guidance on terms and conditions and privacy notices
- Scottish Health Board mandated the introduction of Cisco system and ethernet cables for the transfer of data
- ADISA and ISO certification required certain new measures; for example, ADISA certification required a small information and communication business to implement a record of data processing activities
Some smaller businesses that were, until recently, still largely paper based introduced processes such as encryption and two-factor authentication. This was part of introducing digital processes or moving from servers to the cloud.
7.2 Larger businesses introduced more significant processes
Larger businesses that participated had generally introduced more significant processes, often reflecting the larger volumes of data that they handled. For example:
- a medium business, also in the information and communication sector, introduced Customer Relationship Management systems to transfer information internally as an alternative to email. This was done for reasons of business efficiency rather than data protection, although as a by-product, stronger data protection measures were now in place
- another medium business in the information and communication sector had introduced data retention policies to comply with UK data protection laws in the past 12 months at an upfront cost. Policies ensured compliance with the law as well as an expectation that there would be an eventual reduction in storage and related costs:
“So, we had to have a data retention policy that said, well, what is data? We have to retain the data. We don’t retain. And what is the code process to remove that data when it’s no longer required? [It cost us] some engineering time, probably a month of engineering work. So, value wise, maybe £10,000 to £15,000.” Information and communication, medium business
8 Opt-in measures, terms and conditions, and privacy notices
Chapter summary
This chapter details the experiences of businesses who had made changes to opt-in measures, and/or updated their terms and conditions (T&Cs) or privacy notices in the last 12 months. Responsibility for these changes varied by business size.
Participants from smaller (sole traders, micro and small) businesses were not able to provide a lot of insight into these changes as they tended to be dealt with by third parties. Overall, these changes were perceived as low-cost, low-stress and low-impact.
8.1 Changes to opt-in measures, T&Cs and privacy notices tended to be minor
Among the businesses that participated, reported changes to opt-in measures in the last 12 months tended to be quite minor, and were sometimes a by-product of changing to a more digital way of conducting business.
Similarly, changes to T&Cs and privacy notices were small. They tended to involve updating the language used or dates. Sometimes they clarified what data would be held or how a business used cookies.
However, there were a few examples of more substantial changes that required a larger time investment. For example, a sole trader working in financial services had invested significant time in rewriting their privacy notice so that it was clear and concise to encourage customers to engage with it.
8.2 A range of actors were responsible for introducing these changes
Changes to opt-in measures, privacy notices and T&Cs among smaller businesses were sometimes driven by third parties, and businesses had minimal engagement with the changes.
“When I register a boiler after fitting for warranty, I pass on details of the customer to the manufacturers. They asked me to get the customers to fill in the opt-in form to be able to pass on and retain their details.” Construction, micro business
Several smaller businesses reported that their website manager had introduced an opt-in to ensure they were compliant with data protection rules. However, they were unaware of the details of the opt-in, and they were happy to let their website providers take responsibility for actioning this. They saw it as part of the service they were paying a monthly fee for.
“We assume that if they [website provider] haven’t said anything, it must be fine.” Information and communication, micro business
“We have a standard privacy notice which was updated… I don’t know why… I have a tendency to just go along with it. I just hand it over to them… They sent to me for approval, I said yes, but can’t remember what was in it.” Other service activities, micro business
In some cases, trade bodies such as the UK Self Storage Association provided ‘boilerplate’ templates which the businesses tailored, or they provided details of wording that needed to be updated.
The Law Society also provided law firms with e-mail bulletins reminding them to update their T&Cs with details on data protection. Other organisations that prompted businesses to update their T&Cs included:
- accountants
- Financial Conduct Authority
- Association of Photographers
- Royal Institute of British Architects
- Institute for Osteopathy
8.3 Impact and costs of introducing opt-in measures, T&Cs and privacy notices
Businesses of all sizes generally perceived changes to opt-in measures, T&Cs and privacy notices as having a low impact. In some cases, they improved the efficiency of business processes.
For example, one small publishing company had developed an Access database to store consent details. This meant that they had a more accurate record of who had consented, how they had provided consent, and what for. Having digital records of consent meant they were more easily searchable, and processes could be more efficient:
“We already collected consent but now it is recorded more formally with proof of consent. We can see if they opted in by letter, by phone, by email and the date they consented.” Information and communication, micro business
However, more generally, businesses felt that the changes to consent mechanisms, T&Cs and data privacy notices made minimal difference to their business or to their customers. They perceived these changes as examples of compliance check-box exercises, rather than substantive changes:
“I suppose consent gives protection for me that I have their consent for passing on their contact details. So no one can say that I passed it on without their consent.” Construction, micro business
They were also sceptical about whether their customers read privacy notices or T&Cs and this scepticism was heavily informed by their own behaviour as customers. For a number of businesses, the only impact they noticed was that introducing opt-ins for newsletters had decreased the size of the distribution list.
“People are just rolling with it generally…they tick the box and carry on.” Manufacturing, micro business
“[The business is] business to customer, not business to business and being blunt, how many people actually read this so I doubt it has made much difference.” Information and communication, micro business
However, some businesses reflected that they thought having transparent T&Cs meant that customers could be reassured and confident their data was being treated appropriately:
“It’s that reassurance that their data is handled securely and that they won’t receive cold calling.” Human health and social work activities, sole trader
In terms of time and costs involved in updating opt-ins, T&Cs, and privacy notices, businesses were generally unable to provide a cost because it was too difficult to calculate. A few smaller businesses reported that updating terms and conditions took 1 to 2 hours, and for most this was not considered a burden.
One or two sole traders pointed out that while this might not sound like a lot of time, it could have been spent responding to an enquiry that would have resulted in a new piece of work.
However, updating terms and conditions for some businesses was more complex as it could involve liaising with external bodies and reviewing a longer legal document. For example, a participant from a small law firm stated that senior partners were responsible for updating their terms and conditions and that this had cost around £2,000.
There was one notable exception to the perception that changes to opt-ins, T&Cs and privacy notices had minimal effect on the business:
- a games developer reported that introducing opt-in consent meant that their user numbers decreased. The business had invested significant time and costs into introducing the consent mechanism: it required engineering time to change the user interface, graphic design support, and coding to integrate the consent mechanism into the data flow
9 Updated cookie management or tracking technologies
Chapter summary
There was generally a low level of awareness and understanding of cookie technology. As with other areas of data protection, cookie management was sometimes considered the responsibility of external IT or website providers.
9.1 Cookie management among businesses
Participants had very low awareness of what changes, if any, had been made to cookie management. They also felt they had very limited understanding of cookie technology and relied on technical professionals both inside and outside the business.
Responsibility for managing cookies was generally outsourced to IT providers and website managers among smaller businesses. In some businesses, cookie management was handled internally by digital marketing teams or the IT team.
“We outsource it, they make all the changes. I don’t get involved. It is led by them and I just say yes to it.” Manufacturing, small business
Businesses that outsourced this had limited understanding of what changes had been made, but they thought changes were minimal. For example, a few businesses said changes were as simple as adding a line to terms and conditions to say that cookies were in use on the website or adding a cookie acceptance pop-up.
A number of smaller businesses commented that they did not use cookies for tracking and analytics; they described their websites as ‘shop windows’ that were very simple with details of the services the business provides and contact information. However, one sole trader who worked in graphic design felt more informed about cookies as they had personally updated the cookie policy on the website.
Only two larger businesses answered the section related to cookies in the qualitative research. They had updated their cookie banner to include a ‘reject all’ option. One of the participants said this change should have been implemented sooner but it had not been a priority. In November 2023, the ICO had issued a warning that it would start to implement fines if a ‘reject all’ option was not in place, and this prompted the business to implement this change.
9.2 What was the impact of making changes to cookies
Ensuring compliance was perceived as the main impact of making changes to cookies. However, some participants reflected that their lack of understanding of cookies also limited their ability to appreciate the impact of making changes.
Only one smaller business explained that their search engine ranking would drop if they did not keep their cookie management up to date.
“If we didn’t make the change, we would have been penalised by Google. Our search engine position would be lowered and that ultimately impacts how customers find us.” Manufacturing, small business
10 Purchased specialist software for data protection
Chapter summary
Businesses of all sizes mentioned threat detection software, which was sometimes purchased following a breach or pro-actively to minimise the risk of a data breach. Smaller (sole traders, micro and small) businesses were somewhat reliant on IT providers and trade bodies to advise on the type of software to purchase.
10.1 Type of software purchased
Threat detection software and spyware were often purchased by businesses of all sizes and across a range of sectors. This software had sometimes been purchased following a data breach, which had been a catalyst for investment.
“It is that peace of mind really…we are a small business, and we did not think this would happen to us. We now have peace of mind that we are protected. The software covers network protection, firewall and there is a two-step verification process.” Manufacturing, micro business
For some businesses, software had been purchased to make processes more efficient, and had had data protection features built-in. The primary motivation for investing in it, however, had not been data protection. For example, a number of businesses had purchased case management software that had identification and verification checks built in.
10.2 Reasons businesses purchased specialist software
As discussed in previous sections, third parties exerted significant influence over businesses’ approach to data protection:
- decisions to put threat detection software in place were made by external and internal IT specialists, sometimes following a data breach
- in some cases, the decision to purchase a particular threat detection software was due to communications from trade bodies who were perceived as trustworthy and reputable
Another reason for investing in specialist software was to meet the eligibility criteria to tender for large government contracts.
Among smaller businesses, participants felt they had neither the time nor the expertise to look into specialist software and were reliant on external guidance. However, one sole trader who had conducted the research themselves said that they had spent about 18 hours researching various options.
10.3 Impact of purchasing software
All businesses who had specialist software were positive about it. They mentioned a range of benefits including:
- compliance with regulations
- ability to tender for government contracts
- improved response time to SARs
- more efficient processes
- increased confidence that their data was secure
10.4 Examples of businesses who proactively purchased software
Several businesses were more pro-active about purchasing software. These businesses tended to be those handling both personal employee data and digitised personal data and working in professional services sectors that were data heavy. These businesses were more familiar with data protection measures, and they perceived these as being integral to the work they do and how they are viewed by customers and clients.
Businesses that gained ISO certification tended to have purchased specialist software and this may have been necessary to get the certification. However, businesses that wanted this certification were also more likely to see being on top of data protection as commercially valuable, for example:
- a larger legal firm was trialling specialist AI software designed to deal with SARs. Their motivation for this was to see if there might be potential to sell it to clients who handle a large volume of SARs
- a small information and communication business that invested in threat defence software, at a cost of £3,500 a year, to minimise the risk of a cyber-attack. Sensitive data was at the core of their business and the participant felt that if they suffered a cyber-attack the reputational damage would be huge:
“We could get hacked and it is important to protect ourselves as we have customers’ data. It could be a game changer if hacked.” Information and communication, small business
- a larger insurance business that had purchased an E5 licence on Office 365, at a cost of around £1,000 a month, which enabled the Data Protection Officer to respond faster to SARs and to monitor internal processes more closely to identify data breaches
11 Other behaviour to comply with data protection law
Chapter summary
Incidents of other behaviour to comply with data protection law were quite rare, and tended to focus on addressing individual, business-specific needs and situations. In some cases, there was overlap between these ‘other behaviours’ and other data protection activities covered in earlier sections of the report.
11.1 Examples of other behaviours to comply with data protection law
Overall, other behaviours to comply with data protection law were limited. They were sometimes driven by a business need to be more efficient or improve processes rather than data protection considerations. For example:
- a micro hairdressing business explained that they had introduced a consent form to hold details of clients’ previous treatments. They felt this would enable them to provide a better service and in the longer term to make their services more efficient
“Like people will say ‘what colour did I have on my hair last time’ or they may say ‘when did I last have my hair cut’…The consent form was created to hold that data.” Other service activities, micro business
- a sole trader photocopied a client’s documents and hand-delivered them to a solicitor. They did this to reassure their client of the security of their personal data. This was a one-off occurrence that would not be viable if it was frequent, due to the time and travel costs involved
- two micro businesses started using client portals to share documents rather than using email, as this was more secure. While not all clients used it, they liked having the option available to clients who are more security conscious
- large business in the Professional, Scientific and Technical activities sector had introduced daily cloud back-ups and weekly updates of cyber security software
12 General views on data protection law
Chapter summary
Overall, smaller (sole traders, micro and small) businesses operating in sectors that are not data heavy had lower awareness of data protection law and felt that it was a burden on smaller businesses. In contrast, smaller businesses operating in sectors such as finance and legal services and larger (medium and large) businesses were more likely to have greater understanding of data protection law.
Awareness of the ICO was low across all business sizes, and smaller businesses in particular only perceived it as a regulatory body rather than a source of information and guidance.
12.1 Smaller business views on data protection law differed depending on sector
Among those that participated, smaller businesses in sectors where data was not perceived to be a critical part of business operations did not have a detailed knowledge of data protection law. Data protection was generally acknowledged as important. However, smaller businesses were often dealing with crises and time-critical demands which meant data protection slipped down their priority list.
Smaller businesses stressed the challenges of having limited financial and staff resources and increased burdens following EU-exit. There was often a disconnection between attitudes towards data protection law as citizens and as businesses. Participants broadly agreed with the trend towards protecting individuals’ data but generally felt it was onerous on smaller businesses:
“Small businesses are too busy fighting fires, spinning multiple plates that sometimes the urgent takes priority over the important… You know data protection is important, but it can slip further and further down the road.” Information and communication, micro business
“Most of us have got other things to worry about that actually impact them day to day, and if there is something that might impact in the future versus something that’s impacting now, it’s the latter that gets the attention.” Information and communication, micro business
Smaller businesses were generally aware of major changes following GDPR but did not know of recent changes and did not consider themselves experts. They felt that there was a certain amount of ‘common sense’ required in applying data protection law. Smaller businesses often expected trade and sector bodies to promote and provide clear information on changes to the law if they were important.
“The principle seems simple enough. People’s data is fundamentally their data. People out there would like their data, so we need to provide a barrier to prevent them getting it.” Information and communication, micro business
However, some smaller businesses that participated were knowledgeable about data protection law, and these tended to be more conscientious about ensuring they had appropriate data protection processes in place. These smaller businesses were usually in sectors which handled large volumes of data, or where data was central to their business.
One micro business worked in compliance consultancy, and while anecdotal, their feedback was that they were alarmed by the lack of understanding of data protection law among their clients. They explained that many of the businesses they advised often did not consider employee data when thinking about data processing obligations.
Among these businesses there appeared to be a relationship between knowledge and attitudes towards data protection law: businesses with more knowledge were more conscientious and more likely to take data protection seriously.
12.2 Awareness of the ICO was low among smaller businesses
There was generally low awareness of the Information Commissioner’s Office (ICO) among smaller businesses that participated. Their awareness was limited to knowing that the ICO is the body that deals with breaches of data protection law. Smaller businesses expressed reservations about contacting the ICO proactively for fear of being found to be non-compliant. Several thought the ICO should be responsible for sending updates.
“I know it exists, I know it has never been in touch with us as a business, I don’t know if it provides a guidance service… we all know that if there’s a breach of data that that’s the organisation that will go in and conduct an audit and tell them where they’ve gone wrong and fine them but I don’t know how it would support me.” Professional, scientific and technical activities, micro business
The few smaller businesses that were aware of ICO guidance described the ICO website as text-heavy and that the detailed information made them feel anxious rather than more well-informed. Words used during interviews included ‘long-winded’ and ‘terrifying’.
There was a perception among smaller businesses that participated that the ICO does not tailor advice or think about the needs of smaller businesses. Some were critical of what they perceived as a ‘one size fits all’ approach to data protection requirements, making these unfairly burdensome on smaller businesses.
Some smaller businesses were also critical that the only contact that they had with the ICO was paying an annual fee for a certificate. They were also critical as they felt that they did not receive proactive communications from the ICO:
“I get a bill and not much else.” Transportation and storage, sole trader
Only one micro business was positive about the ICO information. This was a business that provided services to help financial services businesses be compliant with the Financial Conduct Authority and GDPR regulation.
They explained that the search tool on the ICO website is effective for those who are knowledgeable about data protection but is difficult to navigate for non-experts so would not be useful for businesses without an in-depth knowledge of data processing and protection. They explained that they often have to support their clients in navigating the ICO website to help them find the information they need.
“The search facility is good, but you don’t know what you don’t know so it isn’t always useful.” Professional, scientific and technical activities, micro business
There was generally a strong desire for better communications on data protection requirements for smaller businesses among those that participated. They desired clear, concise, easy to digest, bite-sized and sector specific relevant information. There was a strong message about how challenging it can be for small businesses to understand complex legislation, and that if unclear, guidance is very difficult to implement.
“For small businesses in particular, there is a need for information on data protection to be more transparent with easy-to-follow guidelines… If you set the bar unrealistically high, some small businesses won’t even try to comply.” Information and communication, micro business
“Often just one person dealing with everything…. be very clear on what it is we have to do, not just general ‘this is what business needs to do’… there is a big difference between, say, Tesco and a business like us… We need tailored advice… otherwise it’s hard to work out what’s relevant.” Administrative and support service activities, micro business
“Not everyone is a huge company… we haven’t got the resources, funds, time, we don’t have a legal department. There is only so much you can implement that staff can understand… it needs to be fit for purpose and can be understood by people without degrees…” Administrative and support service activities, micro business
Several businesses suggested that information could be promoted via trade bodies, or directly via email from the ICO. However, smaller businesses were very clear that if it was not tailored, short, and accessible, they would not read it:
“I do find the ICO information quite long-winded. I have not got the time to read it. My feedback would be to keep the information short and snappy. Keep points in bullets.” Human health and social work activities, sole trader
12.3 Larger businesses generally felt that they had good knowledge of data protection law but were not that familiar with the ICO
Larger businesses among those that participated generally felt that they had a good level of knowledge about data protection. They also tended to favour having strong data protection laws. They generally spoke positively about the strength of UK data protection law and felt that this was needed.
A few larger businesses felt positively about UK regulations compared with US regulation, which they perceived as not as robust. They felt that strong legislation sets the ‘moral tone’ for the way businesses treat customer and employee data. They raised concerns about the ease with which businesses in the US could profit from selling health data.
Several larger businesses explained that they felt data protection law would soon need to be strengthened further, particularly with the rapid development of Artificial Intelligence. A few larger businesses, however, explained that while they felt their knowledge of the law was strong, sometimes there were challenges getting senior management to take data protection as seriously as they should and to make the appropriate level of investment.
Larger businesses were generally not aware of recent changes to data protection law. They explained keeping up to date on changes was generally under the remit of their legal teams. This meant that they expected their lawyers to pass relevant information on to them.
Larger businesses were generally not very familiar with the ICO, and those that were had mixed views on the ICO as a source of guidance. Some had heard of the ICO as a regulatory body but had not had any contact with it.
The larger businesses that had contacted the ICO for advice felt that its quality was variable and depended on who they spoke to. One larger business said that the chat function helpdesk had not helped them get quick answers to queries.
“[ICO guidance is] really wordy. There’s not many pictures or flowcharts that can make things easy. You have to spend a lot of time trying to find the information that you need. When you find it, I think you can find an answer. I’ve not really ever been able to get what I need quickly.” Education, large business
“Like any of these helpline services, it depends who you get.” Professional, scientific and technical activities, large business
13 Conclusion
This research investigated the perspectives and experiences of UK businesses that had completed activities over the last 12 months to comply with UK data protection laws. This was to get a better understanding of the impact that responding to policy changes is having on businesses.
The key conclusions are presented below with business size and sector being key factors that drove business approach.
Awareness and proactivity
Levels of awareness and proactivity differed by business size among businesses that participated. The following key findings were identified among smaller (sole traders, micro and small) businesses:
- smaller businesses, particularly sole traders, and micro businesses, generally demonstrated low awareness of data protection requirements
- smaller businesses often perceived data processing rules as a compliance burden rather than a business opportunity
- a general lack of awareness among smaller businesses, coupled with limited resources, resulted in a reactive approach to data protection, driven primarily by digitisation efforts or specific incidents
In contrast, the following key findings were identified among larger (medium and large) businesses:
- larger businesses generally had higher levels of awareness and understanding of data processing responsibilities
- larger businesses often had formal data protection structures, processes, and dedicated personnel, such as Data Protection Officers (DPOs)
- however, even within these larger businesses, securing internal investment in data protection remained a challenge for some DPOs
Reliance on third-party expertise
There tended to be reliance on third-party expertise, particularly among smaller businesses:
- smaller businesses often relied on third-party providers for expertise and services related to data protection
- smaller businesses' reliance often stemmed from outsourced IT services, which often included data protection measures
- while this reliance on third parties offered a practical solution for some, it also meant that businesses were not always directly involved in ensuring data processing compliance
- trade bodies played an important role in providing trusted information and support to smaller businesses on data protection and cyber security
- trade bodies offered tailored guidance, templates, and recommendations, proving particularly valuable for resource-constrained smaller businesses
Drivers for change
Businesses tended to be reactive regardless of business size, but there were some sectoral differences:
- across all business sizes, a reactive approach to data protection was prevalent
- compliance obligations and data breaches, either experienced directly or observed in similar businesses, were key drivers for implementing changes
- businesses operating with limited data or those for whom data was not central to their operations were less proactive in their approach
- in contrast, businesses in data-rich sectors, such as technology, legal, and finance, tended to be more proactive, viewing robust data protection as integral to their professional standing
Impact of certification, resource constraints and communication preferences
Certification had an impact but limited time and resources were challenges:
- businesses that had obtained ISO certification reported a considerable positive impact on their data processing practices
- businesses with ISO certification perceived this certification as a competitive advantage, particularly when bidding for large tenders
- smaller businesses consistently emphasised their limited time and resources and highlighted the need for tailored, specific, and concise communications regarding data protection
Annex 1: Sample and topic guide
Participant sample
The final composition of the research sample is outlined below.
Eighty qualitative in-depth interviews were conducted with UK businesses between February and April 2024. Interviews covered a range of data protection topics based on the actions that businesses had taken to comply with UK data protection laws in the last 12 months. Interviews with businesses were conducted via Microsoft Teams or telephone and lasted between 45 to 60 minutes each.
Table 1 provides an overview of the data protection topics covered in each business interview. This was allocated depending on business response to the following 2024 UKBDS survey question: “has your business done any of the following in the last 12 months to comply with UK data protection laws?”
Table 1: data protection topic covered in each business interview
Data protection topic | Interviews completed |
---|---|
Responded to Subject Access Requests in the last 12 months to comply with UK data protection laws | 8 |
Employed staff or outsourced to specialist staff to handle data protection requirements, either full time or as part of their role in the last 12 months to comply with UK data protection laws | 8 |
Sought legal advice in the last 12 months to comply with UK data protection laws | 7 |
Ran training and upskilling activities in the last 12 months to comply with UK data protection laws | 11 |
Introduced new processes to implement data protection measures in the last 12 months to comply with UK data protection laws | 10 |
Introduced opt-in consent mechanisms in the last 12 months to comply with UK data protection laws | 7 |
Rewritten or updated Terms and Conditions (T&Cs) in the last 12 months to comply with UK data protection laws | 8 |
Rewritten, updated or introduced a privacy notice in the last 12 months to comply with UK data protection laws | 8 |
Updated cookie management and tracking technologies used by the business in the last 12 months to comply with UK data protection laws | 6 |
Purchased specialist software for data protection in the last 12 months to comply with UK data protection laws | 5 |
Other behaviour to comply with data protection law in the last 12 months / general views on data protection law | 8 |
General views on data protection law | 60 |
Note: Interviews completed do not add up to 80 because respondents were interviewed on multiple topics.
Table 2 shows business sector of participating businesses:
Business sector | Interviews completed |
---|---|
C: Manufacturing | 6 |
F: Construction | 5 |
G: Wholesale and retail trade; repair of motor vehicles and motorcycles | 3 |
H: Transportation and storage | 1 |
I: Accommodation and food service activities | 5 |
J: Information and communication | 8 |
K: Financial and insurance activities | 4 |
L: Real estate activities | 4 |
M: Professional, scientific and technical activities | 20 |
N: Administrative and support service activities | 8 |
P: Education | 6 |
Q: Human health and social work activities | 7 |
R: Arts, entertainment and recreation | 1 |
S: Other service activities | 2 |
Table 3 shows business location of participating businesses:
Business location | Interviews completed |
---|---|
England | 67 |
Scotland | 8 |
Wales | 1 |
Northern Ireland | 4 |
Table 4 shows business size of participating businesses:
Business size | Interviews completed |
---|---|
Zero – Sole trader | 16 |
Micro (1 to 9 employees) | 42 |
Small (10 to 49 employees) | 9 |
Medium (50 to 249 employees) | 5 |
Large (more than 250 employees) | 8 |
Table 5 shows business turnover of participating businesses:
Business turnover | Interviews completed |
---|---|
Less than £9,999 | 2 |
£10,000 to 49,999 | 10 |
£50,000 to 99,999 | 6 |
£100,000 to 249,999 | 13 |
£250,000 to 499,999 | 14 |
£500,000 to 999,999 | 3 |
£1 million to £4,999,999 | 12 |
£5 million to £9,999,999 | 2 |
More than £10 million | 12 |
Preferred not to say | 6 |
Depth interview topic guide
Introduction 2 to 3 mins
Introduce yourself and Ipsos: My name is MODERATOR TO ADD NAME and I am a researcher working for Ipsos, an independent research organisation.
Explain research: The Department for Science, Innovation and Technology (DSIT) has commissioned Ipsos to carry out this study which involves talking with UK businesses to get a better understanding of their perception and understanding of data protection law. This topic was also covered in the 2023 UK Business Data Survey which you or someone in your organisation has responded to. This interview will provide an opportunity to discuss the issue in more detail.
The interview: The discussion will be informal. There are no right or wrong answers.
Explain confidentiality: The contents of our discussion are completely confidential, and all findings are reported on anonymously. This means that no identifiable information will be shared with the Department for Science, Innovation and Technology or any other parties.
Explain payment for participation. You will receive £60 as either a shopping voucher or charity donation as a thank you for your time. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)
Explain voluntary participation: If you wish to end the discussion at any time, please let me know. Your participation in this research is voluntary.
Length of the interview: This discussion will last a maximum of 60 minutes.
Questions: Do you have any questions before we begin?
Consent to audio record: I would like to record our discussion as this helps with making notes and analysis. Recordings are used only for analysis purposes and are stored securely and deleted 12 months after the interview takes place.
MODERATOR TO TURN ON RECORDING
GDPR added consent (MODERATOR TO ASK ONCE RECORDER IS ON)
Ipsos’s legal basis for processing your data is your consent to take part in this research. Your participation is voluntary. You can withdraw your consent for your data to be used at any point before, during or after the interview and before data is anonymised at the end of June 2024.
Can I check that you are happy to proceed?
Business background – ASK ALL 3 to 5 mins
To start our discussion, I would like to spend a few minutes understanding your business in a bit more detail.
Firstly, please could you briefly describe your business?
- How long has the business been operating?
- What does the business do?
- How would you describe the size and structure of the business?
Could you briefly describe your role within the business?
- How long have you been working in this business?
- What are your responsibilities?
Subject Access Requests – MODULAR 18 to 20 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE WHO RECEIVED SUBJECT ACCESS REQUESTS.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that your business has received Subject Access Requests in the last 12 months. I would now like to discuss Subject Access Requests with you.
OPEN BROAD QUESTION: Can you please describe the process of responding to Subject Access Requests in your business?
- What is the nature of these processes? For example, are they largely automated? If not, are there formalised processes, or informal / manual processes?
- [Thinking about the un-automated parts of the process] How have these processes been developed in your business?
What, if any, automated processes does your business have to respond to Subject Access Requests?
IF YES:
- Why do you have automated processes?
- Who set them up?
- What, if any, manual input do they require?
IF NO:
- Why has your business not chosen to have automated processes?
Who responds to Subject Access Requests in your business?
- Why do they have the role of responding?
- How much of their time is spent on this? Can you please estimate the number of hours per subject access request?
- IF NOT ALREADY MENTIONED: Does your business have dedicated staff for responding to Subject Access Requests? How much of their time is to do this?
- IF NO DEDICATED STAFF: How does this process work?
- Can you please tell me or estimate the typical time between a SAR coming in and a response going to the requester in days?
How long does it generally take to respond to Subject Access Requests?
- Is this a completely manual, partially automated, or completely automated process?
- Why does it take this long?
- What is the longest time it has taken? Why did it take this long?
How would you categorise the number of Subject Access Requests your business receives in any one year?
- Less than one a year
- One Subject Access Request?
- Multiple Subject Access Requests from multiple individuals?
- Bulk Subject Access Requests? That is a company acting on behalf of lots of data subjects at a time.
- IF ONE SUBJECT ACCESS REQUEST:
- What was the data subject or person acting on their behalf wanting data on? MODERATOR NOTE: Try to find out if it was someone acting on their behalf
- Why was there a request?
- What was the motivation behind the request?
- How did your business respond? Who was involved?
- What, if any, follow up was there to the answer that your business provided?
IF MULTIPLE SUBJECT ACCESS REQUESTS FROM MULTIPLE INDIVIDUALS:
- How many Subject Access Requests were submitted?
- Were they from the same individuals submitting them or were they all different?
- How, if at all, did they vary?
- Why were there requests?
- What was the motivation behind the request?
- How long did they take to respond to? How, if at all, did this vary?
- How did your business respond? Who was involved?
- What, if any, follow up was there to the answer that your business provided?
IF BULK SUBJECT ACCESS REQUESTS:
- Can you please tell me about the kinds of organisations that submit these groups of Subject Access Requests?
- How does your business handle them? For example, are all of them answered or rejected? Why?
- IF REJECTED: What reason did your organisation give when the Subject Access Request was rejected?
What, if any, instances have there been where Subject Access Request responses were thought to be unsatisfactory by those who submitted them?
IF THERE WERE INSTANCES:
- Why were they considered to be unsatisfactory?
- How did you respond to this?
- Did you feel comfortable with your rights to reject and or not reply to Subject Access Requests? Why / why not?
- Does your business have an internal arbitration arrangement for complaints about the outcome or response to a Subject Access Requests?
- IF YES: Can you tell me more about this? How often is it used?
- IF YES: Which, if any, were sent to the Information Commissioner’s Office for arbitration? Why was this? How much additional resource was required for this?
OPEN BROAD QUESTION: What are your thoughts overall on Subject Access Requests?
- Why do you say this?
- What are the advantages and disadvantages of the current requirements around Subject Access Requests?
- What is the impact on your business of the current requirements?
- Which aspects of the requirements are more straightforward for your business to meet? Why?
- Have you noticed a change in the nature of SARs over the last 5 years? PROBE ON:
- Has their overall volume increased / decreased?
- Have they become more targeted or are they general? Are they about particular topics? If so, which ones?
- Do you know why this is the case?
- Which aspects of the requirements are less straightforward for your business to meet? Why?
- Is your business planning to change anything about how it deals with Subject Access Requests in the next year?
- Have you looked at the guidance on Subject Access Requests from the Information Commissioner’s Office? IF YES: What did you think of it? Was it helpful or unhelpful, useful or not useful? Why / why not?
Employing staff and outsourcing to specialist staff – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT EMPLOY STAFF OR OUTSOURCED TO SPECIALIST STAFF.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that your business employed staff or outsourced to specialist staff to handle data protection requirements, either full time or as part of their role in the last 12 months to comply with UK data protection laws. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about the in-house employed staff that your business has to handle data protection requirements, either full time or as part of their role?
- How many of these employed staff does your business have?
- What is the cost to your business of employing these staff?
- What type of employment are they in? For example, fulltime or part-time? Why?
- What, if any, awareness do they have about data protection law generally?
- What, if any, training have they completed? Is this internal training such as on the job training or external training such as that which is covered in training packages?
- What types of activities do they do? PROMPT AFTER A SPONTANEOUS RESPONSE HAS EMERGED:
- Dealing with Subject Access Requests and managing any internal arbitration process
- Learning about GDPR and other data protection law / supporting the compliance or activities of others in the business / other internal legal advice
- Ensuring appropriate processes are in place for collecting, storing, analysing, sharing or any other type of processing as well as writing or advising on data protection impact assessments
OPEN BROAD QUESTION: Can you please tell me about the outsourced specialist staff that handle data protection requirements, either full time or as part of their role for your business?
- How many outsourced specialist staff does your business have?
- How long have they been working with your business?
- What type of employment are they in? For example, fulltime or part-time? Why?
- What, if any, awareness do they have about data protection law?
- What, if any, training do they have? Is this internal training such as on the job training or external training such as that which is covered in training packages?
- What types of activities do they do? PROMPT AFTER A SPONTANEOUS RESPONSE HAS EMERGED:
- Dealing with Subject Access Requests and managing any internal arbitration process
- Learning about GDPR and other data protection law
- Ensuring appropriate processes are in place for collecting, storing, analysing, sharing or any other type of processing as well as writing or advising on data protection impact assessments
- What is the cost to your business of employing these staff?
- Why hasn’t your business brought these staff in-house?
- What, if anything, would need to change for the business to stop outsourcing to specialist staff? PROMPT AFTER A SPONTANEOUS RESPONSE HAS EMERGED: More experienced in-house staff?
ONLY THOSE THAT DO NOT EMPLOY IN-HOUSE SPECIALIST STAFF: Can you please tell me why your business has chosen to outsource the handling of data protection requirements to specialist staff?
- Who was involved in this decision?
- What are the advantages / disadvantages of managing data protection without in-house specialist staff?
- What, if any, difference would having in-house specialist staff make to your ability to manage data protection requirements?
ONLY THOSE THAT EMPLOY IN-HOUSE SPECIALIST STAFF: Can you please tell me why your business has chosen not to outsource the handling of data protection requirements to specialist staff?
- Who was involved in this decision?
- What are the advantages / disadvantages of outsourcing to specialist staff?
- What, if any, difference has having in-house specialist staff made to your ability to manage data protection requirements?
Sought legal advice – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE WHO SOUGHT LEGAL ADVICE.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that your business sought legal advice in the last 12 months to comply with UK data protection laws. I would now like to discuss this with you.
Why did your business seek legal advice?
WAIT FOR SPONTANEOUS REASONS TO EMERGE AND THEN PROBE WITH:
- What were the main reasons you sought this advice?
- What sort of knowledge or skills were you hoping to benefit from?
OPEN BROAD QUESTION: Can you please tell me about the legal advice that your business sought in the last 12 months to comply with UK data protection laws?
MODERATOR NOTE: If the business has sought legal advice on multiple occasions, then focus on the most recent, or only the time that they needed the most support, or only the time that made the biggest difference to their business.
Has your business looked for generic advice on how data protection law operates, and/or for specific legal advice on, for example, a particular contract, a piece of data processing, or a product such as online data processing?
- How did you go about identifying the right legal advice?
- What type of legal expertise did your business consult? For example, was it internal legal expertise, external legal expertise, generic resources, from the Information Commissioner’s Office? What drove the decision behind this?
- How easy or difficult was it to access this?
- What was the length and duration of the advice given?
OPEN BROAD QUESTION: What was your experience of seeking this legal advice?
- How helpful or unhelpful was this legal advice? Why?
- What impact did accessing this legal advice have on your business?
- What impact did this have on your ability to manage data protection requirements?
- ONLY FOR THOSE WHO SOUGHT LEGAL ADVICE EXTERNALLY: What are the advantages / disadvantages of hiring legal expertise?
- What would have been the impact if you had not done so?
- What, if any, cost such as financial cost was there for your business?
OPEN BROAD QUESTION: To what extent, if any, has seeking legal advice led to increased understanding of data protection law within your business?
- In what way?
- What, if any, impact has this had on the likelihood that your business will need to seek legal advice in the future? Why?
- Do you think you will need to seek similar legal advice concerning data protection law in the future? Why / why not?
Run training and upskilling activities – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE WHO RUN TRAINING FOR EXISTING STAFF.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that your business ran training for existing staff in the last 12 months to comply with UK data protection laws. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about the training that your business ran in the last 12 months to comply with UK data protection laws?
- Who was this training for? For example, was it for all members of staff?
- What type of training was this?
- What was the purpose of this training?
- Who developed and/or provided this training? For example, someone within the business or someone external to the business.
- What was the duration of this training?
- Was this the first time the training was run? How, if at all, is this training refreshed? How often? Why?
OPEN BROAD QUESTION: How useful was this training for your business?
To what extent did this training support your business to comply with data protection laws?
- Why do you say this?
- What, if any, impact did this have? Explore:
- On your business’s ability to manage data protection requirements?
- On your/attendees’ knowledge and skills?
- What have been the advantages and disadvantages of this training?
- In your view, what would have been the outcome if you had not undertaken this training?
- What do you think will be the longer-term impacts of this training?
- What are these?
- To what extent has the training:
- Helped to embed learning?
- Initiated wider change within your organisation?
- Increased knowledge?
What recent changes, if any, have there been to the training for those in specialist data protection roles within your business?
- Why were changes made recently?
- What, if any, impact did this have? Why?
What, if any, changes have there been to the training for general members of staff within your business?
- Why were changes made?
- What, if any, impact did this have? Why?
Introduced new processes to implement data protection measures – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT INTRODUCED NEW PROCESSES TO IMPLEMENT DATA PROTECTION MEASURES.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that your business introduced new processes to implement data protection measures in the last 12 months to comply with UK data protection laws. For example, producing a record of data processing activities, implementing data retention policies, or cyber-security measures. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about the new processes to implement data protection measures that your business has introduced in the last 12 months to comply with UK data protection laws?
- Which processes have been introduced? In what ways was data processed, and how does the new process change that?
- What were the reasons for introducing these?
What, if any, new processes did your business introduce for recording data processing activities?
- What types of data processing activities were happening (data collection, storing, analysis, selling, deleting)
- Why were the new processes introduced?
- What processes were in place for recording this kind of data processing activity before?
Which data processing activities are recorded?
- Why are they recorded?
- What, if any, tests does your business use to judge whether data processing needs recording? Why?
- Where are records kept?
- Who can access these records?
- Can you tell me of any occasions where you have been audited or needed records?
- What is the impact on your business of recording data processing activities?
What costs are involved? WAIT FOR SPONTANEOUS REASONS TO EMERGE AND THEN PROBE WITH:
- Staff time
- New IT or other infrastructure
Which other new policies has your business introduced? For example, data retention or cyber-security policies. For each:
- Why were they introduced?
- What, if any, impact did the changes have? Why?
- What have been the advantages and disadvantages of introducing these?
- What costs were involved?
- What would have been the impact of not introducing these changes?
Introduced opt-in consent mechanisms – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT INTRODUCED OPT-IN CONSENT MECHANISMS.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that in the last 12 months to comply with UK data protection laws your business had introduced opt-in mechanisms. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about your business introducing opt-in consent mechanisms in the last 12 months to comply with UK data protection laws?
- What were these changes?
- Why were these changes made?
- What was the impact of making this change?
- What, if any, resource was needed to make these changes?
OPEN BROAD QUESTION: What do you think of these changes now that they have been made?
- Are they fit for purpose? Why / why not?
- How, if at all, will these changes remain up to date? WAIT FOR SPONTANEOUS RESPONSES TO EMERGE FIRST AND THEN PROMPT WITH: For example, will they be reviewed as a matter of course or only in response to events such as law change or a change in data use.
- What, if any, impact have they had? Why?
- What were the advantages and disadvantages of this?
- What were the costs involved?
- What would have been the impact of not making this change?
Rewritten or updated terms and conditions – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT HAD REWRITTEN OR UPDATED TERMS AND CONDITIONS.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that in the last 12 months to comply with UK data protection laws your business had rewritten or updated terms and conditions. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about your business rewriting or updating terms and conditions in the last 12 months to comply with UK data protection laws?
- What were these changes?
- Why were these changes made?
- What was the impact of making this change?
- What, if any, resource was needed to make these changes?
OPEN BROAD QUESTION: What do you think of these changes now that they have been made?
- Are they fit for purpose? Why / why not?
- How, if at all, will these changes remain up to date? WAIT FOR SPONTANEOUS RESPONSES TO EMERGE FIRST AND THEN PROMPT WITH: For example, will they be reviewed as a matter of course or only in response to events such as law change or a change in data use.
- What, if any, impact have they had? Why?
- What were the advantages and disadvantages of this?
- What were the costs involved?
- What would have been the impact of not making this change?
Rewritten, updated or introduced a privacy notice – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT HAD REWRITTEN, UPDATED OR INTRODUCED A PRIVACY NOTICE.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that in the last 12 months to comply with UK data protection laws your business had rewritten, updated or introduced a privacy notice. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about your business rewriting, updating, or introducing a privacy notice in the last 12 months to comply with UK data protection laws?
- What were these changes?
- Why were these changes made?
- What was the impact of making this change?
- What, if any, resource was needed to make these changes?
OPEN BROAD QUESTION: What do you think of these changes now that they have been made?
- Are they fit for purpose? Why / why not?
- How, if at all, will these changes remain up to date? WAIT FOR SPONTANEOUS RESPONSES TO EMERGE FIRST AND THEN PROMPT WITH: For example, will they be reviewed as a matter of course or only in response to events such as law change or a change in data use.
- What, if any, impact have they had? Why?
- What were the advantages and disadvantages of this?
- What were the costs involved?
- What would have been the impact of not making this change?
Updated how you manage cookies and tracking technologies used by your business – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT UPDATED HOW THEY MANAGE COOKIES AND TRACKING TECHNOLOGIES.
Prior to this interview taking place whilst we were checking your eligibility to participate in this research you confirmed that in the last 12 months to comply with UK data protection laws your business had updated how you manage cookies and tracking technologies used by your business. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about your business updating how you manage cookies and tracking technologies in the last 12 months to comply with UK data protection laws?
- What were these changes?
- Why were these changes made?
- What was the impact of making this change?
- What, if any, resource was needed to make these changes?
OPEN BROAD QUESTION: What do you think of these changes now that they have been made?
- Are they fit for purpose? Why / why not?
- How, if at all, will these changes remain up to date? WAIT FOR SPONTANEOUS RESPONSES TO EMERGE FIRST AND THEN PROMPT WITH: For example, will they be reviewed as a matter of course or only in response to events such as law change or a change in data use.
- What, if any, impact have they had? Why?
- What were the advantages and disadvantages of this?
- What were the costs involved?
- What would have been the impact of not making this change?
Purchased specialist software for data protection – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT PURCHASED SPECIALIST SOFTWARE FOR DATA PROTECTION.
Prior to this interview taking place, whilst we were checking your eligibility to participate in this research, you confirmed that your business purchased specialist software for data protection in the last 12 months to comply with UK data protection laws. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about the specialist software for data protection that your business purchased in the last 12 months to comply with UK data protection laws?
MODERATOR NOTE: IF MULTIPLE NEW TYPES OF SOFTWARE / HARDWARE ARE MENTIONED, GO THROUGH THESE QUESTIONS FOR EACH. IF MORE THAN TWO, TALK ABOUT THE TWO MOST EXPENSIVE.
What was purchased? WAIT FOR SPONTANEOUS RESPONSES TO EMERGE FIRST AND THEN PROMPT WITH: For example:
- Servers for data storage in the UK, European Union or somewhere else
- Software changes such as buying or developing a case management system, or some kind of automated Subject Access Request response system
- Case management system
- Any other hardware or software?
- What, if any, business need did buying this software serve?
At what, if any, cost did this come for the business? WAIT FOR SPONTANEOUS RESPONSES TO EMERGE FIRST AND THEN PROMPT WITH:
- The immediate financial cost of buying software / hardware
- Staff time researching which software / hardware to buy as well as familiarising themselves with it
- Any training costs for staff
What, if any, impact has purchasing this specialist software / hardware for data protection had on your business?
- Why has it had this impact?
- What were the advantages and disadvantages of this?
- What would have been the impact of not making this change?
Other behaviour done to comply with UK data protection law – MODULAR 7 to 10 mins
MODERATOR NOTE: CHECK COLUMN X IN THE RESPONDENT PROFILE AND ONLY ASK THESE QUESTIONS TO THOSE THAT DID OTHER.
Prior to this interview taking place, whilst we were checking your eligibility to participate in this research, you told us that your business did MODERATOR TO INSERT to comply with UK data protection laws. I would now like to discuss this with you.
OPEN BROAD QUESTION: Can you please tell me about MODERATOR TO INSERT that your business introduced / did to comply with UK data protection laws?
- Why was this activity introduced?
OPEN BROAD QUESTION: Can you please tell me about your experience of introducing this?
- How was it introduced?
- What was your experience of introducing this?
- What, if any, challenges did your business encounter when introducing this?
OPEN BROAD QUESTION: Can you please tell me about the impact of introducing this?
- Why do you think this?
- Was this helpful or unhelpful? Why?
- What, if any, impact have they had? Why?
- What were the advantages and disadvantages of this?
- What were the costs involved?
- What would have been the impact of not making this change?
General views on data protection law – MODULAR 7 to 10 mins
OPEN BROAD QUESTION: How would you describe your overall understanding of data protection law?
- Why have you described your understanding in this way?
Do you feel other businesses of your size, in your sector understand data protection law well?
- Why do you feel this way?
OPEN BROAD QUESTION: What are your thoughts on current data protection laws?
- Why do you think this?
- Do you think they are strong enough, too strong or require further strengthening? Why? / Why not?
- Which aspects work well / less well?
- What would be the impact for your business of any strengthening of data protection laws?
What are your thoughts on current data protection laws giving citizens rights such as finding out about data a business holds on them, for example through Subject Access Requests?
- Why do you think this?
- Do you think they are strong enough, or do they require further strengthening? Why? / Why not?
What are your thoughts on the rights current data protection laws give to businesses, such as rights about processing data for legitimate requests?
- Why do you think this?
- Do you think they are strong enough, or do they require further strengthening? Why? / Why not?
Are you aware of any recent changes to the data protection law?
- What are these changes?
- How did you find out about these changes?
- What do you think about these changes? Why?
Are you familiar with any new guidance that has been provided to help comply with data protection law?
- What was this guidance?
- How did you find out about this guidance?
- What, if any, thoughts do you have on this guidance?
Can you share your general views or impressions about data protection laws beyond their specific costs or benefits?
- Why do you think this?
Are you aware of the Information Commissioner’s Office and their role in regulating and enforcing data protection legislation in the UK?
IF YES:
- How aware of this are you?
- What led to you finding this out?
- How familiar, if at all, are you with the resources and services they provide? PROBE WITH THE FOLLOWING AFTER SPONTANEOUS RESPONSES HAVE EMERGED: Innovation advice, business advice services, regulatory sandboxes etc.
IF THEY ARE FAMILIAR:
- How, if at all, have you used these resources?
- What was your experience of using these resources? For example, was it helpful or unhelpful, useful, or not useful? Why / why not?
Wrap up – ASK ALL 2 mins
What is the key thing you would like to feed back to the Department for Science, Innovation and Technology about what we have discussed today?
Is there anything else you’d like to mention that we haven’t had a chance to discuss? The Department for Science, Innovation and Technology may want to do some follow-up research on this subject in the future. Would you be happy to be contacted by DSIT / Ipsos for future research?
INCENTIVE: Thank participant and remind them of confidentiality. Explain that they can get in touch if they have any further comments or questions about the research. Remind them of the £60 shopping voucher or charity donation thank you from Ipsos, as an appreciation for their time and contribution to the research. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)
Annex 2: Glossary and abbreviations
This report uses terminology and abbreviations that are explained below.
Term | Definition |
---|---|
Artificial Intelligence (AI) | Artificial intelligence (AI) refers to computer systems capable of performing complex tasks that historically only a human could do, such as reasoning, making decisions, or solving problems. |
Cloud | The cloud refers to servers that are accessed over the Internet, and the software and databases that run on those servers. Cloud servers are in data centres all over the world. By using cloud computing, users and businesses do not have to manage physical servers themselves or run software applications on their own machines. |
Cookies | Cookies are small text files that a website can place on the connected devices, such as computers or mobile phones, of the people who access it. They uniquely identify a user and store information which a business can use to personalise the user’s experience. |
Cyber Essentials | Cyber Essentials is a government backed certification scheme that helps protect businesses, whatever their size, against a range of the most common cyber-attacks. A self-assessment option gives businesses protection against a variety of the most common cyber-attacks. |
Cyber Essentials Plus | Cyber Essentials Plus covers the same controls as Cyber Essentials, but the controls are additionally checked through independent, hands-on technical verification rather than self-assessment alone. |
Data Protection Officer (DPO) | A Data Protection Officer (DPO) monitors and ensures compliance with UK GDPR and other data protection laws. |
Department for Science, Innovation and Technology (DSIT) | The Department for Science, Innovation and Technology (DSIT) is responsible for helping to encourage, develop and manage the UK’s scientific, research, and technological outputs. DSIT is also responsible for managing the necessary physical and digital infrastructure and regulation to support the British economy, UK public services, national security, and wider UK Government priorities. |
European Union (EU) | The EU countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. |
Information Commissioner’s Office (ICO) | The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is an executive non-departmental public body, sponsored by the Department for Science, Innovation and Technology. |
Large business | A business with more than 250 employees. |
Larger businesses | This refers to medium and large businesses with more than 49 employees. |
Medium business | A business with 50 to 249 employees. |
Micro business | A business with 1 to 9 employees. |
Privacy notice | A privacy notice is a document that outlines an organisation’s practices concerning the collection, use, and safeguarding of personal data. It serves as a transparent communication channel between the organisation and individuals whose data it processes. |
Sole trader | A sole trader is a type of business in which one person owns and operates the business. |
Small business | A business with 10 to 49 employees. |
Smaller businesses | This refers to sole traders, micro businesses, and small businesses with up to 49 employees. |
Subject Access Request (SAR) | A Subject Access Request (SAR) is a request made by, or on behalf of, an individual to an organisation to access the personal data that the organisation holds about them. Individuals are entitled to ask for this information under Article 15 of the UK GDPR. |
Terms and Conditions (T&Cs) | Terms and Conditions (T&Cs) constitute a legal agreement between a business and its customers. It sets out what customers can expect from a business, as well as what the business expects from its customers. |
Two-factor authentication | Two-factor authentication (2FA), or multi-factor authentication (MFA), is an electronic authentication method in which a user is granted access to a network or application only after successfully presenting two or more pieces of evidence to an authentication mechanism (for example, a password and a one-time passcode). |
UK Business Data Survey (UKBDS) | The UK Business Data Survey (UKBDS) is an official statistics publication that has been produced to the standards set out in the Code of Practice for Statistics. It helps the government understand the nature and importance of data use in industry, as well as its potential and realised economic impacts. |
UK General Data Protection Regulation (GDPR) | UK General Data Protection Regulation (GDPR) is a law that sets guidelines for the collection and processing of personal information from individuals. UK GDPR came into effect in May 2018. Participants referred to UK GDPR as ‘GDPR’ in interviews and so throughout this report, ‘GDPR’ is used to mean UK GDPR. |
Annex 3: Further information
The Department for Science, Innovation and Technology would like to thank the following people for their work in the development and carrying out of this research and for their work compiling this report:
- Amrita Sood, Ipsos
- Ruth Fitzell, Ipsos
- Shahil Parmer, Ipsos
This work was carried out in accordance with the requirements of the international quality standard for Market Research, ISO 20252.