The collection, use and transfer of data has become increasingly important in the course of the 21st century, both to people and to industry. There is continued scope to improve our basic understanding of what data is used for, its value and the importance of being able to move data around, both domestically and internationally. This survey is intended to help the Government develop its evidence base in this regard and is its first iteration.
81% of all businesses surveyed said they handle digitised personal data, digitised non-personal data, or both, and use of data increases considerably as businesses become larger. This includes data collected from the businesses’ employees (for example, for HR or payroll purposes) and data collected from elsewhere (such as customer data).
Figure 1: Percentage of businesses that said they handle any form of digitised data (businesses can collect data from both sources shown)
|Businesses||Handle any form of digitised data|
|Total (all businesses)||81%|
|Micro (0 to 9)||79%|
|Small (10 to 49)||99%|
|Medium-sized (50 to 249)||99%|
|Large (250+)||100%|
Base: 4,500 UK businesses
Nearly all businesses with ten or more employees collect data. Note that micro businesses include sole traders, and that sole traders make up an estimated 76% of businesses.[footnote 1]
Around three quarters of businesses said they collect data other than that collected from employees.
Figure 2: Percentage of businesses that handle data from sources other than their employees
|Businesses||Either or both||Personal data||Non-personal data|
|Total (all businesses)||74%||63%||48%|
|Micro (0 to 9)||73%||62%||46%|
|Small (10 to 49)||83%||71%||68%|
|Medium-sized (50 to 249)||91%||80%||75%|
Base: 4,500 UK businesses
Only 4% of large businesses (those with at least 250 employees) said they do not use data from sources other than their employees. However, data use is also widespread among smaller businesses, with three quarters of micro-businesses (those with fewer than ten employees, including the self-employed) saying they handle either type of external data.
The following chapters present some high-level results, both from the quantitative survey and longer, more in-depth qualitative interviews, with businesses across the UK. We plan to undertake further analysis and publish more detailed results, including tables of data, in the autumn, which we hope will prove useful in others’ research.
Chapter 1: Introduction
Code of practice for statistics
The UK Business Data Survey is an official statistic and has been produced to the standards set out in the Code of Practice for Statistics.
Publication date: 13th May 2021
Geographic coverage: United Kingdom
The Department for Digital, Culture, Media & Sport (DCMS) commissioned the UK Business Data Survey to help the Department understand the importance of data to industry, what it is used for and how it drives the economy. It also seeks to develop the evidence base around the international flow of data and difficulties encountered, as well as the understanding among industry of the relevant regulatory framework.
This is the first time this survey was conducted and it was carried out by IFF Research. It covers:
- how businesses handle data, the types of data they use and what it is used for
- businesses’ awareness and understanding of, and difficulties encountered in, data protection regulations
- businesses’ knowledge of and interaction with the Information Commissioner’s Office, the UK’s data protection authority
- international data transfers and the mechanisms by which these are carried out
- if a business does not use data, what makes them different from businesses that do
DCMS commissioned IFF Research to carry out a questionnaire-based telephone survey of 4,500 UK businesses from 10th November 2020 to 29th January 2021. This was accompanied by 20 in-depth interviews in February 2021, to gain further qualitative insights from some of the organisations that answered the survey.
In both cases, the samples were selected to provide robust coverage by UK region, business size (number of employees) and sector. Weighting by these characteristics was applied to the data to ensure that the results reflect the UK business population.
Many questions were asked to a subsection of the overall sample. Where this is the case, it has been indicated in the supporting text.
A screening and question routing process was employed to minimise occasions when businesses initially said they do not collect or use data but in fact do. It was helpful to define what is meant by ‘data’ for the purposes of this research, and the definition given to respondents at the start of the interviews was as follows:
Digitised information that your organisation may hold, for example things such as financial information and names and addresses of employees and customers. All businesses use data in some form, and we are interested in speaking with all businesses even if you only deal with a small amount of digitised data.
The survey focussed on digitised data since, although non-digitised personal data (such as paper records) is covered by data protection legislation, it is thought that digitised data is by far the more prevalent form, and increasingly so. As such, it was considered better to concentrate the limited sample on businesses that use digital data.
Interpretation of findings
The survey results are estimates and subject to margins of error, which vary with the size of the sample and the percentage figure concerned. Percentage results, and subgroup differences by size and sector, have been highlighted only where statistically significant (at the 95% confidence level).
How to interpret the qualitative data
The qualitative survey findings offer more nuanced insights into how and why businesses hold attitudes or adopt behaviours with regard to data. The findings reported here represent common themes emerging across multiple interviews. Where examples or insights from one organisation, or a small number of organisations, are pulled out, this is to illustrate findings that emerged more broadly across interviews. However, as with any qualitative findings, these examples are not intended to be statistically representative, and cannot be generalised across the population.
Chapter 2: How businesses handle data
Of businesses that said they use any form of digitised data, 93% said they acquire personal data from individuals through them volunteering information (for example if a new customer registers with them).
As shown in Figure 3, of businesses that said they collect personal data, either from employees or elsewhere, by far the most common source of personal data is employees, customers or other individuals, with 85% saying they collect personal data from these sources, although a quarter of businesses obtain personal data from other businesses.
Figure 3: Sources of personal data as a percentage of UK businesses who use digital data
|Source of personal data||Percentage of businesses|
|Employees, customers and other individuals||85%|
|Other businesses||25%|
|Public bodies||13%|
|Charities or non-profit organisations||10%|
|Other branches of your own business or corporate group||7%|
|Don’t know||7%|
|Refused to answer||2%|
Base: 3,630 UK businesses that collect personal data
This was further backed by the in-depth, qualitative interviews, where the main forms of acquiring personal data are through customers volunteering information, such as customer data through incoming enquiries and orders, and employee data as part of prospective employment, among others. For some sectors, revenue would not be possible without personal data at all. As one of the interviewees highlighted:
If we don’t talk to our customers, we aren’t going to sell them anything.
Non-personal data such as sales or stock-level data is also very common, with around half of these businesses saying they generate this type of data. In-depth interviews also added the need for businesses acquiring or generating non-personal data such as sales data to map trends, and carry out financial projections and budgeting. Non-personal data is also used to launch promotions, load/discount prices or understand which products they need to stock more or less of based on sales levels.
DCMS wanted to know whether or not data-use in business has become easier or more prevalent among businesses. Around half the businesses that use digital data said that data had become more readily available in the last ten years. We asked these particular businesses about the advantages this gave them and around half said that it had enabled them to innovate and perform new functions. An even larger proportion, around 60%, said that it had led to efficiency improvements.
Around two thirds of UK businesses that collect personal data said they have a privacy management framework or data protection strategy in place. Of the subgroup of those that have employees, the vast majority (93%) felt that their employees were proficient in handling personal data. One business mentioned in an in-depth, qualitative interview that its Data Protection Officer (DPO) has good rules in place to ensure compliance regarding data transfers, and ensure that the right contracts are in place to mitigate the risks.
Figure 4: Percentage of businesses that expressed confidence in their employees’ proficiency in handling personal data
|Business||Very confident||Quite confident||Neither confident nor unconfident||Not confident||Don’t know/Refused|
|Medium-sized (50 to 249)||50%||45%||4%||1%||0%|
|Small (10 to 49)||59%||35%||5%||1%||0%|
|Micro (0 to 9)||61%||31%||5%||2%||1%|
|Total (all businesses)||60%||33%||5%||1%||1%|
Base: 1,909 UK businesses that collect personal data and employ staff
It is possible that this is an overestimate if businesses are reluctant to admit a lack of confidence in their employees’ abilities. The level of confidence is slightly lower for large businesses than for small or micro ones. As suggested by the in-depth, qualitative interviews, it may be that the level of confidence expressed is a function not only of the proficiency of the employees but also the complexity of the business’s data and related processes.
In these interviews, a number of the businesses were ‘quite confident’ in their employees’ abilities in handling personal data. An interview with a privacy and compliance officer of a large business highlighted the complexity of large businesses, noting that they are also aware that their business as a whole “does not really understand the legal rules”.
Chapter 3: Data protection regulation
The General Data Protection Regulation (GDPR) was introduced into UK law in 2018, in the form of the Data Protection Act (DPA) 2018. DCMS wanted to learn about businesses’ response to this new legislation.
The survey finds that businesses that collect personal data (either from their employees or elsewhere) have carried out a number of actions as a result of GDPR and DPA 2018 to, for example, ensure compliance with the legislation.
Figure 5: Percentage of businesses that carried out a particular action in response to GDPR and DPA 2018
|Action||Percentage of businesses|
|Rewritten or introduced privacy notice||52%|
|Introduced new process to implement DP measures||51%|
|Rewritten terms and conditions||50%|
|Introduced opt-in consent mechanisms||40%|
|None of these||25%|
|Run training for existing staff||17%|
|Sought legal advice||16%|
|Responded to Subject Access Requests||15%|
|Purchased specialist software for data protection||14%|
|Hired new staff or outsourced specialist staff||5%|
|Other||2%|
|Improved security of data storage||1%|
|Don’t know/Refused to answer||1%|
Base: 3,630 UK businesses that collect personal data
*‘Rewritten or introduced a cookie policy’ is suppressed to avoid disclosure, due to low response numbers
As shown above, the most commonly-stated actions are privacy notices, new processes, terms and conditions, and opt-in mechanisms, which mainly appear to be the more public-facing ones. A little over half the businesses said that they had implemented new processes in order to comply with the rules. A quarter of the businesses said they carried out none of these actions, although it is not known why.
A substantial proportion of respondents felt that there had been benefits to their business from the implementation of GDPR and DPA 2018, with only around a quarter saying that there had been no benefits (see Figure 6).
Figure 6: Percentage of businesses that mentioned what, if any, advantages GDPR and DPA 2018 had brought to their business
|Advantage||Percentage of businesses|
|Increased awareness of data protection at a senior level||58%|
|Improved awareness of data as a business asset||45%|
|Accountability||44%|
|Improved our internal processes for sharing data||40%|
|Increased consumer trust||34%|
|Enhanced business’s reputation||27%|
|Increased other businesses’ trust||27%|
|There were no benefits||26%|
|Don’t know/refused||2%|
|General business improvements||1%|
|Better processes for management / data storage||1%|
|More efficient / improved communication||0%|
|Other||0%|
Base: 3,630 UK businesses that collect personal data
In-depth interviews brought to light other benefits such as more respectful treatment of consumer data, keeping their databases up to date by removing any old data, making rules clearer and gaining business by building customers’ trust and confidence in them.
However, in these interviews, one respondent at a small business mentioned the amount of time they had to spend to educate themselves on the subject and put documentation together:
I had to spend a lot of time reading it and putting documentation in place to check that what we were doing was correct.
And a large (250 or more employees) business highlighted the time spent responding to subject access requests:
We receive over 100k requests per year.
Thinking about businesses’ customers, the respondents were asked about the extent to which they agreed with the following statements concerning their customers, GDPR and DPA 2018.
Figure 7: Percentage of businesses that agreed or disagreed with statements about their customers
|Statement||Strongly agree||Tend to agree||Neither agree nor disagree||Tend to disagree||Strongly disagree||Don’t know|
|Your customers make active choices based on data protection concerns||10%||30%||21%||23%||9%||7%|
|Your customers make active choices based on their trust of a company||34%||43%||12%||4%||2%||5%|
|The more well-informed your customers are about data protections, the more willing they are to share personal data||18%||34%||23%||14%||4%||7%|
|Your customers understand their rights||24%||40%||20%||8%||3%||5%|
Base: 3,136 that collect personal data other than from their employees
The results in Figure 7 suggest that businesses consider the trust their customers put in them to be important, with 77% of businesses saying that this influences the choices their customers make. Of the four statements above, the one agreed with least was in regard to customers making choices based on data protection concerns.
Chapter 4: Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights in the public interest. Find out more on the ICO website.
As shown in Figure 8, around two thirds (65%)[footnote 2] of businesses said they have heard of the ICO, although around a third of those that had heard of the ICO said they did not know what it is. Awareness of the ICO increases considerably with business size, with 87% of large businesses (those with at least 250 employees) saying they had heard of the ICO, compared with 58% of small businesses. Only a small minority (6%) of large businesses said they had heard of the ICO without knowing what it is, compared with 21% of small businesses.
Figure 8: Percentage of businesses that have heard of the ICO or not
|Businesses||I haven’t heard of the ICO||I’ve heard of it but don’t know what it is||I’ve heard of it and know what it is|
|Total (all businesses)||35%||22%||44%|
|Micro (0 to 9)||37%||22%||42%|
|Small (10 to 49)||21%||21%||58%|
|Medium-sized (50 to 249)||11%||19%||70%|
Base: 3,945 UK businesses that collect digitised personal and non-personal digitised data (either from employees or elsewhere)
By far, the ICO-provided service used most often by businesses that have heard of the ICO is its online guidance and Data Protection Hub, with 41% of these businesses reporting having used this service. This service helps individuals and organisations navigate data protection. 70% of businesses that used this service said that they found it to be useful.
Chapter 5: International data transfers
It is important for the government to understand the nature of the flow of data into and out of the UK, why this is important for businesses, and what difficulties businesses face in undertaking the international transfer of data.
As was shown in Figure 1, 81% of businesses said they use digital data, and this section applies to these businesses only. Only a relatively small minority of those businesses (12%) exchange (send or receive) personal or non-personal data between the UK and organisations or people outside the UK.
This also means that this and the following sections relate to a much smaller sample of businesses than the previous sections. The sample size is nonetheless large enough to provide robust overall results without breaking them down into smaller cohorts such as by size.
10% (12% of 81%) of all UK businesses send or receive digitised data, either personal or non-personal, to/from organisations or people outside the UK.
As data protection legislation is intended to protect individuals from the misuse of data about them, and therefore only applies to personal data, it is important to have an idea of the split between personal versus non-personal data that businesses share internationally. The sample size for this cohort is too small to break Figure 9 down by business size.
Figure 9: Percentage split between businesses that share personal data only, non-personal data only or both, internationally
|Data||Personal data only||Non-personal data only||Both personal and non-personal data||Don’t know/Refused to answer|
Base: 624[footnote 3] UK businesses that send or receive data outside the UK
Personal and non-personal data can often be difficult to separate, and so further analysis of the survey data will be required to look into the types of data used by businesses that responded with personal data only or non-personal data only, versus those that use both.
The main reasons given for not sharing data internationally were that businesses had no business need to do so (92%) or that their business does not operate internationally (78%). Some businesses, around 20%, had concerns about the legal risks and uncertainty of international data transfers, this being of greater concern to large businesses, at around 30%, which also had less of an issue with the resources required.
In-depth, qualitative interviews also highlighted difficulties for businesses in interpreting the laws of a destination country, and the risks involved with transferring data. One large business added that getting legal advice from a lawyer about a destination country can present a significant cost burden.
Chapter 6: International transfer mechanisms
In Chapter 5, businesses that collect and use digitised data were asked whether or not they exchange data (either personal or non-personal data) between the UK and other countries. As mentioned in that chapter, 12% said they did. These businesses were then asked further questions about the legal mechanisms they employ to undertake these transfers.
There are a number of legal safeguards businesses use to lawfully transfer data outside the UK. Some of these, such as Standard Contractual Clauses (SCCs), only apply to personal data, though many can apply to any type of data, such as encryption.
Figure 10: Percentage of businesses that exchange data internationally and that use a particular legal safeguard
|Legal safeguard||Percentage of businesses|
|Adherence to a code of conduct||40%|
|Standard Contractual Clauses (SCCs)||40%|
|None of these||31%|
|Privacy Shield||20%|
|Binding Corporate Rules (BCRs)||20%|
|Certification||17%|
|Adequacy||13%|
|Exceptions for particular circumstances||11%|
|Don’t know||8%|
|Encryption||3%|
|Terms and Conditions||2%|
|Other||2%|
|Non Disclosure Agreements||1%|
|Other Agreements||1%|
|Sought Advice||1%|
|Refused to answer||0%|
In general, it would appear that use of these mechanisms increases with business size. The chart below shows the proportion of businesses that exchange data between the UK and other countries but do not use any of these transfer mechanisms, that is, those that selected ‘none of these’ in Figure 10.
Figure 11: Percentage of businesses that exchange data internationally but which do not use any form of legal safeguard
|Businesses||Do not use any form of legal safeguard|
|Large (250+)||3%|
|Medium-sized (50 to 249)||8%|
|Small (10 to 49)||14%|
|Micro (0 to 9)||34%|
Adequacy (see Glossary for definition) is an important mechanism as it enables the free flow of personal data without needing additional measures such as SCCs and Binding Corporate Rules. Regarding transfers between the UK and countries outside the EEA, this is only applicable to the small number of countries that have been given adequacy status by the European Commission[footnote 4] and, by extension, the UK. For EU-UK personal data transfers, the UK has maintained an extension to adequacy status until June 2021. Therefore, EU data protection legislation (GDPR) continued to apply to the UK when the survey fieldwork was completed in January 2021.
The use of adequacy (used by 13% of businesses that exchange data internationally) as a transfer mechanism increases by business size, with 54% of large businesses relying on adequacy compared to only 18% of small businesses.
Figure 12: Percentage of businesses that exchange data internationally that use SCCs and adequacy, by business size
|Business size||Standard Contractual Clauses (SCCs)||Adequacy|
|Medium-sized (50 to 249)||72%||36%|
|Small (10 to 49)||55%||18%|
|Micro (0 to 9)||37%||12%|
Some small businesses that participated in the in-depth, qualitative interviews suggested a need for some guidance from the ICO to help ensure other businesses’ compliance, such as government accreditation.
66% of businesses that have implemented SCCs agreed that they facilitate adherence to safe handling of personal data in practice. A higher proportion, around 72%, thought that adequacy facilitated the safe handling of personal data.
Businesses were also asked how easy or difficult, in general, they find using any of these safeguards. 60% of all businesses that used a safeguard said they found it fairly easy or very easy, with 12% saying they found it fairly or very difficult. There is very little difference between businesses of different sizes. A potential explanation is that whilst the necessary expertise is more available to larger businesses, this is balanced out by the increased complexity of larger businesses’ data-sharing and data-processing activities.
By and large, the difficulty was attributed to either the requirements being too complicated or bureaucratic, or to a general lack of knowledge or difficulty understanding what the safeguards really mean.
Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) which provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required. Data adequacy can also be awarded to specified sectors of an economy or international organisations.[footnote 5]
Binding Corporate Rules (BCRs)
Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member concerned of the group.
Code of Conduct (CoC)
Under the UK GDPR, trade associations and other representative bodies may draw up codes of conduct that identify and address data protection issues that are important to their members, such as fair and transparent processing, pseudonymisation or the exercise of people’s rights. They are a good way of developing sector-specific guidelines to help with compliance with the UK GDPR. There is a real benefit to developing a code of conduct as it can help to build public trust and confidence in your sector’s ability to comply with data protection laws.
Encryption is the conversion of data from a readable format into an encoded format that can only be read or processed after it has been decrypted. Encryption is the basic building block of data security and is the simplest and most important way to ensure a computer system’s information cannot be stolen and read by someone who wants to use it for nefarious purposes. For example, it is utilised by both individual users and large corporations to ensure the security of user information that is sent between a browser and a server on the internet. That information could include everything from payment data to personal information. Businesses of all sizes typically use encryption to protect sensitive data on their servers and databases.[footnote 8]
Non-disclosure agreements are an important legal framework used to protect sensitive and confidential information from being made available by the recipient of that information. Companies and start-ups use these documents to ensure that their good ideas will not be stolen by people they are negotiating with. These agreements may be referred to alternatively as confidentiality agreements (CA), confidentiality statements, or confidentiality clauses, within a larger legal document.[footnote 9]
Privacy Shield is an agreement between the EU and US allowing for the transfer of personal data from the EU to US. Privacy Shield is designed to create a programme whereby participating companies are deemed to have adequate protection, and therefore facilitate the transfer of data. In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR.[footnote 10] In 2020 the Court of Justice of the European Union in the Schrems II ruling invalidated Privacy Shield for US-EEA personal data transfers.[footnote 11]
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with the GDPR’s requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects. SCCs are particularly important in the sphere of data protection, as these contribute towards a harmonised approach that concerns cross border processing or processing that affects the free flow of personal data or natural persons within the EEA itself, allowing for the consistent implementation of the GDPR’s specific provisions.[footnote 12]
Terms and Conditions
Terms and Conditions is the document governing the contractual relationship between the provider of a service and its user.
The Department for Digital, Culture, Media & Sport would like to thank IFF Research for its work in developing the survey and carrying out the fieldwork.
For general enquiries contact:
Department for Digital, Culture, Media & Sport
100 Parliament Street
Telephone: 020 7211 6000
Email: firstname.lastname@example.org
This report has been printed in accordance with the Official Statistics Code of Practice.