As experts in data protection law, we are eager to ensure that individuals do everything they can to protect their personal information.

A data breach can cause significant financial and emotional damage and distress to anyone whose personal information is illegally accessed, especially if it has been mishandled by an organisation you trusted.

Almost two years since GDPR was introduced as a measure to give the general public more control over their personal data, we wanted to gauge whether those in the UK and Ireland understand their rights under the legislation. Here is what we discovered.

One in five people don’t know what GDPR is

One-fifth (20%) of people in the UK and Ireland are not familiar with the term ‘GDPR’. Among respondents aged over 45, this figure rose to 25%.

While the majority of respondents said they know what GDPR is, gaps in knowledge were identified when asked about the guidelines. Only 28% of respondents understood what personal data could be legally kept by an organisation, while 15% wrongly said that companies were not able to keep any personal data at all.

The full list of personal data that can be kept by companies is:

  • Your name
  • Your date of birth
  • Your address or mobile phone GPS
  • Your telephone number
  • An online identifier, such as IP address or email address
  • The job you do
  • Your racial or ethnic origin
  • Identification numbers, such as National Insurance and passport
  • The items you view or buy online
  • Your bank details, including credit card
  • The school you went to
  • Information on your health
  • Biometric data, such as photos and fingerprints
  • Details about your partner/family
  • Any Trade Union membership
  • Your religious or philosophical beliefs
  • Your political opinions
  • Your passwords
  • Details of your sex life and sexuality

The survey also identified a lack of knowledge in relation to what companies can legally do with personal data. Only 26% correctly identified that organisations are able to do the following with personal information:

  • Use it to provide a service
  • Use it to make a recommendation
  • Use it to decide what you see online
  • Use it to directly sell to you
  • Sell the data to third parties

Some 14% of respondents incorrectly said that companies were not able to do anything with their personal data.

One-fifth of people have been a victim of a data breach

Our survey also revealed that 20% of participants have had their personal data exposed in an illegal breach. Of those who had been a victim of a data breach, only 7% made a claim. When asked why they hadn’t made a claim, 37% said they were not aware that they could do so, while 24% didn’t think it was a big enough concern to take legal action.

Anyone who has their data leaked due to the irresponsibility of a company is vulnerable to suffering financial losses. Regardless of how big or small these losses are, companies should be held responsible, especially if they failed in their duty to protect your personal data.

While you may not have suffered any financial losses, you shouldn’t be left worrying about your personal information being used without your knowledge. Making a claim isn’t just about reimbursing a financial loss; it can also be used to recompense any emotional distress and ensure that the organisation responsible for protecting your data puts suitable security methods in place to make sure this doesn’t happen again.

The number of people who have fallen victim to a data breach may be larger than what is reported in the survey, as 24% were not aware of their personal data being illegally accessed.

More than half of people in the UK and Ireland don’t know what a subject access request is

Despite 62% of respondents saying they do not trust companies to use their data responsibly, and 72% being greatly or somewhat concerned about organisations misusing their data, more than half (55%) of UK and Irish residents were not familiar with the means to request access to their data.

A subject access request (SAR) is a written or verbal request asking for access to personal information that an organisation holds or processes on you. You are able to make a subject access request whenever you want to any company that stores personal data. An SAR can be made for free; however, if a request is considered to be ‘manifestly unfounded or excessive’, a reasonable admin fee may be applied to a request.

The complete survey findings

Do you know what GDPR is?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 79.91% | 875 |
| No | 20.09% | 220 |

How would you rate your knowledge on GDPR?

| Answer | Percentage | Responses |
|---|---|---|
| Very knowledgeable | 7.54% | 60 |
| Knowledgeable | 58.67% | 467 |
| Not very knowledgeable | 31.53% | 251 |
| Not at all knowledgeable | 2.26% | 18 |

Do you know what a subject access request is?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 45.50% | 450 |
| No | 54.50% | 539 |

Do you have to pay to make a subject access request?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 25.62% | 113 |
| No | 74.38% | 328 |

To your knowledge, what personal data can organisations legally keep about you?

| Answer | Percentage | Responses |
|---|---|---|
| Your name | 66.20% | 572 |
| Your date of birth | 59.14% | 511 |
| Your address or GPS | 51.62% | 446 |
| An online identifier | 41.78% | 361 |
| Your telephone number | 49.88% | 431 |
| Your bank details, including credit card | 19.91% | 172 |
| Your passwords | 7.99% | 69 |
| The school you attended | 18.17% | 157 |
| The job you do | 24.88% | 215 |
| Details about your partner/family | 15.05% | 130 |
| Items you view/buy | 21.99% | 190 |
| ID numbers | 22.69% | 196 |
| Health information | 17.94% | 155 |
| Biometric data, such as photos and fingerprints | 15.86% | 137 |
| Your racial or ethnic origin | 23.26% | 201 |
| Your political opinions | 7.99% | 69 |
| Your religious or philosophical beliefs | 9.49% | 82 |
| Trade Union membership | 11.69% | 101 |
| About your sex life and sexuality | 6.13% | 53 |
| None of the above | 15.39% | 133 |
| All of the above | 27.66% | 239 |

What can companies legally do with your personal data?

| Answer | Percentage | Responses |
|---|---|---|
| Use it to provide a service to you | 62.15% | 537 |
| Use it to make recommendations | 41.90% | 362 |
| Use it to decide what you see | 29.40% | 254 |
| Use it to directly sell to you | 29.75% | 257 |
| Sell your data to third parties | 10.53% | 91 |
| None of the above | 14.12% | 122 |
| All of the above | 26.04% | 225 |

Is a company legally required to share information if there has been a data breach?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 62.27% | 538 |
| No | 18.17% | 157 |
| Don’t know | 19.56% | 169 |

Have you ever been the victim of a data breach?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 20.95% | 181 |
| No | 54.05% | 467 |
| Don’t know | 25.00% | 216 |

Did you make a claim for compensation?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 7.14% | 13 |
| No | 92.86% | 169 |

Why did you not make a claim?

| Answer | Percentage | Responses |
|---|---|---|
| Too much hassle | 9.58% | 16 |
| Takes too long | 2.40% | 4 |
| Too expensive | | |
| Don’t have a solicitor | 2.99% | 5 |
| Didn’t think it was a big deal | 23.95% | 40 |
| Didn’t know how to make a claim | 8.98% | 15 |
| Didn’t know I could claim | 37.13% | 62 |
| Other | 14.97% | 25 |

Do you trust that organisations will use your data responsibly?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 38.24% | 322 |
| No | 61.76% | 520 |

How concerned are you about organisations misusing your data?

| Answer | Percentage | Responses |
|---|---|---|
| Greatly concerned | 17.81% | 150 |
| Somewhat concerned | 53.80% | 453 |
| Neither concerned or not concerned | 16.27% | 137 |
| Not concerned | 9.26% | 78 |
| Not thought about it | 2.85% | 24 |

Are you more aware of your data rights now than you were five years ago?

| Answer | Percentage | Responses |
|---|---|---|
| Yes | 81.83% | 689 |
| No | 18.17% | 153 |