The State of Online Privacy in the UK: Are We Doing Enough?
The EU General Data Protection Regulation (GDPR) came into effect in May 2018. A stringent data privacy and security regulation, it imposes strict requirements on organisations that collect and process the personal data of EU citizens and levies heavy fines for violations.
The regulation was developed to protect EU residents and citizens’ personal data in line with technological advances, like targeted advertising and email marketing. Despite the United Kingdom exiting the European Union, the UK still retains the GDPR in domestic law as the UK GDPR.
However, while businesses endeavour to protect the data they hold, threat actors are still lurking – and looking for opportunities to strike. Data breaches are on the rise, malicious actors are developing increasingly sophisticated attack methods, and organisations are under more scrutiny than ever regarding data privacy and how they secure consumer information.
Businesses are Struggling to Keep Data Secure
In ISMS.online’s State of Information Security Report 2024, which surveyed 502 UK businesses across a range of sectors, only 1% of respondents stated that their company had not received a fine for a data breach or violation of data protection rules in the previous 12 months. 76% of organisations said they’d received fines between £50,000 and £500,000, with over a third (35%) receiving fines between £100,000 and £250,000.
Worryingly, these missteps are issues at a global scale – just 1% of Australian respondents and no US respondents stated their business had not received fines.
The impact of data breaches on businesses can’t be overstated. The global average cost of a data breach hit an all-time high of $4.88m in 2024, a 10% increase from 2023. Customer trust and brand reputation are also heavily impacted: a study by ISACA revealed that 33% of consumers report having severed ties with a company known to have experienced a breach, and 36% believe companies under-report breaches, even when required by law to disclose them.
Consumers are Exercising Their Data Privacy Rights
As organisations struggle to comply with regulations and contend with data breaches, consumers are becoming increasingly concerned about their data privacy and the organisations to which they give their information. So, how do consumers research a company’s data privacy reputation?
- 67% of consumers read reviews from other consumers
- 39% of consumers carefully read company policies
- 35% of consumers check if the company has experienced a data breach
- 31% of consumers read discussions on social sites (e.g. Reddit)
- 15% of consumers check with associations.
Over two-thirds (67%) of UK consumers now look for social proof, like reviews from other consumers on trusted websites, before giving their data to an organisation. Meanwhile, 39% say they carefully read company policies, a far cry from the days of buyers casually scrolling past the terms and conditions to click ‘accept’ and move on. 35% say they check if a company they intend to purchase from has experienced a data breach.
Consumers in the UK are aware of and exercise their data privacy rights.
These are the most common ways UK adults exercise their data privacy rights, according to Statista:
- 70% asked an organisation to stop sending them marketing through electronic means
- 31% asked an organisation to stop using their personal information or data altogether
- 31% refused to provide an organisation with their biometric data
- 29% asked an organisation to delete any personal information or data collected about them.
How Organisations Can Improve Their Data Privacy Practices
Ensuring your business complies with GDPR regulations is a legal requirement and a key step in ensuring data privacy. However, to establish and build organisational trust, it’s important to consider other ways to secure customer information beyond the baseline requirements set out in the legislation.
Implement a Privacy Information Management System with ISO 27701
ISO 27701 is an international standard for data privacy and an extension of the ISO 27001 information security standard. It provides a framework for your organisation to establish, implement, maintain and continually improve a privacy information management system (PIMS) and ensure robust ongoing compliance with data protection legislation like GDPR. ISO 27701 is available as an add-on to an existing ISO 27001 certification.
The standard establishes requirements for building a comprehensive PIMS and guides data controllers and processors in handling personally identifiable information (PII). As part of ISO 27701 implementation, you’ll:
- Determine privacy legislation and regulations that apply to your business
- Determine the organisational scope of your PIMS
- Establish a privacy security risk assessment and treatment process
- Manage the relationship between your information security and PII protection
- Consider and implement controls to protect the PII you control or process, for example:
- Annex A.7.2.1 – Identifying and documenting the specific purposes for which the PII will be processed, for example, to process and deliver customer orders, manage payments and market services
- Annex A.7.4.1 – Limiting the collection of PII to the minimum that is relevant, proportional and necessary for your identified purposes
- Annex A.7.4.1 – Retaining PII only for as long as is necessary for the purposes for which it is processed, for example, by establishing retention periods for specific record types.
Many of your PIMS controls will build on the controls you establish in your ISO 27001 information security management system (ISMS), such as your access control policy, information backup process, and information classification. This enables your organisation to take a unified approach to addressing information security and privacy risk, reducing the risk of data breaches and demonstrating your commitment to security to your customers and prospects.
Establish Transparent Data Handling Processes
Transparency in data handling processes is required for GDPR compliance, but it also increases consumer confidence in your organisation’s security measures. Lawful, fair and transparent data handling includes:
- Identifying and documenting the purposes for which PII will be processed, for example, delivering products and services, processing and delivering orders or marketing and promoting services
- Identifying and documenting the relevant lawful basis for the processing of personal data, such as consent from PII principals, performance of a contract or compliance with a legal obligation
- Limiting the collection and processing of PII to the minimum that is necessary for the relevant task to align with privacy by default and privacy by design principles
- Implementing processes for record protection including access control, classification of information and specified retention periods.
The above practices are also required for successful ISO 27701 compliance and certification.
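The two lists above (the ISO 27701 Annex A controls and the lawful, fair and transparent handling practices) describe the same three checks an organisation has to be able to run over the PII it holds: is each record tied to a documented purpose and lawful basis, does it hold only the fields that purpose needs, and has its retention period run out. The following is an added example, not code from ISMS.online or from the ISO 27701 standard, of what such a check looks like in practice. The purpose register, the record layout, the retention periods and the sample records are all constructed for the illustration; a real register would be your organisation’s own record of processing activities.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed, hypothetical register of processing purposes. Each entry records
# the documented lawful basis (Annex A.7.2 / transparency practice 2), the
# fields that purpose actually needs (A.7.4.1 minimisation) and how long a
# record serving that purpose may be retained (A.7.4 retention periods).
PURPOSE_REGISTER = {
    "order_fulfilment": {
        "lawful_basis": "contract",
        "fields": {"name", "email", "postal_address"},
        "retention_days": 365 * 6,
    },
    "email_marketing": {
        "lawful_basis": "consent",
        "fields": {"name", "email"},
        "retention_days": 365 * 2,
    },
}


@dataclass
class PiiRecord:
    """One stored PII record with the metadata needed to review it."""
    record_id: str
    purpose: str
    lawful_basis: str
    collected_on: date
    fields: dict[str, str]
    consent_withdrawn: bool = False


def review_record(record: PiiRecord, today: date, register=PURPOSE_REGISTER) -> list[str]:
    """Return the list of privacy findings for one record (empty = compliant)."""
    entry = register.get(record.purpose)
    if entry is None:
        # Processing for an undocumented purpose cannot be lawful or transparent.
        return ["purpose not documented in register"]
    findings = []
    if record.lawful_basis != entry["lawful_basis"]:
        findings.append(
            f"lawful basis '{record.lawful_basis}' does not match documented basis "
            f"'{entry['lawful_basis']}'"
        )
    # Data minimisation: flag every field the documented purpose does not need.
    excess = set(record.fields) - entry["fields"]
    if excess:
        findings.append("fields beyond purpose: " + ", ".join(sorted(excess)))
    # Retention: the record must be deleted once its retention period has elapsed.
    expiry = record.collected_on + timedelta(days=entry["retention_days"])
    if today > expiry:
        findings.append(f"retention period expired on {expiry.isoformat()}")
    # Consent-based processing must stop as soon as the PII principal withdraws it.
    if entry["lawful_basis"] == "consent" and record.consent_withdrawn:
        findings.append("consent withdrawn; stop processing and delete")
    return findings


def retention_sweep(records: list[PiiRecord], today: date, register=PURPOSE_REGISTER) -> dict[str, list[str]]:
    """Map record_id -> findings for every record that needs action."""
    result = {}
    for record in records:
        findings = review_record(record, today, register)
        if findings:
            result[record.record_id] = findings
    return result


# Constructed sample records (fictitious people and dates).
REVIEW_DATE = date(2025, 3, 1)
SAMPLE_RECORDS = [
    PiiRecord("cust-001", "order_fulfilment", "contract", date(2020, 1, 15),
              {"name": "A. Example", "email": "a@example.test", "postal_address": "1 Test St"}),
    # Holds a field marketing does not need, and was collected over two years ago.
    PiiRecord("cust-002", "email_marketing", "consent", date(2022, 1, 10),
              {"name": "B. Example", "email": "b@example.test", "date_of_birth": "1990-01-01"}),
    # Principal has asked the organisation to stop sending marketing.
    PiiRecord("cust-003", "email_marketing", "consent", date(2024, 6, 1),
              {"name": "C. Example", "email": "c@example.test"}, consent_withdrawn=True),
    # Purpose was never documented in the register.
    PiiRecord("cust-004", "analytics", "legitimate_interest", date(2024, 9, 1),
              {"email": "d@example.test"}),
]

if __name__ == "__main__":
    for record_id, findings in retention_sweep(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(record_id)
        for finding in findings:
            print("  -", finding)
```

Run as a scheduled job, a sweep like this turns the retention periods and purpose definitions in your PIMS documentation into something that is actually enforced: the output is the action list (delete, strip fields, or correct the register) rather than a policy statement. The same findings are also the evidence an auditor will ask for when checking that the Annex A.7.4 controls operate in practice.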
Employee Training and Awareness
It is vital to train your employees to protect the personal information you hold and handle it responsibly. Consider establishing an employee training and awareness programme that addresses the importance of keeping data safe and secure. You should also share your data processing and handling policies with relevant employees, for example, employees who regularly access the PII you hold as part of their day-to-day role.
Onboarding is an ideal time to ensure a new employee is aware of your approach to data security, and regular refresher training helps keep data privacy responsibilities in mind.
Safeguarding Data Privacy is Everyone’s Responsibility
UK consumers know the risk of sharing personal information with organisations should a business fall victim to a data breach or simply fail to handle their information correctly. However, as consumers, we can also take simple steps to protect our personal information:
- Practising good password hygiene, such as using passwords of 12 or more characters built from strings of unrelated words together with numbers and special characters
- Only using secure WiFi connections and not connecting to public WiFi with limited security measures
- Ensuring we’re aware of how to identify a potential phishing attempt via email or text
- Reporting suspicious texts to Action Fraud by forwarding the message to 7726 so it can be investigated
- Checking if an email address has been compromised in previous data breaches using Have I Been Pwned, and changing passwords accordingly.
With businesses establishing stronger, more robust privacy measures such as those outlined in ISO 27701 and consumers taking steps to protect themselves and their data, we can take a unified approach to data protection, strengthen data security and thwart the efforts of malicious actors.