
In addition to the quantitative Data Controllers Study survey, IFF conducted 20 follow-up interviews with data controllers in order to provide more context and to delve into some of the findings of the survey. The interviews were held between 29 November 2023 and 2 February 2024.

The main themes of the responses are summarised in a short visual infographic and in full below. We have also noted variations in responses across the participants, reflecting the diversity amongst organisations’ views and experiences. The participants were drawn from the participants of the quantitative survey. The Technical Report provides supplementary information about the methodology followed for the qualitative interviews. A broad range of organisations participated including commercial and retail businesses and industrial service providers, legal and accountancy service providers, public and local government organisations and social and non-profit organisations. Although the small sample means that we should be careful when generalising the results, the summary of the main themes of the responses provides valuable additional insight when considering the quantitative survey findings.

Types of processing

As the organisations covered a range of activities and sizes, it is important to note that the scale of data processing, and the data subjects this relates to, vary across the interviews. Some of the respondents dealt with all of the data processing themselves, others employed third party services, such as accounting software, which aided in the management and security of data within the organisation, while others utilised a hybrid approach.

Organisations interviewed also differed in their approach to the use of data within their organisation. Some used data to support the operations of their activities, including commercial exploitation, while others used data to support service delivery, and others used data they held in only very limited cases, such as in the case of a local library.

Views from a Community Library

“The resources we will have used will come from the legal department at the county council but have also spoken many times with Citizens Advice and ACAS, but never the ICO.”

All of the organisations interviewed held personal data and some had established approaches for data protection before the introduction of GDPR. In some cases, this changed a lot following the introduction of the legislation, with organisations mentioning they were not as able to access or share personal data as they were before the introduction of the legislation, while in others it represented only minor changes to existing methods for protecting data held by the organisations and was seen as beneficial for creating structures and establishing processes.

Views from a local sight loss charity

“I could imagine for other people that didn’t already have this in place it would have been difficult, but because we did – it sounded scary when it was announced but then had a look and realised we were already doing it all; now we record that we are doing it rather than naturally doing it.”

Views on data protection legislation

The quantitative survey findings indicated that while 32% of data controllers found data protection law to be an enabler to their core activities and 24% perceived data protection law as a constraint at least to some extent, 16% of data controllers suggested that data protection legislation had acted as both an enabler and a constraint on their core activities. The qualitative interviews provide insight into these views, discuss the positive and negative impacts of the legislation, and delve into some data controllers’ views that concurrently discuss both aspects of data protection legislation for their activities.

Of those data controllers interviewed, eighteen were either positive or neutral about the overall impact of regulation on their operations, with the majority of this group discussing positive impacts. Those data controllers who reported the overall impact of legislation as positive identified a range of benefits, including the streamlining of existing practices, clarity on what could be done, and improved confidence among customers and public service users about their data. Respondents also mentioned unanticipated benefits, such as improved public consultations due to the introduction of anonymity in a parish council’s consultation process and reduced printing costs due to providing advertising material only to customers who had joined a theatre’s mailing list. Costs, which included training, software and hardware, were not viewed as outweighing these benefits, and in many cases were seen as an ongoing cost of operating, rather than being specifically related to legislation such as GDPR.

Views from a plant nursery

“And that benefits our business...a big chunk of our business is online, either directly or indirectly...And if individuals don't feel that they are well protected then I am sure they would find alternative ways to shop.”

Agreement that the impact had been positive was not universal; two data controllers felt that the impact had been negative overall. A small retailer expressed the view that broadly all regulation introduced by the Government increased costs and made their business harder to run, and was therefore unable to identify the value that regulation could provide for organisations. A respondent providing insights from a public organisation, a prison, suggested that the requirement to gain permission for accessing and sharing data was making it harder for them to efficiently achieve their objective of rehabilitating prisoners. These views provide an important, comprehensive insight into data controllers’ experiences of engaging with the regulation put in place.

The costs of compliance

When discussing the introduction of legislative requirements, such as the introduction of data protection law, it would not be unusual to observe monitoring and compliance costs for organisations. The quantitative findings have indicated that 35% of organisations have faced costs in order to comply with UK GDPR in the past 12 months. Data controllers interviewed in the qualitative study identified costs for software and subscriptions, costs of creating a new role to manage data protection policies, costs for data storage and increased liability insurance premiums. The costs generated were not characterised as being significant to the operation of the organisations, and in many cases expenditure, such as training, software or revising policies, was characterised as part of the ongoing costs of operations. One respondent identified costs as being an issue, though this was not supported by a clear statement of those costs. Overall, respondents acknowledge costs in complying with the legislation; however, they broadly seem to perceive them as costs relevant to carrying out their activities.

Views from a law firm

“At the time [of the introduction of GDPR] we didn’t realise the impact from an ongoing resource point of view. Both direct and indirect, but more indirect. It is difficult to quantify and predict the costs.”

Views from a business buying, selling and renting shipping containers

“We have a much better understanding of what we can and cannot do, we've had to change our focus slightly so actually it is not affected us.”

“Nobody understood what it was, but GDPR makes it a lot clearer, both to understand and to follow.”

The ICO’s guidance to data controllers

Of those data controllers asked, many had made direct visits to the ICO website and consulted guidance on areas of interest. Views on the clarity and specificity of that information differed - although several noted that the material was clearly presented, others felt it was too technical.

Views from a solicitor, dealing with commercial and private legal issues

“Occasionally, we go to visit the website of the ICO to make sure that there is nothing new, and sometimes on our continuing development courses, we have sections on data protection.”

The findings also highlight that the ICO was one of a range of sources used for obtaining information about data protection legislation. Some relied on parent organisations, others on consultations with related organisations, such as trade bodies, while others relied on providers of accounting software, or other providers of guidance, such as the Citizens Advice Bureau.

Views from an agricultural engineering company

“The main resource again is through our software because they update us as to what the new legislation is.”

Views from a vehicle leasing company

“We normally get guidance and consulting support from the finance company that we deal with.”

Summary

The qualitative interviews are an interesting addition to the evidence from the quantitative part of the Data Controllers Study. They demonstrate that organisations that engage with data protection legislation have developed informed views about the impact of data protection and provide a nuanced insight into data collection, processing and storage, and the costs of compliance. Additionally, the responses demonstrate that the ICO’s guidance and information is not often consumed directly by data controllers, and is often being used in combination with guidance from other sources.