Thales eSecurity Blog

More than half of consumers would consider legal action if their data was compromised during a breach

Peter Galvin | Chief Strategy Officer

Six months on from the legal implementation of the General Data Protection Regulation (GDPR), a third of consumers have admitted they still aren’t confident that the companies they interact with comply with the regulation. Furthermore, 16% of organisations across the UK and Germany confessed to not having been ready in time for the legislation, according to our research into consumer and business perceptions of the GDPR, six months after its roll-out.

Our research has highlighted that 86% of consumers would consider switching to another company if a breach were to occur, with 35% of consumers stating that a data breach under the GDPR would ‘definitely’ give them a negative perception of a company. More than two thirds (69%) also stated they would think about initiating legal action against a company which failed to manage their personal data under the GDPR.

A surprising 17% of UK consumers said they still hadn’t heard of the regulation compared to just 9% in Germany. A quarter (25%) of people in both regions revealed that they could not explain the GDPR in any way.

Ready or not

In light of consumer concerns, members of the C-Suite were asked whether their organisation was prepared for the legislation in time for the May 25 2018 deadline. The majority (84%) of businesses reported being ‘completely’ ready, with a further 11% being somewhat prepared. Those across the manufacturing and utilities industries had the highest preparedness rates at 91%, while retail had the lowest across both countries at 78%. UK businesses fell slightly behind their German counterparts, however, with a 10% difference in the number of organisations that met the official deadline.

Since the implementation of GDPR, one third (33%) of UK businesses have contacted the Information Commissioner’s Office (ICO) to check the severity of a data breach, while just less than half (49%) of German organisations have done the same with the Data Protection Commissioners.

Gaining and maintaining consumer trust

With over 40% of UK companies turning to the ICO in the first six months of the GDPR implementation, it’s hardly surprising that consumers still lack confidence around the privacy and safety of their personal information. As data breaches continue to hit the headlines on what seems like a daily basis, it’s almost impossible for anyone to believe their data is in good hands.

This immediately puts organisations at a disadvantage in gaining consumer trust, especially given people’s willingness to switch companies following a breach. With the GDPR putting consumers in a newfound position of power, it’s down to organisations to show they are rethinking their approach to data security, ensure they are fit for compliance, and enhance their relationships with consumers.

The cost to business

UK businesses also ranked second when it came to financial investment into preparing for the GDPR, with UK spend averaging £86,806, while German organisations invested an average of €210,653. Only three in ten enterprises across the UK spent more than £10,000 preparing themselves, whereas more than half did the same in Germany. At the other end of the scale, 16% of German organisations invested between €500,000 and €1 million to become compliant, compared with just 5% of organisations across the UK.

The regulation has also impacted the way enterprises interact and engage with third parties, with 38% admitting to completely changing their security policies with contractors or vendors in line with the GDPR, and a further 24% partially changing policies.

A view from the C-Suite

As well as having to alter external relationships in order to meet the new requirements, it appears that organisations in both countries have also been affected by the data protection law in a number of other ways, with not all of them being positive. Although designed to bring greater control to how data is handled and protected, 30% of CEOs, CIOs and CISOs felt that the introduction of the GDPR had in fact led to increased complexity.

Perhaps more worryingly, almost a quarter (23%) believe the regulation has resulted in a greater risk of data breaches, while a further 14% reported a negative impact on their relationships with international partners. It wasn’t all doom and gloom, however, as 18% of respondents across the UK and Germany felt that the regulation has had a positive impact on innovation for their organisation.

Please find a detailed breakdown of the 2,006 consumer respondents via gender, age and market below, as well as the criteria for the 1,006 CEOs, CIOs and CISOs surveyed by company size, region and industry sector. The survey was issued in November 2018 by Censuswide.

Respondent breakdown: consumer

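| Category | Group | Base number of survey participants |
|---|---|---|
| Total | All respondents | 2006 |
| Gender | Male | 990 |
| Gender | Female | 1016 |
| Age | 16-24 | 359 |
| Age | 25-34 | 456 |
| Age | 35-44 | 345 |
| Age | 45-54 | 341 |
| Age | 55+ | 505 |
| Market | UK | 1000 |
| Market | Germany | 1006 |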

Respondent breakdown: business

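| Category | Group | Base number of survey participants |
|---|---|---|
| Total | All respondents | 1006 |
| Company size | Sole Trader | 284 |
| Company size | 1-9 employees | 235 |
| Company size | 10-49 employees | 105 |
| Company size | 50-99 employees | 60 |
| Company size | 100-249 employees | 88 |
| Company size | 250-500 employees | 131 |
| Company size | 500+ employees | 103 |
| Region | East of England | 42 |
| Region | Greater London | 81 |
| Region | East Midlands | 34 |
| Region | West Midlands | 34 |
| Region | North East | 19 |
| Region | North West | 55 |
| Region | Northern Ireland | 10 |
| Region | Scotland | 38 |
| Region | South East | 76 |
| Region | South West | 46 |
| Region | Wales | 24 |
| Region | Yorkshire & The Humber | 42 |
| Industry sector | Architecture, Engineering & Building | 60 |
| Industry sector | Arts & Culture | 53 |
| Industry sector | Education | 40 |
| Industry sector | Finance | 71 |
| Industry sector | Healthcare | 45 |
| Industry sector | HR | 12 |
| Industry sector | IT & Telecoms | 197 |
| Industry sector | Legal | 16 |
| Industry sector | Manufacturing & Utilities | 42 |
| Industry sector | Professional Services | 153 |
| Industry sector | Retail, Catering & Leisure | 147 |
| Industry sector | Sales, Media & Marketing | 41 |
| Industry sector | Travel & Transport | 28 |
| Industry sector | Other | 101 |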