How many EU data subjects will leverage their GDPR rights?

GDPR may bestow on many EU citizens a set of rights as a “data subject” covered by the regulation. Organizations not respecting these rights could have serious financial consequences, reputational damage–or both. However, as I noted in my last blog–few people involved in GDPR projects believe that there will be a sharp increase in EU citizens exercising their rights as data subjects. Using current levels of interest individuals have shown in the usage, management and control of their data, many have projected that this aspect of GDPR will not be a significant burden on their organization. Admittedly, having ‘10s’ of data subjects is highly manageable on a manual basis, even accounting for human error. However, the manageability equation changes somewhat if the number of engaged data subjects can be counted in thousands, tens of thousands or even millions.

GDPR rightsI have no reliable way of looking into a post-GDPR world, where individuals are well informed as to their rights according to the law. People are likely to behave differently once they understand their rights, and how to exercise them. Past surveys of what individuals feel about data privacy, and the ability to control their data, can shed some light on potential behaviour change in the future.[i] My interpretation of these surveys is that Europeans in general will want to take control over their data–which will mean exercising their rights in much larger numbers than today. Consider the following survey results:

Approximately two thirds of people are concerned about their private data

Two separate surveys have come to the same number. In 2015 Eurobarometer found that 67% of respondents are ‘concerned about not having complete control over the information they provide online.’ This figure appears to be constant, as in 2017 Gigya’s ‘State of Consumer Privacy and Trust’ found 68% of respondents ‘don’t trust brands to handle their personal information appropriately’. A 2016 Deloitte survey on Americans showed more startling results. This survey found that 81% of respondents agreed, or strongly agreed that “Consumers have lost control over how personal information is collected and used by companies.”

61% of people take advantage of privacy settings if available

OK–so this subheading is a bit of a headline grabber, as it is only based on one social media site–Facebook. However, it is still relevant that Gigya found that as soon as Facebook offered additional privacy settings, a significant majority of people actively used these settings.

Today’s youth do care about privacy

We must not misinterpret the attachment of today’s youth to their mobile devices, and by extension to social media platforms, and sharing of data. Many people seem to think that they just need to wait a few years–the next generation will share data freely. This could be a misperception. I believe that those growing up with data sharing as second nature are far more aware of the dangers and lack of control once data has been shared.

A 2013 Pew survey of teenage social media use backed up my impression: 60% of teen Facebook users keep their profiles private and had high levels of confidence in their ability to manage their settings. This generation of social-media savvy people, also actively control their data. The survey showed that “74% of teen social media users have deleted people from their network or friends’ list; 58% have blocked people on social media sites”.

In 2015 the American Press Institute found that millennials, whilst “not highly concerned about privacy, the most frequently cited change in social media behaviour is paying more attention to and actively controlling their privacy settings than they once did.” The ‘around two thirds’ of people keeping data private, or actively managing data seems to hold true, even in younger generations.

Interestingly, a 2016 Deloitte survey found that in the US, the younger the respondent, the more likely they were to provide fake information to companies. The survey also showed the same trends with privacy settings. Roughly, the younger the respondent, the more likely they were to take control of their data through privacy settings, or not sharing accurate information in the first place.

Online trust is forecast to decrease

In 2017, the Pew Research Centre published an article on online trust. One of the six themes that came from their research was entitled: “Trust will diminish because the internet is not secure and powerful forces threaten individuals’ rights”. So, as much as individuals are concerned about their personal data now–this will only increase. Given the collective findings that today’s youth are more in control of their data than older generations–one quote from this article makes an excellent summary. Alf Rehn, professor and chair of management and organization at Åbo Akademi University in Finland, said, “Call it the iron law of internet trust–with more engagement comes more chances of glitches and hacks, which means that intelligent distrust will be a civic skill just like media literacy.” My interpretation: Intelligent distrust will drive closer protection and management of personal data over time.

Summary: Low levels of citizen engagement cannot continue

The results of these surveys show two trends:

  • Low trust in organizations who collect, manage and use personal data.
  • High levels of active privacy management –should the option be available.

The implication being that EU data subjects are likely to exercise their rights in significant numbers. There are two further possible sources for increasing activity around citizen data management and rights enactment:

  • Third party services that execute your rights for you
    • Potentially to expose companies who fall foul of the law, and are looking for a percentage of the compensation
    • Services that help you share you control access to your personal data[ii]
  • Mass protest against an organization
    • A mass enactment of rights with the express purpose of causing major disruption to an organization.

I have no basis in fact for the last two potential sources for increased enactment of data subject’s rights. However, human nature and the use of viral social media certainly point to these as possibilities.

There are around 510 million Europeans[iii] who may be protected and empowered by the GDPR. European demographics mean that 84% of these individuals–428 million people–are over 15. Just focussing on the first two drivers–(66% of Europeans actively concerned about data privacy), gives a large pool of 285 million people who are in theory in the correct state of mind to exercise their rights

The good news: Good data stewardship is good for business

The surveys included in my desktop research imply that people will welcome the increased control of their data that the GDPR provides to them, and will actively leverage their rights. Organizations should take this into consideration when prioritising solutions and business processes around data subjects’ rights amongst all their GDPR priorities. The good news is that progress on personal data management will most likely be well received within your customer base–and those who offer better services are more likely to win the trust, and hence loyalty, of many Europeans. Gigya drew strong correlations with Facebook’s increased capabilities in privacy management, and its growth in active users and income since the controls were made available. As all industries are touched by digital transformation, we need to ensure that individual people can control their data within the context of services offered. Without the ability to control individual’s data–you may be reducing your engaged customer base by two thirds. By providing strong controls and high level of information, two thirds of the population will see you in a more favourable light than your competitors.

Still not convinced about the potential for high citizen engagement?

A lot of people like complaining about government in general, and especially EU bureaucracy. It’s easy to put the GDPR into the ‘too much government’ bucket, and think it is a case of more government officials keeping themselves busy by creating red tape and regulation. If the GDPR is primarily about increased bureaucracy, it would imply the average EU citizen would not be very active in exercising their rights, as is the current thinking in many organizations. But what if the GDPR is a case of the government listening to their citizens and providing them the protection and control that they really desire? I have listed some key points from a Eurobarometer survey in data privacy below. This survey was conducted in 2015–a year before the GDPR was written into law. If these figures hold true, I think within a few short years we will be seeing a population actively engaged in managing all their personal data.

Data protection Eurobarometer Factsheet 2015

  • Two-thirds of respondents (67%) are concerned about not having complete control over the information they provide online.
  • Over half of respondents disagree with the statement, “providing personal information is not a big issue for you” (57%).
  • A majority of people are uncomfortable about Internet companies using information about their online activity to tailor advertisements.
  • Two-thirds of respondents think it is important to be able to transfer personal information from an old service provider to a new one.
  • 32% think using of data without their knowledge is a big risk (right behind victim of fraud– 50% or identity used for fraud– 40%)
  • 69% of people say that their explicit approval should be required in all cases before their data is collected and processed.
  • Almost all Europeans say they would want to be informed should their data ever be lost or stolen.
  • Nine out of ten Europeans think that it is important for them to have the same rights and protection over their personal information, regardless of the country in which the public authority or private company offering the service is based.


[i] There are already strong movements in Europe around health data sharing and management, as well as a number of organizations positioning themselves to help manage personal data.

[ii] There are already strong movements in Europe around health data sharing and management, as well as a number of organizations positioning themselves to help manage personal data.

[iii] 2016 Eurostat figures