The ICO exists to empower you through information.

This section provides an overview of the findings about the processing activities of data controllers. It sets out the types of personal data held by organisations, identifies the purposes for which organisations process personal data and indicates how data controllers share personal data with third-party organisations.

What data is held by data controllers

Volume of personal data processed

The majority (81%) of data controllers processed personal data for fewer than 1,000 data subjects in the last 12 months. In fact, 48% of respondents reported processing personal data for fewer than 100 individuals in the last 12 months. The volume of personal data processed increases with organisation size. When filtering for organisation size, most sole traders (57%) reported processing personal data for fewer than 100 data subjects. In comparison, among large organisations with more than 250 employees, more than two thirds (68%) reported processing personal data for more than 10,000 individuals.

Table 1: Volume of personal data processed by organisation size

Survey questions: B1. Approximately how many people does your organisation employ? D2. Approximately how many people does your organisation employ?

Volume of personal data processed   Total   Sole traders   Micro   Small   Medium   Large
Less than 100                       48%     57%            24%     13%     4%       1%
100 to 999                          33%     31%            40%     27%     13%      6%
1,000 to 9,999                      11%     8%             17%     23%     19%      16%
More than 10,000                    7%      2%             15%     35%     64%      68%
Don't know                          2%      2%             3%      2%      0%       10%

Sensitive data

Certain data is categorised as ‘special category’ data due to its sensitive nature. This includes factors such as ethnic background, political, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, and sexual orientation.

In our survey, 16% of organisations reported processing sensitive data. The majority (75%) of these organisations reported processing ‘special category’ data. Half (50%) of the organisations that reported processing sensitive data reported processing personal data relating to children and young people under 18, and 27% of organisations processing sensitive data also reported processing criminal convictions and offences data.

Number of employees responsible for compliance

Most organisations reported having only a small number of full-time employees responsible for managing data protection compliance in the organisation over the past 12 months. Overall, 76% of organisations reported zero or one employee responsible for managing data protection compliance and 19% reported between two and nine employees. Less than 5% of respondents reported that ten or more full-time employees had at least some responsibility for managing data protection compliance.

83% of organisations reported zero or one part-time employee with responsibility for managing data protection compliance. Less than 2% reported having ten or more part-time employees with such a responsibility.

These results vary by organisation size. The findings indicate that the reported number of employees with at least some responsibility for data protection compliance tends to fall in the same band as the organisation's headcount, suggesting that organisations may regard all employees as responsible for data protection compliance to at least some extent. For example, 48% of organisations with more than 250 employees reported that more than 250 full-time employees are at least partially responsible for managing data protection compliance. Similarly, 55% of organisations with 50 to 250 employees reported that 50 to 250 employees were responsible for their data protection compliance.

However, we have identified discrepancies within this survey question. For example, some sole trader organisations reported that between two and nine employees are responsible for their data protection compliance. Whilst we are aware of these inconsistencies, we have retained the organisations’ original responses. In the next iteration of the survey we will look to improve response consistency and to identify whether there is justification for reporting a higher number of employees responsible for data protection compliance than the organisation’s total number of employees, by cross-checking responses to this question against responses on organisation size, or by introducing a confirmation prompt and requesting an explanation where these numbers do not align.

How data is used by organisations

Purpose of processing

Organisations process personal data for a variety of reasons. Product and service analytics was the most commonly reported purpose for processing personal data, cited by 37% of organisations. For example, if an organisation sells goods online, it can process personal data such as the recipient's name, delivery address and payment card details in order to enter into a contract with the individual and provide its core service. Customer analytics can also help organisations identify and meet demand for their products and services.

Some controllers may be under a statutory obligation to process personal data. This can include, for example, tax reporting, social and welfare reporting and regulatory reporting. 30% of respondents reported regulatory or statutory requirements, and 21% of respondents reported responding to requests from government authorities, as key purposes for the processing of personal data.

Personal data can also help organisations tailor their marketing efforts and improve customer experiences, thereby increasing the effectiveness of their marketing strategies. 22% of respondents reported using personal data for direct marketing purposes.

Data controllers in action: why data controllers process data

Views from a non-profit theatre and arts venue

The theatre and arts venue collects personal data through its box office sales, collecting audience information such as name, address and email address. Box office data is held for a year before being deleted, but customers can consent to the continued storage of their personal data if they opt in to a mailing list.

The data controller at the venue spends 50-60% of their time on data issues related to keeping the data up to date and deleting old records.

Dependence of organisations on processing of personal data

The survey results highlight the importance of processing personal data for organisations to provide their goods or services. 52% of organisations reported that processing personal data is essential to the core functions of their business model and 49% reported that it is essential for supporting functions within the business. 13% of organisations reported that personal data processing is useful but not necessary for their business and 11% of organisations reported that processing personal data is not very important for any of the functions in the business.

Among organisations processing personal data for more than 10 million data subjects, respondents reported that the processing of personal data was essential to either their core (86%) or their supporting (86%) functions within the business.

Acquiring personal data

Organisations can acquire, receive and collect personal data through a variety of means. Most organisations in the survey (93%) acquired personal data directly from customers or the public. 24% of organisations reported acquiring personal data through other businesses or organisations in the course of providing products or services, and 13% of organisations reported acquiring personal data from publicly available databases. 10% of organisations reported acquiring personal data through cookies or similar online tracking technologies, and 10% reported using data intermediaries, such as tech platforms or data brokers, to acquire and collect personal data. A small proportion of organisations also reported acquiring personal data through international sources (5%) and from public bodies such as government departments, HMRC and the NHS (1%).

Storing personal data

75% of organisations reported holding personal data digitally. This increases with organisation size, with more than 90% of organisations with more than 50 employees reporting that data is being held digitally.

Data sharing

15% of organisations reported sharing personal data outside of their organisation. This was more pronounced for organisations processing higher volumes of personal data: 29% of organisations processing data for more than 2 million data subjects reported sharing personal data outside of their organisation.

Organisations sharing personal data outside of their organisations reported sharing the data with a variety of third parties, including other businesses or organisations (58%), public bodies such as government departments (50%), employees (34%) and customers or stakeholders (28%).

The most common recipients varied based on organisation characteristics. For example, 94% of organisations processing personal data for more than 2 million data subjects and sharing data outside of their own organisation reported sharing this data with employees. Similarly, public sector organisations sharing personal data outside of their own organisation most commonly reported sharing this data with other public bodies (77%).

8% of organisations surveyed reported sharing sensitive personal data outside of their organisation. Sensitive data was shared most commonly with employees (49%), public bodies such as government departments (44%) and other businesses or organisations (40%).

Overall, 7% of organisations reported sharing UK residents’ personal data internationally. Amongst this subset of organisations, the most common jurisdictions for data transfers were the EU and the United States, reported as a destination by 56% and 23% respectively of the organisations sharing data internationally.