Has the GDPR Delivered on its Promise?

In May, when the GDPR came into effect, over 3 in 4 UK consumers thought it would have a positive impact.

A large majority also described the legislation as being extremely or very important to them, ensuring companies are held accountable for any misuse of their data.

Four months on, internet users have become accustomed to seeing a wide range of privacy notices, consent boxes and other GDPR-related information online.

But has the initial positivity persisted? Are UK consumers happy with how companies have implemented the GDPR’s requirements?

1 in 10 think the GDPR has had a negative impact.

To gauge the current mood, we conducted a survey on over 1,300 UK internet users aged 16-64.

The results will make uncomfortable reading in some boardrooms, suggesting the GDPR hasn’t (yet) delivered on its promise to empower consumers.

Only 3 in 10 agree that the GDPR has had a positive impact on their day-to-day internet usage (with absolute consistency in this metric across all age and gender groups).

Meanwhile, almost 1 in 10 think it’s actually had a negative impact.

Over half also don’t think it’s had any impact at all, and some 10% still remain unaware of the GDPR.

This relative lack of enthusiasm revealed itself  once again when we asked consumers if they believed the GDPR has been effective in protecting their data – a view that just 3 in 10 would endorse.

Consumers are frustrated with lengthy privacy policies.

To understand why the GDPR hasn’t yet managed to shift the needle, we drilled down into the frustrations that people feel about it.

Top of the list are lengthy privacy policies and notices (39%), something which internet users are now faced with on a daily basis.

Similarly annoying are forced consent mechanisms (38%), as well as the constant need to give consent to multiple websites (37%).

Annoyance over long notices and policies rises directly in line with age, peaking at almost 50% among 55-64s.

In contrast, it’s the youngest groups who are most concerned about websites using their data in unexpected ways, and are frustrated with having to contact multiple partners separately in order to opt out.

The problem isn’t the legislation, but the implementation.

The research reveals these frustrations are not the result of the GDPR legislation itself, but how companies have chosen to implement their compliance strategies.

Some of this can be attributed to (understandable) corporate caution: every company wants to make sure it’s adhering to the requirements of the legislation, and some have perhaps unintentionally gone a little further than would be strictly required.

Even so, most of us will have seen instances where extremely consumer-unfriendly approaches have been adopted – from extensive lists of partners who need to be contacted individually to websites that lock the user out, unless wholesale consent is given.

Currently, there are too many instances where the user has to jump through hoops to make sure their voices are being heard, and/or where they’re not being given a truly free choice over how their data is being used.

Putting consumers first.

Looking at current consumer sentiment, we have to wonder how long such approaches will be allowed to persist.

The GDPR’s intention was (and is) to put the consumer first.

With our results showing this hasn’t yet been achieved, surely the burden rests on companies to adopt more consumer-centric approaches which quickly and easily allow consumers to express their preferences.

Without such a shift, too many consumers will continue to feel uncomfortable or overwhelmed, and legislators might feel compelled to take further action.