UKBDS 2024 Potentially high-risk data processing qualitative research findings

Published 28 January 2025

1 Executive summary

1.1 Introduction

The Department for Science, Innovation and Technology (DSIT) commissioned Ipsos to conduct qualitative research following the quantitative 2024 UK Business Data Survey. The purpose of the research was to explore in more detail attitudes and behaviours relating to the way potentially high-risk personal data processing is dealt with by businesses. Ten qualitative in-depth interviews were conducted with a range of UK businesses in February 2024.

1.2 Overarching findings

Personal data processing activities

Businesses that participated in the research tended to refer to their employee personal data processing activities as high risk. After being presented with information in the interview, some businesses realised that they might be undertaking high-risk data processing activities with cookies.

Although practices varied, businesses identified the importance of keeping personal information stored securely and limiting access. Businesses that collected customer data also talked about storage and ensuring data was anonymised where possible. Activities that were also mentioned frequently were sharing data, restricting access, and data destruction.

The extent to which businesses had a clear understanding of who was the data controller (who controls the purposes and means of the processing of personal data) and data processor (who acts on behalf of the data controller) when dealing with third parties varied. Larger (medium and large) businesses were generally able to discuss this more confidently.

Across the interviews, there was variation in how participants conceived of ‘high risk processing’ and ‘high risk data’.

Larger businesses also had specialist data protection teams and professionals who had responsibility for ensuring data processing procedures were in place and followed. In contrast to larger businesses, smaller (sole traders, micro and small) businesses lacked this specialist expertise, and their approaches to data processing activities were less formalised.

Existing guidance

Levels of awareness of existing guidance from the Information Commissioner’s Office (ICO) for potentially high-risk data processing activities varied. Businesses for which high-risk data processing activities were central to their operations were more familiar with the ICO guidance. However, businesses, irrespective of business size, tended to have some awareness and familiarity with ICO guidance.

This contrasted with the findings from the data protection strand of this research where there was less awareness of the ICO and some reliance on trade bodies and associations who provided guidance and support. This difference may result from the fact that the current strand focuses on businesses that might be carrying out high-risk data processing activities. In 2024, 58% of all businesses say they’ve heard of the ICO and know what it is (UKBDS 2024).

Artificial Intelligence, in particular, was an area of interest for businesses across all sectors and sizes. This was because of the opportunities it might offer, but also the risks entailed and high degree of uncertainty surrounding it.

Future guidance

Businesses generally wanted more guidance on Artificial Intelligence and data processing. They were also very clear in their requests for guidance that is clear, concise, and relevant. They felt that guidance should be tailored to their sector and type of business in terms of size and whether they were business to business, or business to consumer.

Several businesses reported that they would like information to be shared with them rather than having to proactively seek it. Participants from smaller businesses felt that it was important that DSIT and the ICO considered the pressures on small businesses and should be realistic in their expectations of smaller businesses.

This was due to the competing demands and the lack of expertise, resource and time that smaller businesses often faced. Smaller businesses also felt that guidance materials should be designed with smaller businesses in mind.

2 Introduction

2.1 Research context

The 2024 UK Business Data Survey is a telephone and online quantitative study of UK businesses. It focused on the role of digital data in UK businesses, international transfers of data and activities for data protection compliance. The results of the quantitative study can be found here.

Following the quantitative 2024 UK Business Data Survey, the Department for Science, Innovation and Technology (DSIT) commissioned Ipsos to conduct qualitative research. This was to explore some themes in more detail, particularly those that are hard to cover quantitatively in the 2024 UK Business Data Survey.

The purpose of the research was to explore in more detail attitudes and behaviours relating to the way potentially high-risk personal data processing is dealt with.

2.2 Research aims

The aims of this research were to:

  • understand businesses and the personal data processing activities that they undertook
  • explore businesses’ understanding, views and experience of high-risk personal data processing activities
  • explore businesses’ awareness, views, and experience of existing guidance
  • explore businesses’ views towards future guidance needs related to high-risk personal data processing activities

2.3 Methodology

Ipsos conducted 10 qualitative in-depth interviews in February 2024 with UK businesses that had participated in the 2024 UK Business Data Survey. Research was conducted with a range of UK businesses to understand a variety of perspectives on data protection topics.

A recruitment screener was used to confirm eligibility for the research and to ensure a spread of business size, sector, turnover, location, and type of information handled. Refer to annex 1 to this report for a breakdown of subgroups interviewed.

A discussion guide was developed by the Ipsos and DSIT research teams. This was to ensure the relevance of all questions asked. The discussion guide used in interviews with businesses is included in annex 1 to this report.

Interviews with businesses lasted between 45 and 60 minutes and were conducted via Microsoft Teams or telephone. Ipsos provided a ‘thank you’ payment of £60 to businesses either in the form of a charity donation or shopping voucher, dependent upon the participant’s preference.

2.4 How to read this report

Please see the glossary and abbreviations section in annex 2 for full details of the terminology used in this report.

Direct quotes have been included in this report to illustrate and highlight key points and common themes. Where direct quotes are used, they have been anonymised and attributed with the business sector and size.

Business sizes are defined as follows:

  • sole trader
  • micro: business with 1 to 9 employees
  • small: business with 10 to 49 employees
  • medium: business with 50 to 249 employees
  • large: business with more than 250 employees

Please note that 2 or more different participants may have the same information in the attributions for their quotes.

2.5 Interpretation and generalisability of findings

The findings in this report are intended to provide insight into the behaviours, views, and experiences of a range of businesses. By design, the research set out to capture a rich and detailed understanding of different behaviours, views, and experiences. This research did not set out to determine the prevalence of these behaviours, views, and experiences.

Where the report indicates that ‘few’, ‘some’, or ‘many’ businesses experienced or felt something, this is in relation to the research participants only. Findings cannot be considered representative of the entire UK business population and should not be interpreted as generalisable to the entire business population.

3 Understanding businesses that participated and the personal data processing activities that they undertook

Chapter summary

This chapter explains the background of businesses and participants, the personal data processing activities undertaken by businesses and who was responsible for these activities. It also details the role of third parties.

Ten businesses of various sizes participated in the research. Smaller (sole traders, micro or small) businesses had owners or senior managers who were responsible for managing data protection as well as other operational tasks, while larger (medium and large) businesses had dedicated data protection teams. All businesses processed essential personal data, often using third parties. Data protection was prioritised, with secure storage and restricted access.

3.1 Participants from smaller businesses tended to lack a specialism in data protection, whereas those in larger businesses held specialist technical roles

In total, 4 smaller businesses participated in the research. Three businesses were of medium size with between 50 and 249 employees, and 3 were large businesses with 250 or more employees. Most of the businesses handled both personal employee data and digitised personal data, although one only dealt with digitised personal or non-personal employee data. Refer to annex 1 to this report for a breakdown of subgroups interviewed.

Participant role varied, but all held positions of responsibility for data in their business.

Participants from smaller businesses were owners or managing directors and had multiple roles within the business. They identified themselves as not being specialists in data protection and sometimes highlighted at the outset of the interview that they did not have technical knowledge. In contrast, participants from larger businesses were more likely to be in a specialist technical role, for example data protection managers or IT managers.

3.2 Businesses stored employee and customer data securely using restricted access, encryption, and password protection

Participants spontaneously mentioned a range of types of personal data processing their business undertook. Personal data was felt to be anything that could identify a person. Some tended to focus on personal employee data that their human resources (HR) department would hold. This included names, addresses, bank details, passport details, and next of kin details. In a few cases, participants also referenced customer data of a similar type.

Businesses undertook a range of personal data processing activities, depending on their size and sector. Larger businesses tended to use third parties to store this data. Types of personal data mentioned included names, addresses, next of kin details, national insurance numbers, passport details, and bank details.

Handling employee data was considered an essential part of all businesses that participated, as it linked to payroll and salary of employees. Several participants mentioned, without being prompted, that this data was stored securely, demonstrating an understanding of the importance of handling personally identifiable data safely.

These participants reported that they created file locations with restricted access on secure servers and used encryption and password protection to protect this data. A few businesses explained that they used third-party online tools for storing HR information such as Breathe HR.

“From the employee side, we use online HR tools – we use a tool called Breathe HR which loads all data information from the employees and is stored there. We have restricted access and various levels of access to this information. Everything goes in there, date of birth, start date, holidays, emergency contacts, wage information.” Manufacturing, medium business

Two of the larger organisations that participated processed large amounts of personal data. One was a large charity providing support for people with a range of vulnerabilities. The other was an educational trust which considered processing personal data to be central to its role. The educational trust stored, and on occasions shared, highly personal data relating to pupils and their families.

The participant from the educational trust spontaneously mentioned special category personal data and demonstrated a high level of awareness of the sensitivity of this information. They also demonstrated an understanding of the importance of having clear data processing procedures in place.

One larger business that operated across several countries highlighted challenges with data protection around managing data flows internationally. They explained that when data is crossing borders, it can be challenging to track the entire data journey.

3.3 Businesses used trusted third parties for personal data processing activities, but lacked knowledge about their processes

Businesses used third parties for personal data processing activities to varying degrees. Only one organisation, a charity, did not use any third parties for data processing purposes.

Third parties were used for a variety of activities. These activities included storing HR information, managing customer contact information, processing payments, and managing customer facing websites.

A few participants referred to having agreements in place that established who is the data processor and data controller. However, participants were not able to provide a lot of detail on their oversight of the data processing carried out by third parties beyond this.

A few businesses indicated that they trusted third parties to have the correct procedures in place, as data was central to their operations. One larger business highlighted that it could be difficult to keep track of all the data processing carried out by third parties.

“Bearing in mind we are a large company, individuals have a lot of autonomy within the business to take on third parties. But we try and keep a register of them all and rate them against risk.” Professional, scientific and technical activities, large business

4 Businesses’ understanding, views and experience of high-risk personal data processing activities

Chapter summary

This chapter discusses businesses’ understanding of high-risk personal data processing as well as their views towards it. Experience of high-risk personal data processing activities and the role of third parties is also discussed in this chapter.

Larger businesses generally understood data risk better due to their access to specialist expertise. Smaller (sole traders, micro and small) businesses often lacked formal risk assessment processes and were less confident about high-risk data processing. Those in the charity and education sectors had a clearer understanding of what they considered to be potentially high-risk data processing due to their work with vulnerable clients.

Businesses trusted third parties with potentially high-risk data processing but lacked detailed insights into third party processes.

4.1 Large businesses understood data risk better than smaller businesses, and this was influenced by their structure and training

Attitudes to the level of risk associated with personal data processing activities varied; however, there were some common themes among the businesses that participated.

Larger businesses, and organisations that dealt with higher volumes of data or had specialist compliance teams generally had a clearer understanding of which activities constituted high-risk. They conducted regular audits and risk assessments which categorised levels of risk and assessed the extent to which procedures were being followed.

Larger businesses and organisations were also clear on who was responsible for these assessments, as they had data protection and compliance teams.

In contrast, smaller businesses were less likely to have formal processes in place to assess risk, and did not monitor the risk involved in their data processing.

Several participants mentioned that there was a risk of errors, or of policies and frameworks not being properly followed by employees. In particular, this was a risk within larger businesses and organisations where a higher number of staff were dealing with personal data processing activities.

Processing of highly sensitive data was also considered to carry more risk. This was because the consequences of a breach of this data were considered more serious for both individuals and the business.

For example, the two businesses that dealt with high volumes of special category data felt that their level of risk was high. In comparison, smaller businesses that held low volumes of personal data for human resources purposes believed that their level of risk was low.

Whether they had formal procedures or frameworks for assessing risk varied among businesses that participated. However, those that processed higher volumes of sensitive information, or had specialist Data Protection Officers, were more likely to have these in place.

Participant background and data protection training also impacted the extent to which procedures were in place. For example, the sole trader interviewed had a background in policing and had worked with risk analysis matrices in his previous role and applied this experience to his current business. In contrast, smaller businesses and those in the manufacturing sector seemed less mature in their risk assessment approaches.

“I would be fibbing to say we’ve locked the whole thing down and there’s very little risk. We are in the process of understanding the risk right now.” Manufacturing, medium business

4.2 Participants from key sectors had a good understanding of high-risk data processing

Businesses’ understanding of high-risk data processing was related to their sector and the extent to which their business dealt with high-risk data. Participants in some instances were unable to distinguish between handling high-risk data and high-risk data processing activities.

“Anything that is sensitive is very high risk. Anything that identifies an individual or particular aspects of that individual that are not readily available.” Professional, scientific and technical activities, large business

Those working in the charity and education sectors with vulnerable clients clearly understood definitions of high-risk data processing. These participants were also familiar with ICO guidance on high-risk data processing categories. They mentioned activities such as biometric processing for school dinners, processing special category data, and processing data on safeguarding through the Child Protection Online Monitoring Service.

“The largest one is biometric processing for school dinners. We did a Data Protection Impact Assessment. Biometric is always high-risk processing. There is also CCTV and any safeguarding issues we have on the Child Protection Online Monitoring Service. If there is a new provider, we consider high-risk, I look for certain triggers in addition to all of our usual onboarding checks.” Education, large business

Among businesses that participated, smaller businesses were generally less confident in their understanding of high-risk data processing activities. However, participants from smaller businesses who had undergone training tended to have more awareness.

4.3 Businesses trusted third parties to handle high-risk data processing, but lacked detailed insights into how this was done

A range of third parties were involved in the high-risk data processing activities undertaken by businesses. For businesses in the private sector, third parties included banks, contractors, Google Analytics, and website providers. However, participants did not have a thorough understanding of the details of the approach third parties took when handling high-risk data processing.

Businesses expected that third parties would have processes in place to deal with high-risk data processing, and it was evident that businesses placed a great deal of trust in them. This was because they expected that third parties handling large volumes of data would have the specialist knowledge and expertise required. A few participants mentioned that they had agreements in place with third parties, but they were unable to provide any further details.

5 Businesses’ awareness, views, and experience of existing guidance

Chapter summary

This chapter details businesses’ awareness of existing guidance from the Information Commissioner’s Office (ICO) and third parties. It also includes their experiences of using existing guidance and views towards it.

During the lead up to the introduction of GDPR and after its introduction, some businesses had reviewed data protection policies. Businesses consulted guidance from the ICO, National Cyber Security Centre, and sector associations and trade bodies. After being presented with information in the interview, some businesses realised that they might be undertaking high-risk data processing activities with cookies.

Views on the usability of ICO guidance varied. Those familiar with guidance from the ICO and in specialist data protection roles were more positive. Guidance around tracking and Artificial Intelligence stood out to participants due to its increasing use and concerns about it, despite a lack of knowledge and understanding. Some businesses also expressed the need for clear guidance on Artificial Intelligence.

5.1 GDPR triggered some businesses to review their data protection policies. Industry-specific guidance was preferred

Participants generally showed awareness of ICO guidance. This contrasted with the findings from the data protection strand of this research where there was less awareness of the ICO and some reliance on trade bodies and associations who provided guidance and support. A focus on participants from businesses in this strand of the research that might be doing high-risk data processing activities is likely to be a reason for this.

However, fewer participants in this strand of the research were specifically familiar with ICO guidance on data processing activities likely to result in high risk.

Several participants suggested that the introduction of GDPR had triggered a review of data protection policies. They also suggested that they had consulted ICO guidance in detail at this time.

Participants also consulted information from the National Cyber Security Centre relating to cyber security. Information from the International Association of Privacy Professionals, and sector bodies such as the Association of British Insurers and the Recruitment and Employment Confederation was also consulted by participants.

One sole trader spoke highly of emails received from the Association of British Investigators because they were concise and included key information.

“The Association of British Investigators guidance is very useful. The one-man bands could not come to terms with the changeover from Data Protection to GDPR.” Professional, scientific and technical activities, sole trader

Similarly, a participant from a small business in recruitment spoke highly of their trade body’s regular newsletter. The participant explained that they expected any key guidance on data protection relevant to the industry to be included in their trade body’s newsletter.

The participant shared that they would not look to the ICO for guidance in the first instance. This was because they thought of the ICO as the organisation to contact in case of a breach.

“We get legal updates once a month from the Recruitment and Employment Confederation, a newsletter. We keep a close eye on this since Brexit. It does cover data processing, but we’ve not seen anything lately… If there is any new guidance from the newsletter about data processing guidance for companies, we would action those changes.” Administrative and support service activities, small business

Businesses for which high-risk data processing activities were central to their operations were more familiar with the ICO guidance. They were also generally more likely to consult ICO guidance regularly and have direct contact with ICO.

5.2 Businesses that participated mentioned several ways in which they had used ICO guidance

Businesses used ICO guidance to:

  • develop data protection policies
  • develop cookies policies
  • respond appropriately to Subject Access Requests
  • develop privacy notices

Participant views on the usability of the ICO guidance varied. Those who were more familiar with ICO guidance and who held specialist data protection roles, were generally positive.

In contrast, smaller businesses were less likely to have consulted ICO guidance in detail. This was because they had many competing priorities and were less likely to recognise that they were engaging in high-risk data processing activities.

Another source of guidance mentioned by a few businesses was more informal forums. This was based on their perception that they could ask questions freely without fear of consequences such as having their business’s data protection audited by the ICO.

Some smaller businesses reported feeling nervous about interacting directly with the ICO. This was based on their fear of being found to not be following the correct procedures, and the perception that their business could face consequences as a result.

ICO guidance around tracking and Artificial Intelligence as data processing activities likely to result in high risk was of particular interest to participants. Reasons for this included a lack of knowledge and understanding of Artificial Intelligence as well as its increasing use. Concerns about the use of Artificial Intelligence were another reason.

“Artificial Intelligence is becoming a big thing.” Education, large business

Several businesses that used cookies on their website realised during the research interview that they might be undertaking high-risk data processing activities. This was because they had not considered keeping cookies to be a potential form of tracking until this was revealed to them in the course of the research.

“I suppose the tracking item, that is quite broad, and I guess that could encompass just keeping cookies. I need to look into whether our use of cookies would be considered as tracking an individual’s geolocation or behaviour and therefore whether we are doing high risk processing.” Manufacturing, micro business

Businesses generally commented on the rapid rate of technological change. Some felt that they were likely to make more of opportunities to merge and mine data with the help of Artificial Intelligence. However, they felt there was a lack of understanding of Artificial Intelligence and its opportunities and risks. As a result, they expressed a need for clear guidance on this.

6 Businesses’ views towards future guidance

Chapter summary

This chapter details businesses’ views towards future guidance including the nature and content of the guidance.

Businesses desired clear and concise guidance in a digestible format. Guidance should be specific to sector and business size to be helpful. Businesses sought more guidance on Artificial Intelligence due to its rapid advancement and increasing use. They wanted guidance to be sent to them, avoiding the need to search and filter information.

The following themes emerged when businesses were asked about their future guidance needs:

  • businesses wanted more guidance on the use of Artificial Intelligence due to its rapid advancement and increasing use
  • businesses wanted guidance that is clear and concise for it to be as helpful and useful as possible
  • businesses did not want generic guidance and instead expressed that it needed to be tailored to their sector, and size of business to be useful
  • businesses wanted guidance to be sent to them, so that they do not need to search for it, and filter through different sources of information

“Artificial Intelligence is something different from innovative technology, it is a bit wide at the minute. Specifically, I am not aware of any guidance on Artificial Intelligence at the minute. 2025 will see a big increase in Artificial Intelligence for processing purposes.” Education, large business

One business compared the increased use of Artificial Intelligence in business to the introduction of GDPR in 2018. They felt that there was a lot of clear, tailored guidance about the impact of GDPR and what businesses needed to do to be compliant. They expressed that a similar level of guidance was needed to help businesses navigate the increased role of Artificial Intelligence in business.

“With innovative tech and Artificial Intelligence, there are lots of concern and interest in it. [Trade body] ran a forum event recently. It is about educating us about stuff we need to know, rather than us having to go and look for it. It should be something they proactively push. GDPR was important, this is another major change. They need to take a similar approach to educate and inform us as businesses.” Administrative and support service activities, sole trader

However, businesses were clear that generic guidance was not likely to be useful. Although they acknowledged it would be challenging to tailor guidance to their industry, they felt that tailoring was needed to make information useful and accessible.

Businesses suggested visual representations could be useful, for example flow charts, or filtered questions to help reduce the volume of information that a business needed to review.

Participants from smaller (sole traders, micro and small) businesses felt particularly strongly that they need digestible guidance designed with smaller businesses in mind. One small business spoke highly of the Cyber Essentials materials and thought the ICO could learn from these.

“Cyber Essentials, nothing like this for the Information Commissioner’s Office in terms of first steps which is easy to follow. Making things into bite size chunks makes it easier for growing businesses to sensibly be able to deal with it as opposed to dealing with a cliff face and being like ‘where do I even start?’” Information and communication, small business

7 Conclusion

This research conducted on behalf of DSIT investigated business attitudes and behaviours relating to the way high-risk data is dealt with. The key conclusions are presented below:

  • businesses referred to their personal data processing activities and emphasised the importance of secure storage and limiting access of sensitive data
  • businesses reviewed data protection policies after the introduction of GDPR and consulted guidance from various sources such as the Information Commissioner’s Office (ICO) and sector associations and trade bodies
  • larger (medium and large) businesses had a better understanding of data processor and data controller roles when dealing with third parties, and had dedicated data protection teams and professionals
  • across the interviews there was variation in participant perception and understanding of ‘high risk processing’ and ‘high risk data’: some but not all participants talked about the data that was itself high risk, because of the potential harm that could be caused if misused; some but not all participants distinguished this with the risks posed by the way that data was processed (that is, stored, shared, analysed); and some but not all participants conceived ‘high risk data’ and ‘high risk data processing’ in terms of the riskiest processing that their business did, rather than as defined in law or in comparison with the processing done by other organisations
  • businesses trusted third parties with potentially high-risk data processing but lacked detailed insights into third party processes
  • smaller (sole traders, micro and small) businesses lacked specialist expertise and had less formalised approaches to data processing activities
  • awareness of existing ICO guidance on high-risk data processing varied, irrespective of business size. This contrasted with the findings from the data protection strand of this research
  • ICO guidance on tracking made some participants realise that they might be engaged in more high-risk data processing than they thought
  • views on the usability of ICO guidance varied, with those in specialist data protection roles being more positive
  • Artificial Intelligence was an area of interest for all businesses due to its rapid development, opportunities, risks, and uncertainty
  • businesses wanted more guidance on Artificial Intelligence and data processing, tailored to their sector and business size
  • businesses sought clear, concise, and digestible guidance specific to their sector and size
  • smaller businesses wanted guidance shared with them proactively due to a lack of time to search for guidance
  • smaller businesses felt that DSIT and the ICO should be realistic in their expectations from small businesses, and mindful of the pressures they face. These included limited resources and time to engage with guidance. Smaller businesses felt that guidance materials should be designed with the needs of smaller businesses in mind

Annex 1: Sample and topic guide

Participant sample

The final composition of the research sample is outlined below.

Ten qualitative in-depth interviews were conducted with UK businesses in February 2024. Interviews with businesses were conducted via Microsoft Teams or telephone and lasted between 45 to 60 minutes each.

Table 1 shows the type of information businesses handle:

Type of information business handles | Interviews completed
Both personal employee data and digitised personal data | 9
Personal or non-personal digitised employee data | 1

Table 2 shows the business sector of participating businesses:

Business sector | Interviews completed
C: Manufacturing | 2
G: Wholesale and retail trade; repair of motor vehicles and motorcycles | 1
J: Information and communication | 1
K: Financial and insurance activities | 1
M: Professional, scientific and technical activities | 2
N: Administrative and support service activities | 1
P: Education | 1
Q: Human health and social work activities | 1

Table 3 shows the business location of participating businesses:

Business location | Interviews completed
England | 6
Scotland | 2
Wales | 1
Northern Ireland | 1

Table 4 shows the business size of participating businesses:

Business size | Interviews completed
Zero – Sole trader | 1
Micro (1 to 9 employees) | 1
Small (10 to 49 employees) | 2
Medium (50 to 249 employees) | 3
Large (more than 250 employees) | 3

Table 5 shows the business turnover of participating businesses:

Business turnover | Interviews completed
£10,000 to 49,999 | 1
£50,000 to 99,999 | 1
£100,000 to 249,999 | 1
£250,000 to 499,999 | 1
£1 million to £4,999,999 | 1
More than £10 million | 5

Depth interview topic guide

Introduction. 2 to 3 minutes.

Introduce yourself and Ipsos: My name is MODERATOR TO ADD NAME and I am a researcher working for Ipsos, an independent research organisation.

Explain research: The Department for Science, Innovation and Technology (DSIT) has commissioned Ipsos to carry out this study which involves talking with UK businesses to get a better understanding of their perception of data risks when processing personal data and how they handle data risks. Business practice and opinion around data use and data protection was covered in the 2023 UK Business Data Survey which you or someone in your organisation has responded to. This interview will provide an opportunity to discuss the issue in more detail.

The interview: The nature of the research is exploratory, and the discussion will be informal. There are no right or wrong answers.

Explain confidentiality: The contents of our discussion are completely confidential, and all findings are reported on anonymously. This means that no identifiable information will be shared with the Department for Science, Innovation and Technology or any other parties.

Explain payment for participation: You will receive £60 as either a shopping voucher or charity donation as a thank you for your time. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)

Explain voluntary participation: If you wish to end the discussion at any time, please let me know. Your participation in this research is voluntary.

Length of the interview: This discussion will last a maximum of 60 minutes.

Questions: Do you have any questions before we begin?

Consent to audio record: Is it okay if I record our discussion? This helps with making notes and analysis. Recordings are used only for analysis purposes and are stored securely and deleted 6 months after the interview takes place.

MODERATOR TO TURN ON RECORDING

GDPR added consent (MODERATOR TO ASK ONCE RECORDER IS ON)

Ipsos’s legal basis for processing your data is your consent to take part in this research. Your participation is voluntary. You can withdraw your consent for your data to be used at any point before, during or after the interview and before data is anonymised at the end of June 2024.

Can I check that you are happy to proceed?

Business background. 3 to 5 minutes.

To start our discussion, I would like to spend a few minutes understanding your business in a bit more detail.

Firstly, please could you briefly describe your business?

  • How long has the business been operating?
  • What does the business do?
  • How would you describe the size and structure of the business?

Could you briefly describe your role within the business?

  • How long have you been working in this business?
  • What are your responsibilities?

Personal data processing activities. 5 to 7 minutes.

I would now like to discuss personal data processing activities that your business undertakes.

OPEN BROAD QUESTION: What do you associate with personal data processing?

MODERATOR TO READ: Just to remind you, personal data is information that relates to an individual or can be linked back to an individual, and non-personal data is any other data.

  • Is this something that’s important to your business? In what way?
  • Is this important to you in your role? In what way?

OPEN BROAD QUESTION: Can you please briefly describe the personal data processing activities that your business undertakes?

Gauge spontaneous responses first and then probe with any of the following:

  • Collecting, recording, or compiling data
  • Storing, organising, or structuring data
  • Adjusting, combining, or changing data
  • Adjusting data – READ IF NECESSARY: This refers to adjusting or modifying data to fit a particular purpose or context, making it line up correctly across different systems
  • Combining data – READ IF NECESSARY: This refers to merging or integrating different data sets to create a more comprehensive or richer data resource
  • Changing data – READ IF NECESSARY: This refers to changing or manipulating data
  • Retrieval, reminding yourself of the details of the data or use of data
  • Sharing data (disclosure by transmission, dissemination or otherwise making available)
  • Restriction, erasure, or destruction of data

What are these data processing activities?

How important are these to your business? Why do you say this?

Which of these are most important? Why do you say this?

Who is responsible for these data processing activities?

OPEN BROAD QUESTION: What, if any, role do third-party partner organisations that you work with, or contractors play in the personal data processing activities that your business undertakes?

  • Why do they play this role?
  • Who, if anybody else, internally or externally, plays a role in data processing activities? Why do they play this role?

High-risk personal data processing activities. 18 to 20 minutes.

To what extent, if any, do you think there is a level of risk attached to personal data processing activities?

  • Why do you think this?
  • How have you come to form this view?

How does your business assess the level of risk attached to the personal data processing activities it undertakes?

  • Who is responsible for this assessment?
  • How is this assessed?
  • Who is responsible for making this assessment (if different from the individual ultimately responsible)?
  • Which criteria are used?
  • How, if in any way, would this differ based on your role as data controller or processor? Why?

OPEN BROAD QUESTION: What is your understanding of high-risk personal data processing activities?

  • How have you come to form this understanding?

OPEN BROAD QUESTION: Can you please briefly describe the high-risk personal data processing activities that your business undertakes?

Gauge spontaneous responses first and then probe with the following based on information provided in the respondent profile.

  • What are these high-risk data processing activities?
  • How important are these to your business? Why do you say this?
  • Which of these are most important? Why do you say this?
  • Who is responsible for these data processing activities?

OPEN BROAD QUESTION: Why are these considered to be high-risk data processing activities?

  • Where, in your opinion, do high risks lie? For example, what would your business do if you consider the risk to lie with a contractor, but you are the data controller?
  • How, if in any way, would this differ based on your role as data controller / processor? Why?
  • To what extent does your role as data controller / processor affect your assessment of risk?

OPEN BROAD QUESTION: In the 2023 UK Business Data Survey your business mentioned that it SEE RESPONDENT PROFILE AND INSERT APPLICABLE ACTIVITY(IES) (EXAMPLES PROVIDED BELOW).

  • Acquires or collects personal data using cookies or similar technology placed on people’s digital or internet connected devices.
  • Uses data for Artificial Intelligence or Automated Decision Making.
  • Processes sensitive data such as personal data for under 18s, ‘special category’ data such as data that are given additional protection under data protection laws (ethnic background, political, religious, or philosophical beliefs, trade union membership, genetic, biometric or health data, and sexual orientation) and criminal convictions and offences data.

How would you categorise the data processing of these activity(ies) as well as the other personal data processing activities that your business undertakes that you described a little while ago? For example, are they considered to be high-risk or low-risk?

How, if in any way, would this categorisation differ based on your role as data controller or processor? Why?

  • Why have you categorised it in this way?
  • What factors make this more or less risky?

OPEN BROAD QUESTION: What, if any, role do third-party partner organisations that you work with, or contractors play in the high-risk data processing activities that your business undertakes?

  • Why do they play this role?
  • How do they manage high risks?
  • Who, if anybody else, internally or externally, plays a role in data processing activities? Why do they play this role?
  • How, if in any way, would this differ based on your role as data controller or processor? Why?

OPEN BROAD QUESTION: How, if at all, are your behaviour, processes, and systems for high-risk personal data processing activities different from those for the non-high-risk personal data processing activities that your business undertakes?

  • Why / why not is there a difference?
  • How have you made this distinction?

Existing guidance. 20 minutes.

I would now like to discuss existing guidance related to high-risk personal data processing activities.

OPEN BROAD QUESTION: What, if any, guidance are you aware of related to high-risk personal data processing activities?

  • How aware of this are you?
  • Where did you find out about this? For example, sector bodies, other businesses, external websites etc.
  • What led to you finding this out?
  • Who in the business makes use of this?
  • Who in the business needs to understand it?

OPEN BROAD QUESTION AND IF AWARE OF GUIDANCE: How, if at all, have you used this guidance?

  • Why have you chosen to use this guidance?
  • IF AWARE OF GUIDANCE BUT CHOSEN NOT TO USE IT: Why have you chosen not to use this guidance?
  • How would you describe your experience of using this guidance and why? For example, was it helpful or unhelpful, useful or not useful?
  • For which data?
  • For which types of processing?

OPEN BROAD QUESTION: Are you aware of the Information Commissioner’s Office guide on data processing activities likely to result in high risk?

  • IF AWARE OF GUIDANCE: Where did you find out about this? For example, sector bodies, other businesses, external websites etc.
  • IF AWARE OF GUIDANCE: What led to you finding this out?

OPEN BROAD QUESTION AND IF AWARE OF GUIDANCE: How, if at all, have you used this guidance?

MODERATOR NOTE: Refer to issues raised during the interview around high-risk data

  • Why have you chosen to use this guidance?
  • How would you describe your experience of using this guidance and why? For example, was it helpful or unhelpful, useful or not useful?

MODERATOR OUTLINE AND TAILOR ACCORDING TO INTERVIEW MODE (Teams or Telephone): What I am now sharing on screen and reading to you / reading out to you is guidance on the data processing that the Information Commissioner’s Office considers likely to result in high risk.

It is important for us to stress that this is not current government guidance, nor do we know that it will be in the future. Ipsos is also not here to provide any advice or guidance.

MODERATOR TO READ AND SHARE SCREEN IF TEAMS OR READ ONLY IF TELEPHONE: Here is some of the guidance from the Information Commissioner’s Office on data processing likely to result in high risk:

Innovative technology: processing involving the use of innovative technologies, or the novel application of existing technologies (including Artificial Intelligence). A Data Protection Impact Assessment is required where this processing is combined with any of the criteria from the European guidelines.

Denial of service: decisions about an individual’s access to a product, service, opportunity, or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.

Large-scale profiling: any profiling of individuals on a large scale.

Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. A Data Protection Impact Assessment is required where this processing is combined with any of the criteria from the European guidelines.

Targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling, or other automated decision-making, or if you intend to offer online services directly to children.

OPEN BROAD QUESTION: What are your initial thoughts on the guidance on data processing that the Information Commissioner’s Office considers likely to result in high risk?

  • Why do you say this?

OPEN BROAD QUESTION: Does anything from the guidance on data processing that the Information Commissioner’s Office considers likely to result in high risk stick out?

  • Why do you say this?
  • What, if any impact will this have on your business? Why? How?

MODERATOR NOTE: DIRECT PARTICIPANTS TO THE INFORMATION COMMISSIONER’S OFFICE WEBSITE IF THEY REQUEST FURTHER INFORMATION.

Future guidance. 5 minutes.

I would now like to discuss future guidance related to high-risk personal data processing activities.

OPEN BROAD QUESTION: What, if any, guidance would you like to see related to high-risk personal data processing activities?

  • Why would you like to see this guidance?
  • Who do you think should provide this guidance? Why?
  • Where would you like this guidance to be provided?

OPEN BROAD QUESTION: What, if any, impact would this guidance related to high-risk personal data processing activities have on your business?

  • Why would it have this impact?
  • What, if any, benefits would this provide to your business?

OPEN BROAD QUESTION: To what extent, if any, would this guidance related to high-risk personal data processing activities assist your business with processing data that is likely to result in high risk?

  • Why do you think this?

Wrap up. 2 minutes.

What is the key thing you would like to feed back to the Department for Science, Innovation and Technology about what we have discussed today?

Is there anything else you’d like to mention that we haven’t had a chance to discuss?

The Department for Science, Innovation and Technology may want to do some follow-up research on this subject in the future. Would you be happy to be contacted by DSIT / Ipsos for future research?

INCENTIVE: Thank participant and remind them of confidentiality. Explain that they can get in touch if they have any further comments or questions about the research.

Remind them of the £60 shopping voucher or charity donation thank you from Ipsos, as an appreciation for their time and contribution to the research. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.) Direct participants to the Information Commissioner’s Office website if they request further information.

Annex 2: Glossary and abbreviations

This report uses terminology and abbreviations that are explained below.

Term | Definition
Artificial Intelligence (AI) | Artificial intelligence (AI) refers to computer systems capable of performing complex tasks that historically only a human could do, such as reasoning, making decisions, or solving problems.
Business to business | Business to business refers to commerce between two businesses rather than between a business and an individual consumer.
Business to consumer | Business to consumer is a type of commerce where a business sells products or services to individual consumers.
Child Protection Online Monitoring Service (CPOMS) | The Child Protection Online Monitoring System (CPOMS) is used by schools for monitoring child protection, safeguarding, and pastoral and welfare issues.
Cookies | Cookies are small text files that a website can place on people’s connected devices, such as computers or mobile phones, that access it. This is to uniquely identify a user and store information which can be used by a business to personalise the user’s experience.
Cyber Essentials | Cyber Essentials is a government-backed certification scheme that helps protect businesses, whatever their size, against a range of the most common cyber-attacks. A self-assessment option gives businesses protection against a variety of the most common cyber-attacks.
Cyber Essentials Plus | In addition to the Cyber Essentials trademark, hands-on technical verification is carried out under Cyber Essentials Plus.
Data controller | Data controllers are the main decision-makers. They exercise overall control over the purposes and means of the processing of personal data. Data controllers shoulder the highest level of compliance responsibility.
Data processor | Data processors act on behalf of, and only on the instructions of, the relevant controller.
Data Protection Officer (DPO) | A Data Protection Officer (DPO) monitors and ensures compliance with UK GDPR and other data protection laws.
Department for Science, Innovation and Technology (DSIT) | The Department for Science, Innovation and Technology (DSIT) is responsible for helping to encourage, develop and manage the UK’s scientific, research, and technological outputs. DSIT is also responsible for managing the necessary physical and digital infrastructure and regulation to support the British economy, UK public services, national security, and wider UK Government priorities.
European Union (EU) | The EU countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Information Commissioner’s Office (ICO) | The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is an executive non-departmental public body, sponsored by the Department for Science, Innovation and Technology.
Large business | A business with more than 250 employees.
Larger businesses | This refers to medium and large businesses with more than 49 employees.
Medium business | A business with 50 to 249 employees.
Micro business | A business with 1 to 9 employees.
Privacy notice | A privacy notice is a document that outlines an organisation’s practices concerning the collection, use, and safeguarding of personal data. It serves as a transparent communication channel between the organisation and individuals whose data it processes.
Sole trader | A sole trader is a type of business. A sole trader involves one person who owns and operates the business.
Small business | A business with 10 to 49 employees.
Smaller businesses | This refers to sole traders, micro businesses, and small businesses with up to 49 employees.
Subject Access Request (SAR) | A Subject Access Request (SAR) is a request made by an individual to an organisation to access the personal data that the organisation holds about them. A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.
UK Business Data Survey (UKBDS) | The UK Business Data Survey (UKBDS) is an official statistics publication that has been produced to the standards set out in the Code of Practice for Statistics. It helps the government understand the nature and importance of data use in industry, as well as its potential and realised economic impacts.
UK General Data Protection Regulation (GDPR) | UK General Data Protection Regulation (GDPR) is a law that sets guidelines for the collection and processing of personal information from individuals. UK GDPR came into effect in May 2018. Participants referred to UK GDPR as ‘GDPR’ in interviews and so throughout this report, ‘GDPR’ is used to mean UK GDPR.

Annex 3: Further information

The Department for Science, Innovation and Technology would like to thank the following people for their work in the development and carrying out of this research and for their work compiling this report:

  • Amrita Sood, Ipsos
  • Ruth Fitzell, Ipsos
  • Shahil Parmer, Ipsos

This work was carried out in accordance with the requirements of the international quality standard for Market Research, ISO 20252.