UK Business Data Survey 2022

Question 1

Summary

Accepted Answer

There has been much work in recent years to improve our understanding of what data is used for, its value and the importance of being able to move data around, both domestically and internationally. This survey, now in its second year, is intended to continue to help the government develop its evidence base in this regard. It is accompanied by data tables containing almost all questions (subject to sample sizes) broken down by business size, sector and UK region (ITL 1).

Key findings

general patterns of digital data use remain similar to the results from the 2021 survey with 85% of all businesses surveyed said they handle digital data and almost all businesses with 10 or more employees doing so

Data acquisition and sharing:

among businesses that handle digitised data (other than employee data) 17% report sharing data outside of their organisation
31% acquire or collect data from other businesses or organisations
the three most common recipients of data sharing by businesses were as follows: 66% of businesses that share data said they share data with other businesses, 39% said employees, customers or other individuals, and 34% said public bodies; respondents could select more than one option

Data foundations and skills:

One of the four pillars of the government’s National Data Strategy is ‘data foundations’ - ensuring data of sufficient quality, consistent, accessible, properly documented, easily usable, interoperable, secure, timely and up-to-date:

at least 79% of businesses agreed their data had each of those individual characteristics with the exception that only 26% of businesses agreed their data was interoperable
businesses’ confidence in their data foundations is mirrored by the perceived sufficiency of data skills available to address businesses’ needs, with 82% of businesses that use digital data agreeing they have such data skills

Data infrastructure:

83% of businesses that use digital data use standalone devices to store and process their data, 34% reported use of cloud providers, 14% of businesses said they used servers owned by their own business; respondents could select more than one option
45% of businesses with servers said that they had servers located in the UK, 11% had servers in the EU or EEA; respondents could select more than one option
20% said their servers were not in a specific location, or the location of their servers was not specified
24% of respondents didn’t know where their servers were located
43% of businesses that use servers owned by them in a rented space said these servers were essential to the core function of their business model
41% of businesses that use servers of an outsourced IT provider or cloud provider said these servers were essential to the core function of their business model

UK data protection law:

65% of businesses that handle digital personal or employee data agree they have processes in place to deal with data protection complaints and 14% disagree (16% gave a neutral response, 5% don’t know)
61% agree that UK data protection law strikes the right balance between enabling responsible use of data and protecting individuals rights and 12% disagree (20% gave a neutral response, 6% don’t know)
47% find the regulatory guidance published by the Information Commissioner’s Office (ICO) clear and easy to understand and 18% disagree (25% gave a neutral response, 9% don’t know)
58% of businesses that use digital data have heard of the ICO and know what it is, 19% have heard of it, but don’t know what it is
9% of businesses handling personal or employee data report acquiring personal data (equivalent to 6% of all UK businesses) through the use of cookies or similar technologies, but for large businesses that handle digital personal or employee data it is 28%

International data use:

16% of businesses that use digital data transfer data overseas (13% of all businesses), with 41% of large businesses reporting this
the main regions businesses transfer data with are Europe (79% of businesses that transfer data internationally) and North America (59%); respondents could select more than one option
the two main purposes businesses transfer data overseas are for the delivery and/or receipt of goods, products, or services (65% of those transferring data internationally), and for the purpose of communications (48% of those transferring data internationally); respondents could select more than one option
a small percentage of businesses that transfer data overseas said they have been prevented from sharing data due to barriers regarding the transfer of data: 7% of businesses that handle personal data and transfer data internationally and 6% of businesses that handle non-personal data (other than employee data) and transfer data internationally
among businesses sending personal data outside of the UK, 31% report using Standard Contractual Clauses and 22% report using Adequacy as legal transfer mechanisms; respondents could select more than one option
37% of businesses that use Standard Contractual Clauses said they find them easy to use, and 15% said they found them difficult to use

Question 2

Introduction

Accepted Answer

Code of practice for statistics

The UK Business Data Survey (UKBDS) is an official statistic and has been produced to the standards set out in the Code of Practice for Statistics.

Background

The Department for Digital, Culture, Media and Sport (DCMS) commissioned the UK Business Data Survey to help the department understand the significance of data to industry, what it is used for and how it drives the economy. It also seeks to develop the evidence base around the international flow of data and difficulties encountered, as well the understanding amongst industry of the relevant regulatory framework. This second survey was carried out by Ipsos. It covers:

use of digitised data
data infrastructure, skills, and availability
awareness and attitudes towards data protection and the ICO
international transfer of data
differences by size, sector and region

Respondents from 5,084 businesses took part in this survey between 22 November 2021 and 11 February 2022. Interviews were conducted either via computer assisted telephone interview (CATI) or online. This represents a change in methodology since the previous survey, and as such, caution should be taken when making comparisons between survey years.

Weighting by industry sector and number of employees was applied to the data to ensure that the results reflect the UK business population.

All numbers reported are estimates and there is a margin of error associated with them. Differences between numbers are only highlighted in the report when they are statistically significant (at the 95% confidence level).

In addition, 32 in depth qualitative interviews were conducted with businesses that use digital data to gain further insight into their use and views around data use. Themes from these interviews are presented alongside the statistics in this report. As with any qualitative findings, however, these themes are not intended to be statistically representative.

Question 3

Chapter 1: General data use

Accepted Answer

All businesses were asked whether they collect digitised data in any form, in order to understand how widespread digitised data use is among UK businesses. A distinction was also made between whether they handle data from their employees, other forms of personal data and other forms of non-personal data. Each question in the report will specify which subgroup of businesses were asked each question.

Those who only handled non-digitised data, or who did not handle any data are included in section 1.1, but are not included in further measures in this report from section 1.2 onwards.

1.1 Use of any digital data

The majority of UK businesses handle digitised data, with an estimated 85% of businesses reporting this in 2022.

Figure 1: Percentage of businesses handling digitised data

Base: 5086 UK businesses for percentage of businesses handling digitised data other than employee data

1.1.1 Use of personal data

Overall, 63% of businesses said they use digitised personal data, other than data on their employees. This ranges from 63% for sole traders and 62% for micro businesses, to 92% for large businesses.

Businesses in the Finance and Insurance (88%), and Education (76%) sectors are more likely to utilise personal data than those in several other sectors.

Figure 2: Percentage of businesses handling digitised personal data (other than on employees), by sector

Base: 5086 UK businesses

1.1.2 Use of non-personal data

There are some variations with business size and sector for business’ handling of digitised non-personal data (other than on employees):

large, medium, and small businesses are more likely to handle non-personal data (81%, 73% and 63% respectively) than sole traders and micro businesses (52% and 51% respectively).
businesses in the Information and Communication (67%), and Professional, Scientific, Technical (64%) sectors are more likely to handle non-personal data than those in many other sectors.

1.1.3 Use of employee data

Overall, 75% of businesses (excluding sole traders) keep digital data on their employees. This includes 71% of micro businesses, compared to 94%, 97%, and 100% of small, medium, and large businesses respectively.

Qualitative findings: types of data collected and reasons for data use

During the qualitative interviews, a small number of businesses that use digitised data were asked for more details about the type of data they use and how they use it. The types of data collected can be categorised into the following themes:

data about individuals who support the delivery of the business operations, including data about employees, donors, volunteers or freelance workers
information about firms’ customers and service users, including information about students, those accessing letting agents, hotel guests, and visitors to a historical attraction
sensitive data about individuals, including health data and special category data
financial data, including funding data, financial information about individuals, staff payroll details and customer payment details
data that supports the delivery or running of the business, including bookings, commercial data, training records and data about suppliers
non-personal data, including property details, scientific data about measurements and data about appliances
information about other businesses
business performance data, including event attendee numbers and data collected through feedback forms

While some businesses only described collecting one or two of these data types, some businesses described themselves as collecting a complex range of data, and many described collecting several of these data themes.

When these businesses were asked how they use or collect data, the following themes were found:

to deliver their core business model, including to manage bookings, for business operations, selling data as part of the business model, to award qualifications, to manage deliveries and to operate as a market research company
compliance and reporting purposes. including as part of the NHS ‘test and trace’ system, tax purposes, reporting required by external organisations or to complete Disclosure and Barring Service (DBS) checks
sales and marketing purposes, including emailing special offers or for market research
communication, including with customers, clients or other businesses
to provide support, including support to individuals, to ensure students receive support needed, and signposting to services
to monitor business performance, including monitoring student attendance and through analysis of product data
business administrative purposes, including for accounting and to pay staff

1.2.1 Acquiring data from other businesses and organisations

An estimated 31% of businesses that use digitised data (other than employee data) report acquiring or collecting data from other businesses or organisations. This ranges from 29% of sole traders to 53% of large businesses (see [figure 3]{#fig3} below). There is some limited variation across sectors with businesses in the Professional, Scientific, Technical sector (48%) more likely to acquire data in this way than those in many other sectors.

Figure 3: Percentage of businesses acquiring or collecting data from other businesses or organisations, by business size

Base: 4204 UK businesses that use digitised data (other than employee data)

When personal and non-personal data are considered separately, we find:

20% of businesses that use digitised data (other than employee data) acquire or collect personal data from other businesses or organisations
this ranges from 19% of sole traders to 41% of large businesses (see figure 3 above)
businesses in the Finance and Insurance (35%), Professional, Scientific, Technical (33%), and Administrative and Support Service (28%) sectors are more likely than those in many sectors to acquire personal data from other businesses or organisations
26% of businesses that use digitised data (other than employee data) acquire or collect non-personal data from other businesses or organisations
this ranges from 24% of sole traders to 44% of large businesses (see figure 3 above)
businesses in the Professional, Scientific, Technical sector (41%) are more likely to acquire non-personal data from other businesses or organisations than those in some other sectors

Approximately 17% of businesses that said they used digitised data (not counting employee data) report sharing any data outside of their organisation (whether that data is personal or non-personal). This ranges from 16% of sole traders to 48% of large businesses.

The results are broadly similar when personal or non-personal data is considered specifically: 13% of businesses handling digital data (other than employee data) said they share personal data (rising to 45% of large businesses) and 13% share non-personal data (rising to 34% of large businesses). Note, the difference between the percentage of large businesses that share personal data and non-personal data is not statistically significant.

Within each category of business size, rates of sharing personal data compared with non-personal data were similar.

Base: 4204 UK businesses that said they use digitised data (other than employee data)

The following variations across sectors were found for sharing data (whether personal or non-personal):

businesses in the Finance and Insurance sector (42%) are more likely to say they share data outside their organisation compared with businesses in most other sectors
businesses in the Professional, Scientific, and Technical sector (25%) are also more likely to share data than businesses in some other sectors

Qualitative findings: data sharing

During the qualitative interviews, a small number of businesses were asked for more details about data sharing, which can be grouped into the following themes.

Reasons for sharing data:

legal or statutory purposes, including sharing information with government departments, public authorities, exam boards and responding to subject access requests
to deliver the business model or service, including sharing data about pupils, managing hotel bookings through a third party, sharing training course materials, managing appointments, sharing property details and managing an outsourced delivery company
for reporting purposes, including passing on customer complaints, sharing data with accountancy firms and reporting carbon emission target data
administrative purposes, including to manage payroll, pensions and sharing data with an external human resources system
for fundraising or funding purposes
to meet contractual obligations
data sharing data is a core part of the service the business provides, including providing data to customers, providing information to clients and where selling data is part of the business model

Benefits of data sharing:

data sharing provides financial benefits
improves the service the business provides to clients
allows the receiving business to grow or innovate
allows the business to provide wider social benefits
enables the organisation to monitor their own performance

Whether business would like to share more data or start sharing data:

sharing more data could provide financial benefits
better access to data from outside the organisation or more data sharing could lead to efficiencies and better service delivery

Others, however, said:

the business already shares enough data and wouldn’t benefit from sharing more data
the business doesn’t see the benefits of sharing more data without the capacity to analyse that data
there is a lack of business need to start sharing data

This year businesses were asked about who they share data with:

66% of businesses that share data share it with other businesses
39% of businesses share data with employees, customers or other individuals
34% share data with public bodies
see figure 6 below for a Venn diagram of the overlap between these three most reported recipients
15% share data with charities or non-profit organisations
12% share data with branches of their own business or corporate group

Base: 942 UK businesses that said they use digitised data (other than employee data) and that said they share digitised data

Many businesses send data to more than one recipient and there are substantial overlaps of businesses sharing to different recipients. For instance, 12% of businesses that share data do so with other businesses, individuals, and public bodies, whilst 8% share data with other businesses and public bodies, but not individuals. See figure 6 for a comparison of the relative overlap between the three main recipients of data sharing by businesses.

Figure 6: The relative overlap of the three main recipients of data sharing

Base: 942 UK businesses that said they use digitised data (other than employee data) and that said they share digitised data

The following size and sector differences were found for each data sharing recipient group.

For sharing with other businesses:

there is no statistically significant variation across business size as to whether businesses that share data, share it with other businesses

For sharing with other branches of your business or corporate group:

large and medium sized businesses that share data (52% and 35% respectively) are more likely to share data with this group than sole traders, or micro businesses (9% and 13% respectively)
the above is unsurprising as it could be expected that larger businesses would be more likely to have other branches or be part of a corporate group

For sharing with employees, customers or other individuals:

there is no evidence for variation with business size for whether a business that shares data, shares with employees, customers or other individuals

For sharing with public bodies:

the likelihood of sharing data with public bodies shows variation depending on business size similar to that found with businesses sharing to other branches or corporate groups
businesses with 10 or more employees that share data are more likely to share data with this group than businesses with 9 or fewer employees

For sharing with charities or non-profit organisations:

large businesses that share data (36%) are more likely to share data with this group than sole traders, micro or small businesses (15%, 15%, and 13% respectively)

Qualitative findings: challenges to data sharing

During the qualitative interviews, a small number of businesses were asked about barriers or challenges to data sharing. This includes challenges faced by businesses that share data, and among businesses that don’t share data, the barriers preventing them from doing so. The following themes were found:

concerns about the risks of data sharing, including risks around data protection compliance, risk of data breaches, data security risks, the data handling practices of data recipients or business reputational risks
skills or knowledge of data protection rules relating to data sharing
resource intensive, including in staffing, in setting up data sharing agreements, in managing large data sets or in upgrading technology
issues with standardisation including challenges with using different data systems, and with online access permissions varying between companies
ensuring compliance with international data sharing rules

1.2.2.1 Privacy enhancing technologies and data intermediaries

Privacy enhancing technologies (PETs) technologies are designed to enable data to be analysed without sensitive information being released, protecting privacy or confidentiality. PETs range from traditional forms of encryption, to emerging technologies (see the Centre for Data Ethics and Innovation guide to What are PETs? for more information).

Data intermediaries cover a range of different activities and governance models for organisations that act between a data originator and data user to facilitate greater access to or sharing of data (see the Centre of Data Ethics and Innovation report on Unlocking the value of data: Exploring the role of data intermediaries for more information).

Businesses that either send or receive data from outside their organisation were asked if they use additional privacy enhancing technologies or data intermediaries when sending or receiving sensitive data:

27% said they use PETs
15% said they use a third party or intermediary
21% said the question was not applicable because the data they transfer is not sensitive
40% said they use none of these

Note that respondents could respond with that they use both PETs and third parties or intermediaries.

Base: 1874 UK businesses that said they use digitised data (other than employee data) and that said they acquire or collect data, or share data with other businesses or organisations

The following differences were found in breakdowns of business size and sector.

For use of PETs:

large (63%) and medium (57%) businesses that send or receive data were more likely to use PETs when doing so than sole traders (23%), micro (33%) and small (42%) businesses
businesses that send or receive data in the Finance and Insurance (48%), Human, Health and Social Work (40%), Information and Communication (35%), and Professional, Scientific, Technical (31%) sectors were more likely to utilise PETs than those in the Construction sector (14%)

For use of a third party or intermediary:

sole traders were less likely to say they use a third party or intermediary (13%) than larger businesses (see figure 8 below)
businesses in the Professional, Scientific, Technical sector (19%) are more likely to say they use a third party or intermediary than those in the Wholesale and Retail, Repair of Motor Vehicles sector (7%)

Base: 1874 UK businesses that said they use digitised data (other than employee data) and that said they acquire or collect data, or share data with other businesses or organisations

Sole traders are more likely than businesses with 50 or more employees to say they don’t use PETs, third parties, or intermediaries and more likely to say these are not applicable than businesses with 10 or more employees to their data transfers. This is consistent with the pattern of whether or not they process sensitive personal data, reported in section 1.6.2.2 later in the report.

Qualitative findings: how businesses share data

During the qualitative interview, a small number of businesses that share data were asked about the systems used to share data (not necessarily sensitive or personal data). The responses can be grouped into the following themes:

online portal or data sharing software, including a file transfer site, outsourced HR systems or online forms
using file transfer protocols or privacy enhancing technologies
through cloud providers
data shared through emails
different systems are used in different circumstances
businesses ensure data sharing agreements are in place when sharing data

In addition, businesses were asked if they either charge a fee to provide data, or if they pay to receive data. The themes included:

data sharing for a fee, including businesses selling data as part of their business model and data is shared as part of a wider contractual agreement
no fees involved, including sharing free of charge, the business doesn’t buy data and the business has a policy not to buy or sell data

1.3 Data foundations

One of the four pillars of the government’s National Data Strategy is ‘data foundations’ - ensuring data is fit for purpose. In order to assess these data foundations amongst businesses, respondents were asked a series of questions about the data they hold in terms of its quality and accessibility. The definitions of these data characteristics can be found in the supporting information at the end of this report. More information about the background of the development of the questions used to measure ‘data foundations’ here can be found in a report conducted on behalf of DCMS by Ernst & Young from July 2021 titled Data foundations and AI adoption in the UK private and third sectors.

The majority of businesses agreed (either strongly agreed or tended to agree) that data in their business was of sufficient quality for their business’ needs, consistent, accessible, properly documented, easily usable, secure, timely or up-to-date, (at least 79% agreeing in each category, with at least 51% strongly agreeing in each category). In contrast only 26% of businesses agreed that their data was interoperable (can be easily combined with other datasets and used across different systems).

Figure 9: Businesses assessment of their data

Base: 2316 UK businesses that said they use any form of digitised data; some data are suppressed due to small numbers, which is why not all categories sum to 100%.

There is no statistically significant variation across business size found for the categories: of sufficient quality for your business’ needs; consistent; accessible; or easily usable; secure; timely or up-to-date. There is some variation with business size seen for whether businesses said their data is interoperable.

Figure 10: Businesses that agreed (strongly or tended to agree) that their data is interoperable, by business size

Base: 2316 UK businesses that said they use any form of digitised data

Qualitative findings: barriers or challenges to increasing digital data use

During the qualitative interviews, a small number of businesses were asked what is stopping them from using data more. Businesses gave a range of responses, which can be summarised into the following themes.

A lack of resources, skills or confidence in using digital data, including:

resourcing challenges, including recruitment issues, concerns about costs or a lack of time to do more with data
business already has a lot of data, but there are challenges in utilising, processing or analysing this data
a lack of confidence or desire to increase use digitised data systems

Concerns linked to the data rules, including:

changing some aspects of personal data use following the introduction of GDPR and DPA 2018, including reducing data use for marketing and risk of subject access requests limiting the data that’s collected (further information about views regarding the data protection legislation can be found in chapter 2)
challenges in gaining consent from data subjects to collect personal data
concerns about data security risks

Challenges relating to international data use, including:

barriers relating to international data sharing rules
a perception that the UK exiting the European Union has affected their international data use (further details about international data use and barriers can be found in chapter 3)

A lack of need or desire to push for more data use, including:

a lack of push from senior level to increase or invest in digital data use
a perceived lack of business need to use data more or that they currently use data as much as they need to

1.4 Data skills

Another pillar of the government’s National Data Strategy is data related skills. Businesses were asked whether they had sufficient data skills in their organisations to meet their needs:

82% of businesses agreed (either strongly agreed or tended to agree) their business has sufficient data skills to meet its needs
there was no statistically significant variation between business size or sector in response to this question

The lack of variation with business size is not necessarily surprising. Large businesses might be expected to have more resources to train staff and also have the capacity for greater numbers of specialist staff, than smaller businesses, but the question asks whether respondents felt their staff had sufficient data skills to meet the business’ need. For instance, a large company specialising in artificial intelligence will need more ‘data skills’ than the small café, but both could be equally meeting their business needs in this regard.

Note that a separate question relating to the training of existing staff with regards data protection is explored in chapter 2 on UK data protection law.

Figure 11: Business’ opinion of their data skills meeting their needs, by business size

Base: 2316 UK businesses that said they use any form of digitised data; some data are suppressed due to small numbers, which is why not all categories sum to 100%.

1.5 Data availability

Another pillar of the government’s National Data Strategy is data availability. Businesses were asked to assess whether they felt data from outside of their organisation had become more available in the last three years, and for those who thought it had, the benefits of this increased availability are explored:

37% of businesses that handle digitised data thought that data from outside their businesses had become a great deal or a fair amount more readily available to their business in the last three years
47% thought that data had not become more readily available (either not very much or not at all more) within the last three years
15% of respondents were not sure either way
small and medium businesses (49% and 55% respectively) were more likely to say data had become more available in the last three years (either a great deal or a fair amount) than sole traders (35%)
sole traders (22%) were more likely to say data has not become at all more readily available in the last three years than small and medium businesses (13 and 10% respectively)

Figure 12: Business’ opinion whether data has become more readily available in the last three years, by business size

Base: 2309 UK businesses that said they use any form of digitised data; some data are suppressed due to small numbers, which is why not all categories sum to 100%.

Businesses that said data had become more readily available in the last three years were also asked to comment on whether this increased availability had led their businesses to perform the same functions more efficiently or innovate and perform new functions:

56% of these businesses thought that this increased availability of data had led their business to perform the same functions more efficiently
43% of these businesses said that this increased availability had led their business to innovate and perform new functions

Figure 13: Business’ opinion whether increased availability of data in the last three years has led their business to perform the same functions more efficiently, and whether it has led them to innovate and perform new functions

Base: 979 UK businesses that said they use any form of digitised data and said that data has become more readily available; data for “Prefer not to say” are suppressed due to small numbers, which is why not all categories sum to 100%.

Examining the results by size of business:

an estimated 72% of large and 69% of medium businesses agree (either strongly or tend to agree) that increased availability of data in the last three years has led them to innovate and perform new functions, this is compared to an estimated 40% of sole traders who said the same

This suggests that larger businesses have more capacity to make more use of data. This is corroborated by results from questions in the 2021 survey, where businesses were asked about whether they use data to generate insights or knowledge and whether they had hired staff either to lead on internal research and development or to use data to improve marketing or sales performance. Large businesses were more likely than smaller businesses to use data to generate insights or knowledge. Large businesses were also more likely than micro businesses to hire staff either to lead on internal research and development or to use data to improve marketing or sales performance.

The sample size answering this question is not sufficient to provide further breakdowns by business demographics.

Qualitative findings: expected changes in data use over the next five years

In the qualitative interviews, a small number of businesses were asked how they expected data use to change in the next five years, and businesses gave a range of views which can be grouped into the following themes.

Changes to digital data systems, including:

introducing new technologies or data systems have the potential to drive efficiencies in data use of collection
moving from paper data systems to digital systems either has affected, or will affect the way business handles data

Expecting changes in the levels of data use over time, including:

expecting the amount of data to increase, that different types of data may need to be collected or that the business will do more data analysis
expecting changes in levels of data collected to be linked with the growth of the business
changes in future data use will be driven by external factors, such as competitors use of data or changes in customer base
business plans to or would like to improve data use and analysis to improve service provision

Potential future challenges, including:

changes in the types of data collected in future to raise new challenges in data analysis
a perception that cyber security should be a greater focus in the future
concerns that potential changes to the data protection legislation could increase workload for their business

A perception that data use is likely to stay the same over the next five years, including:

being happy with the current level of data use within the business
suggesting it may useful to have access to certain types of data they don’t currently have access to

1.6 Data infrastructure, responsibility and security

Mission 4 of the government’s National Data Strategy is to ensure the security and resilience of the infrastructure on which data relies. This section of the report explores these topics in relation to businesses. Statistics relating to cyber and data security can also be found in the DCMS Cyber security breaches survey and Cyber security longitudinal survey.

1.6.1 Data infrastructure

Businesses were asked about the data infrastructure they used. For instance: standalone devices, servers, outsourced IT services providers, cloud services providers. The following was found:

83% of businesses that handle digitised data use standalone devices to store and process their data
19% said they use public cloud providers
15% said they use private cloud providers
14% said they use servers owned by their own business (whether in their offices or another location owned by the business)
4% said they use servers owned by them in a rented space in a data centre
7% said they use servers of an outsourced IT services provider

Figure 14: Data infrastructure used by businesses

Base: 2305 UK businesses that said they use any form of digitised data

Many businesses use multiple methods of storing data as part of their data infrastructure. For instance:

24% of businesses use both standalone devices and cloud providers (whether public or private)
16% of businesses use some form of server or outsourced IT provider as well as standalone devices
7% of businesses use standalone devices, cloud providers and some form of server
49% of businesses use only standalone devices

See figure 15 below for a comparison of the relative overlap between the different types of data infrastructure. Note that in this figure cloud providers have been combined into a single category, as have all forms of servers including outsourced IT service providers.

Figure 15: The relative overlap of data infrastructure used by businesses

Base: 2305 UK businesses that said they use any form of digitised data

Considering the results by business size for each of the categories, the following is found.

For standalone devices:

there is no statistically significant variation of use of standalone devices with business size and most businesses that use some form of server or cloud provider also use standalone devices

For servers owned by businesses in their own offices or data centres:

large and medium sized businesses (72% and 63% respectively) were more likely than smaller businesses (ranging 10% of sole traders to 44% of small businesses) to use servers in their own buildings or data centres

For servers owned by businesses in a rented space in a data centre:

businesses with 10 or more employees (ranging from 11% of small businesses to 15% of large businesses) were more likely to use servers owned by them in a rented space than sole traders (4%)

For servers of an outsourced IT services provider:

small, medium, and large businesses (16%, 21%, and 28% respectively) were more likely than sole traders and micro businesses (5% and 7% respectively) to use servers of an outsource IT services provider

For public cloud providers:

medium and large businesses (33% and 42% respectively) were more likely than sole traders and micro businesses (both 19%) to use public cloud providers

For private cloud providers:

large businesses (36%) were more likely than sole traders and micro businesses (both 15%) to use a private cloud provider

The qualitative findings give more details about the type of data storage used and the reasons for choosing either internal or external data storage methods.

Qualitative findings: types of data storage used

During the qualitative interviews, a small number of businesses were asked about the type of data storage they used. The storage methods used can be grouped into the following themes:

internal servers, including cloud with server on site and network-attached storage drives
paper-based data, including paper files kept in a safe and keeping hard copies of digital data
externally hosted services, including external cloud services, email services, external servers, a client portal, data backup services, industry specific software and disaster recovery sites
physical devices, including laptops, computer, tablets and mobile phones
external physical storage devices, such as a USB memory stick
business uses multiple data storage methods, including a mix of internal and external storage, using multiple hard drives, hosting servers on multiple sites, using different systems for different data, preferring a ‘hybrid’ system and using more than one data centre

1.6.1.1 Server locations

Businesses that said they used servers that were not in buildings owned by them (that is servers in rented spaces, outsourced IT services, and cloud providers) were asked where those servers were located. In particular whether they were in the UK, the EU or EEA, or outside of these countries. Businesses were able to select multiple locations if applicable. Of businesses that store data away from their own premises:

45% have servers located in the UK
11% have servers in the EU or EEA
5% have servers outside the EU or EEA in countries that are deemed adequate by the UK (at the time of the fieldwork)
1% have servers outside the EU in countries that are not deemed adequate by the UK
20% said their servers were not in a specific location, or the location of their servers was not specified (contracts with providers of servers are not required to specify the location of said servers)
24% of respondents didn’t know where their servers were located
45%^{[footnote 1]} of respondents, therefore, were not able to say where their servers were located, whether that was because the location was not specified, or they didn’t know

While many well known cloud providers are based in non-adequate countries, such as the USA, these companies also have EU and UK based servers.

Figure 16: Locations of servers used by businesses

Base: 987 UK businesses that said they use any form of digitised data, and that they also store away from their premises

Sole traders with servers (23%) were more likely than medium businesses (8%) to say their servers had no specified location.There was no variation with business size for whether businesses specified locations outside the UK (whether in the EU or EEA or not) or whether respondents did not know where their servers were located.

1.6.1.2 Dependency on servers

As part of exploring data infrastructure resilience, businesses who use servers were asked how dependent their businesses were on those servers.

Businesses that use servers owned by them in a rented space were asked separately about this than businesses who use services outsourced to IT providers or cloud services (businesses who use both types of servers would be asked both questions). The results suggest dependency on both types of servers are similar.

For servers owned by businesses in a rented space:

43% of businesses that used servers owned by them in a rented space said these are essential to the core function of their business’ model
11% said these servers are essential for important secondary functions within their business
27% said these servers are useful but not necessary for their business (the broad confidence limits mean there is no statistically significant difference between this result and that for businesses that said these servers were essential)
14% said that they are not very important

For outsourced servers or cloud-based servers:

41% of businesses that used outsourced servers or cloud-based servers said these are essential to the core function of their business’ model
20% said these servers are essential for important secondary functions within their business
31% said these servers are useful but not necessary for their business
7% said that they are not very important

Figure 17: Businesses’ dependency on servers

Base: Company servers in rented space: 162 UK businesses that said they use any form of digitised data, and that they also store away from their premises in a rented space
Base: Outsourced or cloud servers: 931 UK businesses that said they use any form of digitised data, and that they also store their data with some form of external provider

Qualitative findings: reasons for selecting data storage methods

During the qualitative interviews, a small number of businesses were asked for their reasons for using internal or external storage systems. Themes for those who store data externally were:

external storage is viewed as safe, includes viewing them as secure, easier to manage access than internal data storage and better at protecting against physical risks to data
external storage is cost effective, accessible and easy to use, for example by not requiring internal knowledge to maintain the servers, being able to access data remotely and can hold more data
the systems used by the business holds data externally, such as email servers or software packages with cloud storage provided
for backup purposes, including against physical risks such as flooding

Themes were similar for business’ reasons for storing data internally:

internal data storage was preferable to external storage, including considering internal storage to be safer than external storage, considering them to be secure, and that it is more cost effective for the business than external systems
to keep data within their own business so no one else can access it and to ensure they have control of it
to back up data, including backing up data stored externally, or using internal servers for backing up data
cloud systems aren’t suitable for their business needs, including being incompatible with software they use or not providing enough storage

The sample size answering about rented space for their own servers is not sufficient to provide breakdowns by business demographics.

The following differences across business size and sector were found amongst businesses that store data with outsourced servers or cloud-based servers:

businesses with 50 or more employees were more likely to say their outsourced or cloud servers were essential to the core functions of their business’ model than sole traders
sole traders were more likely than micro, small or medium to say they are useful but not necessary

Figure 18: Businesses’ dependency on outsourced or cloud servers, by business size

Base: 931 UK businesses that said they use any form of digitised data, and that they also store their data with some form of external provider; some data are suppressed due to small numbers, which is why not all categories sum to 100%.

1.6.2 Handling personal and sensitive data

Businesses were asked about the types of sensitive personal and non-personal data they handle and about the number of people they hold personal data on.

1.6.2.1 Numbers of people businesses hold personal data on

Businesses that process personal data (either of employees or others) were asked how many people they hold personal data on:

48% of businesses handle personal data on fewer than 100 people
35% said they handle personal data on 100 to 999 people
14% of businesses said this number was between 1000 and 99,999 people
fewer than 1% selected any higher numbers

There were differences to the answer to this question depending on business size:

16% of large businesses reported handling personal data for 100,000 or more people, compared to 3% of medium businesses (the data for smaller businesses is suppressed due to small sample sizes)
sole traders, micro, and small businesses are more likely to handle data on 100 or fewer people compared to medium businesses (with results of large businesses being suppressed due to low number of respondents)
the above results are expected given that businesses that have 50 or more (medium) or 250 or more (large) employees wouldn’t be expected to hold data on fewer than 50 (or 250) people
the breakdown by business size for businesses handling personal data on one million or more people are suppressed due to small numbers to avoid disclosure

Figure 19: The number of people businesses hold personal data on, by business size

Base: 2063 UK businesses that said they process personal data (either of employees or others); some results are suppressed due to small numbers.

1.6.2.2 Processing of sensitive personal data

Businesses that handle digitised personal data or employee data were asked if they collect certain types of data that are considered sensitive (for example, data on children, health or criminal records):

11% handle children and young people’s data (personal data for under 18s)
9% handle data classified as special category (for example, data revealing information on health, racial or ethnic origin, and political opinions)
6% handle criminal convictions and offences data
13% said they handle other types of sensitive data
68% said they did not handle any of these types of sensitive data

Figure 20: Types of sensitive personal data processed by businesses, by business size

Base: 2063 UK businesses that said they process personal data (either of employees or others)

The following variations with size of business were found.

For processing personal data relating to children and young people:

large, medium, and small businesses were more likely than micro businesses or sole traders to process personal data relating to children and young people

For processing special category data:

large and medium businesses were more likely to process this data than smaller businesses

For processing personal data relating to criminal convictions and offences:

large, medium, and small businesses were more likely than micro businesses or sole traders to process personal data relating to criminal convictions and offences

The sample size answering this question is not sufficient to provide further breakdowns by business demographics.

1.6.2.3 Processing of sensitive non-personal data

Businesses that handle digitised data were asked if they collected any sensitive types of non-personal data such as operational data, intellectual property, commercially sensitive data, or anonymised data about individuals:

30% said they collected operational data, the most common type of sensitive non-personal data collected by businesses
commercially sensitive, intellectual property and anonymised data about individuals were reported in roughly equal measure (10-15%), with the percentage of businesses collecting commercially sensitive data being greater than those collecting data relating to intellectual property
51% said they did not collect any of these types of sensitive non-personal data

Figure 21: Types of sensitive non-personal data processed by businesses, by business size

Base: 2331 UK businesses that said they use any form of digitised data

The following variations with size of business were found.

For operational data:

businesses with 10 or more employees were more likely to report handling operational data than sole traders and micro businesses (see figure 21 above)

For intellectual property:

medium sized businesses were more likely to report handling intellectual property data than micro businesses

For commercially sensitive data:

medium and large businesses were more likely to report handling commercially sensitive data than sole traders and micro businesses

For anonymised data about individuals:

medium and large businesses were more likely to report handling anonymised data about individuals than sole traders and micro businesses

The sample size answering this question is not sufficient to provide further breakdowns by business demographics.

1.6.2.4 Precautions for handling sensitive data

Businesses that handle sensitive data (whether personal or non-personal) were asked which extra precautions they put in place around the storage, processing, or movement of data classified as especially sensitive. Methods suggested to respondents included:

technical measures (including encryption, network security and anonymisation)
specific storage, processing and/or data movement requirements
administrative and user access controls
contractual or legal limitations on data sharing

Among businesses that handle sensitive data:

63% of businesses use administrative and user access controls
48% use technical measures
27% use specific data storage, processing or moving requirements
30% use contractual or legal limitations
17% said they don’t use any of these extra protections

See qualitative findings box on precautions for handling sensitive data box for more detail about methods used for storing sensitive data.

Figure 22: Extra precautions used by businesses handling sensitive data, by business size

Base: 1468 UK businesses that said they collect sensitive data (whether personal or non-personal); some results are suppressed due to small numbers.

The following variations with business size were found (see figure 22 above).

For technical measures, specific requirements (whether for storage, processing and/or data movement), and contractual or legal limitations on data sharing:

businesses with 10 or more employees were more likely to use this than sole traders and micro businesses

For administrative and user access controls:

medium and large businesses (88% and 89% respectively) were more likely to use this than sole traders and micro businesses (59% and 69% respectively)
small businesses (77%) were more likely to use this than sole traders (but not micro businesses)

Qualitative findings: precautions for handling sensitive data

During the qualitative interviews, a small number of businesses that handle sensitive data were asked about extra precautions they put in place for this data. The following themes were found:

minimising the amount of sensitive data held or collected, including, deleting data that’s no longer needed and avoiding recording certain types of data
limiting who has access to the sensitive data, including monitoring who can access the data or requiring consent from the data subject before sharing the data
limiting where data is stored, including keeping sensitive data internally only, keeping it all in one place and limiting the number of systems holding sensitive data
using secure emails
putting in place contracts such as an end-user licence agreement
tools to protect data, including encryption and passwords
extra protection for paper data, including shredding files when no longer needed, keeping files locked away and using recorded delivery if sending paper files
handling this data the same way as they handle any other data, including treating all data as though it were sensitive data and treating all data storage systems as though they could contain sensitive data

Question 4

Chapter 2: Data protection law

Accepted Answer

The Data Protection Act 2018 (DPA) sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It was amended on 1 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.

It sits alongside and supplements the UK GDPR - for example by providing exemptions. The UK GDPR came into effect on 1 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies. It is based on the EU GDPR, which applied in the UK before that date, with some changes to make it work more effectively in a UK context.

The government will take forward a set of reforms on the UK’s data protection laws as part of the UK’s National Data Strategy.

2.1 Perceptions relating to UK data protection law

Businesses that handle digitised personal data were asked their opinion on different questions relating to UK data protection law and complaints. Among these businesses:

65% agreed (either strongly agreed or tended to agree) that they had processes in place to deal with data protection complaints and 14% disagree
61% agreed that UK data protection law strikes the right balance between enabling responsible use of data and protecting individuals’ rights and 12% disagree
47% agreed that the regulatory guidance published by the Information Commissioner’s Office (ICO) is clear and easy to understand and 18% disagree

These results are discussed in greater detail in sections 2.1.1 to 2.1.3 below.

2.1.1 Processing data protection complaints

When considering respondents’ opinions about whether their business has processes in place to deal with data protection complaints from the public, the following variations with business size and sector were found:

businesses with 10 or more employees were more likely to agree that their business had processes in place to deal with data protection complaints from the public than sole traders and micro businesses
businesses that handle digital personal data in the Finance and Insurance sector (88%) are more likely to agree than those in the Professional, Scientific, Technical, Information and Communication, Manufacturing, and Construction sectors (64%, 60%, 56%, and 54% respectively)
businesses in the Human, Health and Social Work sector (80%) are more likely to say the same than the Manufacturing, and Construction sectors

Figure 23: Percentage of businesses that have processes in place to deal with data protection complaints from the public

Base: 4117 UK businesses that said they process personal data (either of employees or others); some data are suppressed due to small numbers, which is why not all categories sum to 100%.

2.1.2 Balance of UK data protection law

When considering respondents’ opinions about whether UK data protection law strikes the right balance between enabling responsible use of data and protecting individuals’ rights, the following variations with business size and sector were found:

businesses with 10 or more employees were more likely to agree that UK data protection law strikes the right balance between enabling responsible use of data and protecting individuals’ rights than sole traders and micro businesses
there was no statistically significant variation across sectors

Figure 24: Percentage of businesses who feel UK data protection law strikes the right balance between enabling responsible use of data and protecting individuals’ rights

Base: 4117 UK businesses that said they process personal data (either of employees or others); some data are suppressed due to small numbers, which is why not all categories sum to 100%.

Qualitative findings: views on the data protection legislation

During the qualitative interviews, a small number of businesses were asked their views on how they find complying with the data protection legislation. There were a range of views expressed, which can be grouped into the following themes:

it was more challenging when GDPR and the DPA 2018 was first introduced, including that there was a lot of up front work, such as getting documents and policies in place or that it was stressful at the time, and now the initial upfront work has been completed, compliance is part of the business as usual running of the businesses
compliance is not currently burdensome, including where businesses were already doing these activities prior to the changes in legislation, that they find it easy or straightforward to comply, that they collect little personal data, that the rules are working well for them and not thinking they have much data that falls under GDPR
currently find compliance challenging, including adding to existing workloads and feeling there should be greater freedom on the use of publicly available data
compliance is challenging for certain businesses, including small businesses or those who don’t share much data
occasionally compliance can cause minor challenges, including because customers don’t always consent to receive marketing and that it can occasionally be time consuming
the rules are necessary, including considering it to be important to keep data safe, accepting the rules despite them being inconvenient, and considering the laws to be appropriate
views on what compliance means in practice, including believing compliance is about being careful with data and that the business takes a ‘common sense’ approach to data protection

2.1.3 Regulatory guidance published by the ICO

An estimated 47% of respondents from businesses that handle digital personal data agreed (either strongly agreed or tended to agree) that they find the regulatory guidance published by the ICO clear and easy to understand. Whilst 18% disagreed the guidance was clear and easy to understand.

The following variations with business size and sector were found:

businesses with 10 or more employees were more likely to agree with the statement that the guidance published by the ICO is clear and easy to understand than sole traders and micro businesses
the above may be due to these businesses being more likely to employ specialist staff to lead on data protection (as found in the 2021 UK Business Data survey)
businesses in the Professional, Scientific, Technical sector (53%) are more likely to agree (either strongly or tend to agree) that regulatory guidance published by the ICO is clear and easy to understand than those in the Manufacturing sector (36%)
there was no statistically significant variation across sectors for those who disagreed

Figure 25: The extent to which businesses find the regulatory guidance published by the ICO clear and easy to understand

Base: 4117 UK businesses that said they process digitised personal data (either of employees or others); some data are suppressed due to small numbers, which is why not all categories sum to 100%.

2.2 Barriers resulting from unclear guidance to UK data protection law

In our sample, 18% of businesses that handle digitised personal data said they did not find the UK data protection law guidance clear or easy to understand. This subset of businesses were then asked if they had experienced barriers because of this relating to UK data protection law in the last 12 months:

of businesses that didn’t find the guidance clear 41% (7% of businesses that handle digitised personal data) expressed a disproportionate time spent working out the requirements of the UK data protection law as a result
5% (1% of businesses that handle digitised personal data) said they were prevented in the implementation of a new or significantly improved product, process or business model
8% (1% of businesses that handle digitised personal data) stopped or reduced international trade because of worries around compliance with international transfers requirements
6% (1% of businesses that handle digitised personal data) needed to outsource compliance with data protection laws to specialist staff
48% (8% of businesses that handle digitised personal data) of businesses that didn’t find the guidance clear said they experienced none of these barriers

As discussed above in section 2.1.3, respondents for large and medium sized businesses were more likely to agree that the ICO guidance was clear. This means that very few were asked this question and their responses are suppressed in size breakdowns to avoid disclosure. The following insights can be made relating to business size breakdowns.

For disproportionate time spend working out the requirements:

small businesses were more likely to say they spent a disproportionate amount of time working out the requirements of the UK data protection law than sole traders

For outsourced compliance:

small businesses were more likely to say they outsourced compliance with data protection laws to specialist staff than sole traders and micro businesses

2.3 Compliance activities, costs, and burdens

2.3.1 Activities undertaken to comply with UK data protection law

Businesses that said they process personal or employee data were asked if they had undertaken particular activities to comply with UK data protection laws in the last 12 months, for instance, seeking legal advice or updating a privacy notice. Only businesses that employ staff were asked if they had hired new staff, or run training for existing staff. Only businesses that said they handled personal data (other than employee data) were asked if they had introduced opt-in consent mechanisms or responded to Subject Access Requests.

For businesses that process digitised personal data (either of employees or others), the following was found:

42% of businesses that handle personal data said they had not undertaken any of the specified activities in the past 12 months
sole traders and micro businesses contributed the most to the above result (see figure 26 below)
29% said they had rewritten or updated terms and conditions
29% had rewritten, updated or introduced a privacy notice
16% said they had updated how they manage cookies and tracking technologies used by their business, but this rises to 43% of businesses that acquire personal data using cookies. (further analysis of use of cookies is discussed in section 2.6 below)

Figure 26: Percentage of businesses undertaking activities to comply with UK data protection law in the last 12 months, by business size

Base: 4117 UK businesses that said they process personal data (either of employees or others)

The following variations with business size were found:

large and medium businesses were more likely than sole traders and micro businesses to undertake all these activities
48% of large businesses said they had updated how they manage cookies and tracking technologies used by their business, but this rises to 85% of large businesses that acquire personal data using cookies

For businesses that employ staff:

29% have run training for existing staff in the last year
7% have hired new staff or outsourced specialist staff to handle data protection requirements
small, medium and large businesses (13%, 15%, and 22% respectively) were more likely than micro businesses (5%) to say that they had hired new staff or outsourced specialist staff to handle data protection requirements
larger businesses were more likely than smaller businesses to run training for existing staff (23%, 49%, 64%, and 79% for micro, small, medium, and large businesses respectively)

Figure 27: Percentage of businesses that employ staff undertaking staff-specific activities to comply with UK data protection law in the last 12 months, by business size

Base: 3055 UK businesses that said they process personal data (either of employees or others) and employ staff

For businesses who handle digitised personal data (other than employee data):

18% reported having introduced opt-in consent mechanisms
5% have responded to Subject Access Requests
sole traders and micro businesses were less likely than larger businesses to say they introduced an opt-in consent mechanism
larger businesses were more likely than smaller businesses to say they had responded to Subject Access Requests

Figure 28: Percentage of businesses who handle personal data undertaking activities specifically relating to processing personal data other than employee data to comply with UK data protection law in the last 12 months, by business size

Base: 3400 UK businesses that said they process personal data (other than employee data)

2.3.2 Time spent complying with UK data protection law

Businesses that employ staff, and have undertaken at least one activity to comply with UK data protection law in the last 12 months, were asked how many staff they employed whose primary role is to undertake activities related to complying with UK data protection law. Sole traders were asked to estimate how much time they spent on activities relating to complying with UK data protection law. For businesses that employ staff:

49% of businesses that have undertaken compliance activities have 1 or 2 members of Full Time Equivalent (FTE) staff whose primary role is to undertake activities related to complying with UK data protection laws
as expected, there is some link between business size and number of employees hired, particularly in the ‘None’ and 7 or more categories, however there is less variation between business sizes in those hiring 1 to 6 staff members
see figure 29 below for a breakdown across all ranges and business sizes

Figure 29: FTE equivalent staff days businesses spend on complying with UK data protection laws, by business size

Base: 2161 UK businesses that employ staff and, in the last 12 months, have undertaken at least one activity in order to comply with UK data protect rules

Most sole traders that have undertaken at least one compliance activity in the last 12 months report spending 2 days a month or less on data protection compliance:

38% said they spend negligible or no time
25% said they spend half a day per month
15% said they spend 1 to 2 days a month
3% said they spend more than 2 days per month
13% said they don’t know how much time they spend
3% said that they outsource this work to a third party

Qualitative findings: costs in complying with data protection legislation

During the qualitative interviews, a small number of businesses were asked where the costs in compliance fell. The responses can be grouped into the following themes:

time costs, including time spent on subject access requests, updating policies and completing data protection impact assessments
staffing costs, including legal and data protection staff
digital technology costs, including introducing a private WiFi network or secure servers, buying a new computer, ensuring the technical infrastructure is secure and moving to cloud storage
costs in certification, accreditation and staff training
costs in managing paper based records, including disposing of paper and buying lockable filing cabinets
costs involved in seeking advice, including advice on compliance, IT consultants and legal advice

Some businesses, however, didn’t feel there were any real financial costs to compliance (sometimes describing them as ‘administrative costs’), while others suggested that the benefits of the legislation outweigh the costs.

2.3.3 Perceived burden of complying UK data protection law

Businesses that process personal data (either of employees or others) were asked to assess whether the burden, both in terms of time spent and financial costs, of complying with UK data protection law had increased, decreased, or stayed the same in the last 12 months:

72% of businesses said that the burden on their business has stayed about the same in the last 12 months
22% said the burden had increased
1% said the burden had decreased

Looking specifically at businesses that have undertaken at least some data protection law compliance activities in the last 12 months, those saying the burden has increased is 31% (and those saying it has stayed the same is 66%). This means those undertaking compliance activities are more likely to perceive complying with UK data protection law as a burden.

There was little variation in results between business sizes. Small businesses (30%) were more likely to say burdens had increased than sole traders (21%). This may, for instance, reflect the fact that sole traders will not need to worry about employee data, just other personal data, whilst small businesses will need to comply with regulations for both types of personal data.

Qualitative findings: challenges in data protection compliance

During the qualitative interviews,a small number of businesses were asked about challenges data compliance rules bring. The responses can be grouped into the following themes:

compliance is time consuming, including time spent ensuring compliance, getting documents in place when GDPR and DPA 2018 was first introduced, time spent on subject access requests and on data protection impact assessments
business avoids or reduces the level of personal data they hold as a result of the legislation
costs involved in compliance reduces business growth
ensuring staff are sufficiently trained, are aware of the need for compliance, and recognise the importance of good data management
lack of automated systems within the organisation makes compliance audits more time consuming
the regulatory guidance could be improved, including suggesting that sector specific advice, more advice sent to smaller businesses and that templates for policies would be helpful
perception that others from outside of their business aren’t following the rules
COVID-19 pandemic led to new challenges in compliance, such as having to collect customer personal data under the NHS test and trace systems, not being able to do on site audits or to check paper documents are locked away

2.3.4 Potential disadvantages of complying with UK data protection law

Businesses were asked if they had experienced any disadvantages of complying with UK data protection laws in the last 12 months and were asked to select from a list of possible options. The following was found:

62% of businesses that handle digital personal data reported no disadvantages
21% reported time associated with complying with the legislation as a disadvantage
14% reported the cost associated with complying
other disadvantages mentioned have between a 5-9% response rate, with costs associated with complying with ICO investigations or defending litigation being noticeable lower at 1%

Looking specifically at businesses that have undertaken at least some data protection law compliance activities in the last 12 months, those saying they experienced the disadvantage of costs in complying with the legislation is 21%. Similarly those saying they experienced the disadvantage of time spent complying with the legislation is 33%. This is consistent with the finding in section 2.3.3 that those undertaking compliance activities are more likely to perceive complying with UK data protection law as a burden.

Figure 30: Percentage of businesses experiencing disadvantages whilst complying with UK data protection laws, by business size

Base: 4117 UK businesses that said they process personal data (either of employees or others)

As can be seen in figure 30 above, there are variations with business size in terms of disadvantages experienced, with larger businesses, broadly speaking, more likely to experience any given disadvantage than smaller businesses. This aligns with the fact that large businesses reported being more likely to undertake these compliance activities (see section 2.3.1). For instance, 64% of sole traders that handle personal data say there are no disadvantages, but 47% said they hadn’t undertaken any of the listed compliance activities in the last year. 30% of large businesses that handle personal data said there were no disadvantages, but just 4% of large businesses hadn’t undertaken any of the listed compliance activities in the last year.

Qualitative findings: benefits of the data protection legislation

During the qualitative interviews, a small number of businesses were asked about the benefits of the data protection legislation. The responses can be grouped into the following themes:

the legislation has improved the way they handle data, including giving increased confidence, increasing awareness of the importance of data protection, better data organisation and increased awareness of the importance of data
reassuring for their customers or clients, including increased awareness of their rights, increased contact with customers and improving business reputation
the introduction of GDPR led to businesses improving their systems for data management or data security
ICO guidelines and the NHS data protection tool kits have been useful to work with

2.4 Perceptions of the impact of UK data protection law on domestic trade

Businesses that process personal data were asked how much they felt UK data protection laws were a barrier or an enabler to trade with other businesses located in the UK:

58% of businesses that process personal data feel that UK data protection laws are neither a barrier nor an enabler to trading with other UK businesses
17% thought it was a barrier for trading with businesses in the UK
7% thought it was an enabler for trading with businesses in the UK
17% did not know if it was an enabler or barrier for trading with businesses in the UK

Large businesses (19%) were more likely than sole traders, micro and small businesses (7%, 8%, and 7% respectively) to say that the laws are an enabler for trading with other businesses in the UK.

Figure 31: Businesses’ perceptions of UK data protection laws as a barrier or enabler of trade with other businesses in the UK, by business size

Base: 4117 UK businesses that said they process personal data (either of employees or others); some data are suppressed due to small numbers, which is why not all categories sum to 100%.

2.5 Awareness of Information Commissioner’s Office

Respondents were asked whether they had heard of the ICO before taking part in the survey. The majority of respondents from businesses have heard of the ICO:

58% have heard of the ICO and know what it is
19% have heard of it, but don’t know what it is
23% have not heard of it.

Sole traders and respondents from micro businesses (24% and 22% respectively) are more likely to say that they have not heard of the ICO than respondents from small, medium, and large businesses (16%, 12% and 8% respectively).

Figure 32: Percentage of businesses that have heard of the ICO or not, by business size

Base: 4612 UK businesses that said they use any form of digitised data; some data are suppressed due to small numbers, which is why not all categories sum to 100%.

There are differences across sectors in terms of knowledge of the ICO:

businesses in the Finance and Insurance sector (90%), with the exception of those in the Information and Communication, and Human, Health and Social Work sectors, are more likely than those in all other sectors to have heard of the ICO and know what it is
businesses in the Information and Communication (79%), Human, Health and Social Work (76%), and Professional, Scientific, Technical (72%) sectors are also more likely to have heard of the ICO and know what it is compared with those in several other sectors
broadly speaking, businesses in these sectors are also more likely to share data than some other sectors (see section 1.2.2)

Figure 33: Percentage of businesses that have heard of the ICO and know what it is, by business sector

Base: 4612 UK businesses that said they use any form of digitised data

2.6 Use of cookies or similar technologies

An estimated 9% of businesses that handle personal or employee data report acquiring personal data through the use of cookies or similar technologies (6% of all UK businesses). This was more prevalent among large businesses compared to businesses with 49 or fewer employees (see figure 34 below).

A potential reason for large businesses being more likely to acquire personal data through the use of cookies or similar technologies may be because larger businesses are more likely to have a website than smaller businesses, and among those that do have a website larger businesses are more likely to have more advanced functionality, such as online booking or personalised content for repeat visitors (see E-commerce and ICT activity 2019 release from the Office of National Statistics).

Figure 34: Percentage of businesses acquiring personal data through the use of cookies or similar technology placed on people’s connected devices, by business size

Base: 4117 UK businesses that process digitised personal data (of employees or others)

Question 5

Chapter 3: Transfer of data internationally

Accepted Answer

Mission 5 of the government’s National Data Strategy concerns the international flow of data. In order to continue to understand this landscape in relation to businesses, this section explores transfers of data (both sending and receiving) with organisations or people outside the UK, and the factors that assist businesses or impede their international data transfers.

Respondents were asked if their business transfers (send or receive) data with other organisations, businesses or people based outside of the UK. Respondents were told that data sharing outside of the UK includes personal and/or non-personal data they send to or receive from organisations, businesses or people abroad. This includes data that their business accesses or processes in another country (for instance through cloud computing, web-services).

3.1 General international data transfer

Of businesses that use digitised data, 82% said they do not transfer that data with organisations, businesses or people based outside of the UK, with 16% saying they do transfer data overseas (13% of all UK businesses, because 85% of all businesses handle digitised data). This rises to 41% for large businesses.

Figure 35: Percentage of businesses that transfer (send and/or receive) data internationally, by business size

Base: 4612 UK businesses that said they use any form of digitised data

The following variations with business sector were found:

businesses in the Information and Communication (29%) and Professional, Scientific, Technical (21%) sectors are more likely to say they transferred data overseas compared with those in many other sectors
see figure 36 for a fuller comparison

Figure 36: Percentage of businesses that transfer (send and/or receive) data internationally, by business size

Base: 4612 UK businesses that said they use any form of digitised data

Qualitative findings: reasons for transferring data internationally

A small number of businesses who indicated in the main survey that they transfer data (send/receive) internationally were asked more about why they do so during the qualitative interviews. The responses can be grouped into the following themes:

to deliver part of the business function, including to acquire international property rights, to deliver training, and to attract and enrol international students
to work with international partners or businesses
to work with or communicate with international customers, clients or other businesses
to enable business to be conducted internationally
for business operational purposes, including paying staff, for grant funding applications, and centralising business management processes in multiple national organisations
to transfer data within international branches of the same company
the business has international suppliers or subcontractors
the software of the IT storage they use has an international server

3.2 Types of data, reasons and locations

This section explores the types of data transferred, the reasons for not transferring data, perceptions of UK data protection laws on trade both in the UK and overseas, and the locations it is transferred with.

3.2.1 Types of data transferred

Businesses that transfer data internationally were asked about whether they sent or received personal or non-personal data:

businesses that transfer data internationally were more likely to say they receive personal data (53%) than send personal data (42%)
large businesses are more likely to send personal data outside the UK than sole traders and micro businesses, however rates of receiving personal data are similar across business sizes
businesses that transfer data have similar rates for sending non-personal data (53%) as receiving non-personal data (55%)
large businesses are also more likely to send non-personal data outside the UK than micro businesses, however rates of receiving non-personal data are similar across business sizes

Figure 37: Percentage of businesses that send and receive personal data internationally, by business size

Base: 833 UK businesses that said they use any form of digitised data and said that they send data to and/or receive data from outside the UK

When looking at data transferred in any way (sent and/or received):

32% of businesses that transfer data internationally said they send and/or receive both personal and non-personal data
29% said they send and/or receive personal data only
30% said they transfer non-personal data only

3.2.2 Reasons for not transferring data internationally

Businesses that do not transfer data internationally were asked the reasons why this is the case. Businesses could respond with more than one reason. The following was found:

78% of businesses stated that they had no business need to transfer data internationally.
63% that they do not operate internationally.
results ranged from 0-5% for other reasons such as concerns relating to legal risks, barriers due to local laws in other countries, not having the resources to share data internationally, compliance costs being too high (see figure 38 below for the specific breakdown)

Of the UK businesses that handle digitised data, but do not transfer data internationally 95% said that they either had no need or don’t operate internationally. When those who have no business need to transfer data internationally and those who do not operate internationally are excluded, the remaining 5% of businesses represent those who do not transfer data internationally for other reasons:

1% of businesses that don’t transfer data internationally listed concerns, barriers, costs or lack of resources and potentially have a need to transfer data internationally
the remaining 4% said they had experienced none of these, didn’t know, or preferred not to say

Figure 38: Reasons businesses do not transfer data internationally

Base: 3676 UK Businesses that handle digitised data, but do not transfer data internationally

Qualitative findings: reasons for not transferring data internationally

During the qualitative interviews, a small number of businesses that said they don’t transfer data internationally were asked about reasons for not doing so. Reasons given for not using data internationally were similar to that in the main survey and can be categorised into the following themes:

no business need to transfer data internationally
the business doesn’t operate internationally
to avoid the risk of losing customer trust
the international companies they could share with are protective of their data
mindful of risks or legislative restrictions, however this isn’t the reason for not transferring data internationally, a lack of business need is

3.2.3 Perceptions of the impact of UK data protection law on international trade

Businesses that handle personal data and transfer that data outside the UK (whether personal or non-personal data) were asked how much they felt UK data protection laws were a barrier or an enabler to trade with other businesses located in the EU, or the rest of the world. This distinction was made in the question because of the different regulations for personal data transfers in the EU compared to the rest of the world. For the results of a similar question related to trade with UK businesses see above in the section 2.3.4 on UK data protection law.

Businesses’ perceptions of UK data protection law as a barrier or enabler to trade with other businesses are similar whether that trade is with the EU or the rest of the world:

50% of businesses that transfer data internationally said they are neither a barrier nor an enabler to trading with businesses based in the EU
54% said the same for businesses based in the rest of the world
there is no statistically significant difference between these two results

Although the most common response was neutral, businesses, after this, were more likely to say that UK data protection laws were a barrier than an enabler:

24% of businesses that transfer data internationally thought UK data protection law was a barrier for trading with businesses in the EU compared to 9% that thought it was an enabler
20% of businesses thought UK data protection law was a barrier when trading with businesses in the rest of world compared to 7% that thought it was an enabler
there is no statistical difference between the results for the EU and the rest of the world

Note that many respondents were uncertain how to answer this question, responding with don’t know (16-18% across the different regions specified in the question).

Figure 39: Businesses’ perceptions of UK data protection law as an enabler or a barrier of trade with other businesses in the EU and rest of the world

Base: 751 UK businesses that said they process personal data (either of employees or others) and that transfer data outside the UK

The following patterns with business size were found:

large businesses (27%) were more likely than sole traders and small businesses to say that the laws are an enabler for trading with other businesses in the EU
large businesses (46%) were more likely than sole traders and micro businesses (18% and 21% respectively) to say that the laws are a barrier for trading with other businesses in the rest of the world

Qualitative findings: challenges in transferring data

During the qualitative follow up interviews, a small number of those that said they do send or receive data internationally were asked about any challenges they had. The themes identified were:

concerns around rules or data sharing culture in other countries, including a perception that there are complex rules in Switzerland and Germany, a perceived reluctance of businesses in some countries to share data and challenges in transferring to/from the USA such as those resulting from GDPR and the expiry of the US Privacy Shield
concerns relating to data server locations
wishing to maintain data protection standards that are consistent with other countries

3.2.4 Transferring data outside the UK

Businesses that handle digital data were asked whether they transfer (send or receive) data outside the UK and which regions of the world they transfer data with:

16% of businesses that handle digital data said they transfer data (send or receive) with organisations outside the UK
of these businesses, the main regions businesses transfer data with are Europe (79%) and North America (59%), followed by Asia-Pacific (35%) with Africa (20%), Middle East (20%), and South America (13%) representing a relative minority
note that there is no statistical significance between the differences in percentage for Africa, Middle East, and South America
there is no statistically significant variation of these results with business size

Figure 40: Regions where data is transferred (sent or received)

Base: 833 UK businesses that transfer data outside the UK

3.2.4.1 Countries that businesses transfer data with that are important to their business

Breaking down the region data above to the country level means that data for many countries is suppressed due to low sample sizes. Respondents were asked to specify up to three of the countries it was important for them to transfer data with. The data tables accompanying this report list all the countries mentioned, where sample size allows. Other than the United Kingdom, which was specified by some respondents as one of the three countries important to their business, the 10 most commonly listed countries are:

United States of America (USA)
Germany
France
Netherlands
Italy
Australia
Republic of Ireland
Canada
Belgium
Spain

The USA was the top most commonly listed country. Germany was more likely to be listed than all other countries, except France. Nothing can be made of the relative ranking of the remaining countries as the confidence limits for their results overlap.

Figure 41: Countries most commonly listed as being one of the three countries businesses transfer data to that are the most important to their business

Base: 726 UK businesses that transfer data outside the UK and mentioned a region they transfer data with

3.2.4.2 Reasons for transferring data internationally

Businesses were asked the purpose they transfer data outside the UK:

65% of businesses that transfer data internationally said for the delivery and/or receipt of goods, products, or services
48% said transferring data for the purpose of communications
24% said marketing or customer research and internal processes such as human resources, or accounts
20% said product development or innovation
15% said regulatory requirements
11% said supply chain efficiency
7% said responding to requests from government authorities such as law enforcement

Figure 42: Purposes businesses transfer data with other businesses, organisations or people based outside the UK

Base: 833 UK businesses that transfer data outside the UK

It is expected that larger businesses would be more likely to need to transfer data internationally for internal purposes, given that they are more likely to have the resources to operate internationally, or be part of a larger, international, corporate group. It is also likely that sole traders have less complex or developed supply chains than larger businesses so may be less likely to transfer data for these purposes. The survey results are consistent with this:

large, medium, and small businesses (55%, 44%, and 44% respectively) were more likely than sole traders (23%) to say they transferred data overseas for the purpose of internal processes
sole traders (7%) were less likely to mention supply chain efficiencies than businesses with employees (ranging from 22% of micro businesses to 35% of large businesses
there were no other differences with business size

Figure 43: Percentage of businesses transfer data outside the UK for the purposes of supply chain efficiency or internal processed, by business size

Base: 833 UK businesses that transfer data outside the UK

3.2.4.3 Knowledge of legal compliance necessary to transfer personal data outside the UK

Businesses that handle personal data and transfer data overseas were asked how much they knew about the legal compliance necessary to transfer personal data with businesses organisations or people based outside the UK. It is important to note that these businesses may not transfer personal data overseas. These results also represent the knowledge of the respondent, rather than all employees of the business. The following was found:

9% of businesses that handle personal data and transfer data overseas said they knew a great deal
35% said they knew a fair amount
38% said they didn’t know very much
15% said they knew nothing at all

This result was the same for most business sizes, but large businesses (30%) were more likely to say they knew a great deal than sole traders and micro businesses (8% and 9% respectively).

3.2.4.4 Barriers to international data transfer

Businesses that transfer data outside the UK were asked if they have been prevented from sharing data internationally as a result of barriers regarding the transfer of data. This was split into barriers for personal and non-personal data. A small percentage of businesses said that they have been prevented from sharing either personal data or non-personal data internationally to barriers regarding the transfer of data: 7% of those who transfer personal data overseas and 6% of those who transfer non-personal data overseas. This corresponds to 1% of all UK businesses saying they both transfer data and have been prevented from sharing data internationally due to barriers regarding the transfer of data. The sample size answering this question is not sufficient to provide further breakdowns by business demographics.

3.3 International transfer mechanisms

International transfer mechanisms are safeguards that enable the secure transfer of personal data between trusted partners, such as data adequacy (where a country recognises another countries data standard as providing sufficient safeguards for data protection) and EU Standard Contractual Clauses (SCCs). It is important to note that the fieldwork for this survey took place before 21 March 2022 when the UK’s new standard data protection clauses, the International Data Transfer Agreement (IDTA) and Addendum, formally took effect and will replace the SCCs.

Businesses that transfer data internationally sending personal data (42% of businesses that transfer data internationally) were asked about the international transfer mechanisms they used to facilitate this:

31% of businesses that send personal data internationally said they use SCCs
22% said they use adequacy (the difference in percentages using SCCs and adequacy is not statistically significant)
9% said they use Binding Corporate Rules (BCRs)
8% said they use exceptions for specific circumstances such as for medical emergencies
39% said they use none of the legal safeguards suggested
13% of respondents didn’t know what legal safeguards their businesses used

Note that use of these transfer tools are self-reported. The ICO records show as of December 2021, 28 UK businesses were registered with the ICO to use UK BCRs, suggesting these results may be an overestimate in the use of BCRs.

Figure 44: Percentage of businesses that send personal data internationally and that use a particular legal safeguard

Base: 388 UK businesses that share (send) personal data outside the UK

Of businesses that share (send) personal data outside the UK, the following differences with business size were found:

medium and large businesses (both 66%) were more likely to say they utilised SCCs than sole traders and micro businesses (27% and 39% respectively)
large, small, and micro businesses (26%, 23% and 16% respectively) were more likely to say they use BCRs than sole traders (5%)
large businesses (56%) were more likely than sole traders and micro businesses (22% and 17% respectively) to say they use adequacy
sole traders (43%) were more likely to say they used none of these safeguards compared to large businesses (13%)

Figure 45: Percentage of businesses that send personal data internationally that use a particular legal safeguard, by business size

Base: 388 UK businesses that share (send) personal data outside the UK; some results are suppressed due to small numbers.

Businesses that said they use none of the above international transfer mechanisms were asked in more detail about the reasons for this:

46% of businesses not using legal safeguards to send personal data overseas report that they are not making a restricted transfer
40% report not being aware of the need to do so
23% are unsure of the tools to use

The sample size answering this question is not sufficient to provide further breakdowns by business demographics.

3.3.1 Use of Standard Contractual Clauses

Businesses who said they use SCCs were asked a series of follow up questions to help explore the cost to businesses in terms of time associated with the use of SCCs. This includes: the number of SCCs businesses have put in place during the last 12 months; the time businesses spend implementing SCCs; use of externally contracted support, and how easy businesses found it to put SCCs in place.

The majority of businesses that use SCCs have put 5 or fewer in place during the last 12 months:

34% put in place 1 to 5 SCCs
29% of businesses who use SCCs put no SCCs in place in the last 12 months
21% of respondents didn’t know how many SCCs had been put in place during the last 12 months
other responses ranged from 1% for more than 100 to 8% for 11 to 50 SCCs put in place during the last 12 months

Figure 46: Number of SCCs businesses have put in place over the last 12 months

Base: 171 UK businesses that share (send) personal data outside the UK and said they have used SCCs to do this

The sample size answering this question is not sufficient to provide further breakdowns by business demographics.

In terms of the time burden on businesses to implement SCCs the following was found:

62% of businesses who implemented SCCs in the last 12 months spent less than one working day, per SCC, on average doing this
23% spent one to five working days
8% spent 6 to 10 working days

Businesses were also asked about whether they contracted out work on SCCs:

15% of businesses estimated that this contracted work took less than one working day per SCC
7% estimated it took one to 5 working days
67% of businesses who implemented SCCs in the last 12 months did not contract this work externally

Finally, businesses were asked how easy or difficult they find it to use SCCs:

37% of businesses using SCCs said they found it easy (either very easy or fairly easy) to use them.
a similar number, 36%, said it was neither easy nor difficult.
15% of businesses reported finding them difficult (either fairly or very difficult) to use.

This implies that on the whole businesses using them do not find it difficult to use SCCs.

Qualitative findings: experiences of using Standard Contractual Clauses

During the qualitative interviews, a small number of businesses that said they used Standard Contractual Clauses (SCCs) for their overseas data transfers were asked about their views on using them, which can be grouped into the following themes:

businesses gave positive views on SCCs, including viewing that they are internationally recognised, that they are providing safeguards against risks, that they are not costly or difficult to put in place, appreciating them being standardised or a business choosing to use SCCs regardless of adequacy status
SCCs don’t resolve all issues, including where a business experienced clients not accepting data transfers to some countries even with SCCs in place, feeling they are inaccessible or that they don’t feel they give businesses much protection
there are some challenges in drafting SCCs, including being time consuming, expensive to hire legal support or onerous for small businesses

Question 6

Chapter 4: Comparison to 2021 results

Accepted Answer

A number of questions asked in the 2022 survey are new, some are the same as those in 2021, and some have been changed or were asked to a slightly different type of business, 17 questions asked in 2021 were not asked in 2022 (see the 2021 technical report for full list of 2021 questions). Direct comparisons are therefore not possible across all questions.

A note of caution is required in comparing results from 2021 and 2022 due to a change in survey methodology affecting businesses with 0-4 employees. This means it is not possible to say whether changes for sole traders and micro businesses are because of this change in method, or a real world change. Changes seen for businesses with 10 or more employees are not affected by the change in methodology. See the methodology section for more details.

The following tables explore potential comparisons between 2021 and 2022:

table 1 highlights areas where the questions are the same between 2021 and 2022
table 2 highlights areas where the question has changed between 2021 and 2022
table 3 highlights new question topics in the 2022 survey for which there is no equivalent question in 2021

Table 1: Areas where the questions are the same between 2022 the 2021 UK Business Data Surveys

Statistically significant difference in:	2021 total	2022 total	total	sole traders	micro
Chapter 1: General data use
UK businesses reporting they handle digitised data	81%	85%	✔	✔
UK Businesses reporting they handle digitised personal data	65%	63%			✔
UK Businesses reporting they handle digitised non-personal data	50%	52%
Chapter 2: Data protection law
UK businesses that handle digitised data saying they have heard of the ICO and know what it is	44%	58%	✔	✔	✔
Chapter 3: Transfer of data internationally
UK businesses that handle digitised data saying they transfer data internationally	12%	16%	✔	✔
UK businesses that transfer data internationally saying they transfer data with:
Europe	76%	79%
North America	62%	59%
Asia-Pacific	32%	35%
Africa	15%	20%
Middle East	20%	20%
South America	15%	13%
UK businesses that transfer data internationally specifying up to three countries that are important to their business to transfer data with^{[footnote 2]}	-	-

Table 2: Areas where the question has changed between 2022 the 2021 UK Business Data Surveys

Question	Notes
Chapter 1: General data use
Businesses acquiring data from other businesses	There was a change in question wording from 2021 and 2022 and the number of different options offered to respondents.
Businesses sharing data outside of their organisation and who they are sharing data with	There was a change in question wording from 2021 and 2022 and the number of different options offered to respondents.
Data availability, and whether this has led to efficiencies or innovation	There was a change in the scope of the question from 2021 to 2022. In 2021 respondents were asked to reflect on the previous 10 years and in 2022 on the previous 3 years. Question wording was also changed for the consequences of efficiency and innovation.
Types of sensitive personal data held	The types of businesses asked this question were changed between 2021 and 2022. In 2021 businesses which handle personal data (other than employee data) were asked the question. In 2022 businesses which handle personal data (whether of employees or others) were asked the question.
Chapter 2: Data protection law
Whether the ICO guidance is clear and easy to understand	There was a change in question wording from 2021 to 2022 to remove explicit reference to ‘GDPR and DPA 2018’ from the phrase ‘regulatory guidance’. There is a reduction in those who agree the guidance is clear and easy to understand compared to 2021. There is a corresponding increase in those who neither agree nor disagree.
Consequences of not finding ICO guidance clear or easy to understand	The question which led businesses to this one (whether the ICO guidance is clear and easy to understand) was changed between 2021 and 2022, but this question itself was similar. For businesses which handle personal data and do not find guidance on UK data protection laws clear or easy to understand, there was a reduction between 2021 and 2022 in those selecting a disproportionate amount of time working out the requirements of the UK data protection law, and in those saying they outsourced compliance with data protection laws to specialist staff. There was a corresponding increase in those saying none of the listed activities.
Compliance activities undertaken in the last 12 months	There was a change in question wording and options presented to respondents from 2021 to 2022. In particular, in 2021 the question was asked ‘as a result of GDPR and DPA 2021’, in 2022 the time frame was ‘in the last 12 months’.
Perceptions of the data protection regime on domestic trade	There was a change in which businesses were asked this question and in the wording of the question between 2021 and 2022.
Chapter 3: Transfer of data internationally
Whether personal data or non-personal data is transferred	There was a change in which businesses were asked about personal or non-personal data transfer and how the question was worded between 2021 and 2022.
Reasons for not transferring data	There was a change in the list of response options available to businesses. In addition, businesses on average selected fewer responses in 2022 than in 2021, as such, figures for some response options are lower in 2021, however it remains the case that most businesses either selected ‘no business need’ or ‘do not operate internationally’.
Perception of the UK data protection law on international trade	There was a change in which businesses were asked this question and in the wording of the question between 2021 and 2022.
Barriers to international data transfers that have prevented sharing internationally	There was a change in which businesses were asked this question and in the wording of the question and number of options presented to respondents between 2021 and 2022.
Knowledge of legal compliance necessary for international personal data transfers	There was a change in which businesses were asked this question between 2021 and 2022 to only include those who said they handle personal data (whether of employees or others).
Legal safeguards for international data transfers	There was a change between 2021 and 2022 in which businesses were asked this question to include only those who send personal data. There was also a change in which types of legal safeguard were given as options.
Views on how easy or difficult it is to use SCCs	There was a change in question wording between 2021 and 2022. In 2021 the question referred to all the safeguards a respondent said their business used, in 2022 it refers specifically to use of SCCs.

Table 3: New question areas in the 2022 survey

Chapter 1: General data use

The use of privacy enhancing technologies

Self reported scores against data foundations measures

Self-reported data skills

Types of data storage methods

Location of servers used by businesses

Dependency on servers

Types of sensitive non-personal data held

Precautions used for handling sensitive data

Number of people a business holds personal data on

Chapter 2: Data protection law

Whether businesses have processes in place to deal with data protection complaints from the public

Views on the data protection regime (whether they agree it strikes the right balance between enabling responsible use of data and protecting individual’s rights)

Number of FTE staff working on data protection

Subjective views on whether the burden of compliance has increased or decreased in the last year

Disadvantages of the data protection regime

Businesses acquiring personal data through use of cookies or similar technologies placed on people’s connected devices

Chapter 3: Transfer of data internationally

Whether data is sent or received

Reasons for transferring data internationally

Number of SCCs put in place in last 12 months

Reasons for not using safeguards for spending personal data internationally

Time taken to implement SCCs

Question 7

Chapter 5: Geographical analysis

Accepted Answer

The survey recorded the regions of the UK the businesses responding to the survey were based. Where the sample size is sufficient, it is possible to explore variations in the results across different regions of the UK. As in the 2021 survey, very few statistically significant differences between regions were found. There was no consistent pattern of variation between regions and it is difficult to draw any meaningful conclusions from the small number of statistically significant differences that were found. It is possible that some of the regional differences reported may be driven by sector or size differences in these regions (see the ONS Business: activity, size and location dataset).

The data tables accompanying this report contain full regional breakdowns of the results for most questions as well as the confidence intervals for these breakdowns.

Question 8

Annex 1: Supporting information

Accepted Answer

A.1 Glossary and definitions

A.1.1 Data Foundation characteristics definitions

One of the four pillars of the government’s National Data Strategy is ‘data foundations’ - ensuring data is fit for purpose. Survey respondents were asked a question about data foundations. The definitions of these data foundation characteristics given to respondents can be found in table 5 below.

Table 5: Data characteristics applied to determine indicative level of data foundations adoption

Quality	Accurate, free from error and missing values
Consistent	Recorded in standardised formats
Accessible	Easily retrievable when needed
Properly documented	Appropriately catalogued, allowing data to be easily found
Easily usable	Easy to understand and manipulate for organisation’s need
Interoperable	Can be easily combined with other datasets and used across different systems
Secure	Appropriately protected against unauthorised access and usage
Timely	Sufficiently up to date for organisation’s needs

A.1.2 Subgroup definitions and conventions

For businesses, analysis by size splits the population into:

sole traders (0 employees)
micro businesses (1 to 9 employees)
small businesses (10 to 49 employees)
medium businesses (50 to 249 employees)
large businesses (250 employees or more)

A.2 Methodology

DCMS commissioned Ipsos to carry out a quantitative questionnaire-based survey of 5,084 UK businesses from 22 November 2021 to 11 February 2022. The sample was split into 3,594 telephone interviews and 1,488 online questionnaires, with the online respondents predominantly businesses with 0-4 employees. This represents a change from the 2020 survey where all interviews were conducted over telephone, and subsequently caution should be taken when comparing figures between the two survey years.

In addition, in February 2022, Ipsos conducted 32 in depth qualitative interviews with businesses that use digital data to gain further insight into their use and views around data use. Themes from these interviews are presented alongside the statistics in this report. As with any qualitative findings, however, these themes are not intended to be statistically representative.

The samples were selected to provide robust coverage by UK region, business size (number of employees) and sector.

Weighting by industry sector and number of employees was applied to the data to ensure that the results reflect the UK business population.

Many questions were asked to a subsection of the overall sample based on their responses to previous questions. Where this is the case, it has been indicated in the supporting text. Please note, additionally, that certain questions in the survey were only asked of half the respondents (see the technical report for details about this selection). This was so that more questions could be asked of businesses whilst not increasing the overall length of the survey (which is shown to reduce response rates). This means that the exact number of respondents asked a question will vary occasionally even when the text description of the respondents has not changed.

A screening and question routing process was employed to minimise occasions when businesses initially said they do not collect or use data but in fact do. It was helpful to define what is meant by ‘data’ for the purposes of this research, and the definition given to respondents at the beginning of the interviews was as follows:

Digitised information that your organisation may hold, for example things such as financial records and names and addresses of employees and customers. All businesses use data in some form, and we are interested in speaking with all businesses even if you only deal with a small amount of digitised data.

The survey focussed on digitised data since, although non-digitised personal data (such as paper records) is covered by data protection legislation, it is thought that digitised data is by far the more prevalent form, and increasingly so. As such, it was considered better to concentrate the limited sample on businesses that use digital data.

More technical details and a copy of the questionnaire are available in the technical report published separately.

A.2.1 How to interpret the data

The research respondents were a sample of the total UK business population so it is not possible to be certain that the figures obtained are exactly those we would have if all in the population had been interviewed (the ‘true’ values). As such, figures presented in this report should be considered estimates of the ‘true’ value. It is possible, however, to predict the variation between the sample results and the ‘true’ values from the knowledge of the size of the samples on which the results are based and the number of times that a particular answer is given. The confidence with which this prediction can be made is usually chosen to be 95% - that is, the chances are 95 in 100 that the ‘true’ value will fall within a specified range.

Percentage estimates, and subgroup differences by size and sector, have been highlighted only where statistically significant (at the 95% confidence level).

Confidence intervals for all the results can be found in the data tables that accompany this report. These are sometimes shown on figures in the report using ‘error bars’. See figure 47, below, for an example of this for a result ‘Yes’ 65% (with 95% confidence that the ‘true’ result lies between 45% and 85%).

Figure 47: An example showing how to interpret confidence intervals on charts

This report focuses on particular characteristics of businesses, so differences cited here may not always necessarily be attributed directly only to the characteristic being described.

A.2.3 Mode and sample effects of the change in survey methodology

This year the fieldwork was conducted in two modes: a computer assisted telephone interview (CATI), and an online self-completion questionnaire. The survey fieldwork in 2021 was conducted entirely through CATI. It is possible that this change of methodology could impact the survey results, which can present challenges in understanding whether a difference between the two years is a real world difference, or a result of the methodology change.

There are two ways in which this methodology can affect the survey responses.

Firstly, through mode effects whereby people might respond differently to a question when they hear it read to them on the phone, compared to when they read it in an online (or paper) survey. For instance, there is evidence in our survey data that people are more likely to strongly agree or disagree than tend to agree or disagree when responding via CATI than when responding online.

Secondly, through sample effects. This survey is about the use of digital data, so there is a chance that those choosing to respond online could represent businesses that are more engaged with digital technology use and understanding of digitised data. Respondents were not given an upfront choice between these modes (though a small proportion of respondents selected for CATI asked if they could complete the survey online instead). There may be some businesses who, if asked to respond via CATI, would have done so, but elected not to respond to the invitation to the online survey, because of their comfort in using digitised media and vice versa. Both mode effects and sample effects can be observed, to some extent, in the survey data.

Figure is different from the sum of its components due to rounding. ↩
There were no differences between 2021 and 2022 for any countries reported. ↩

Cookies on GOV.UK

Summary

Key findings

Introduction

Code of practice for statistics

Background

Chapter 1: General data use

1.1 Use of any digital data

Figure 1: Percentage of businesses handling digitised data

1.1.1 Use of personal data

Figure 2: Percentage of businesses handling digitised personal data (other than on employees), by sector

1.1.2 Use of non-personal data

1.1.3 Use of employee data

1.2 Businesses’ acquisition and sharing of data

1.2.1 Acquiring data from other businesses and organisations

Figure 3: Percentage of businesses acquiring or collecting data from other businesses or organisations, by business size

1.2.2 Sharing of data

Figure 4: Percentage of businesses sharing data outside their organisation, by business size

Figure 5: The businesses, organisations and groups businesses share data with

Figure 6: The relative overlap of the three main recipients of data sharing

1.2.2.1 Privacy enhancing technologies and data intermediaries

Figure 7: The percentage of businesses that send or receive data using PETs, third parties, or intermediaries to share sensitive data

Figure 8: The percentage of businesses using PETs, third parties, or intermediaries to share sensitive data, by business size

1.3 Data foundations

Figure 9: Businesses assessment of their data

Figure 10: Businesses that agreed (strongly or tended to agree) that their data is interoperable, by business size

1.4 Data skills

Figure 11: Business’ opinion of their data skills meeting their needs, by business size

1.5 Data availability

Figure 12: Business’ opinion whether data has become more readily available in the last three years, by business size

Figure 13: Business’ opinion whether increased availability of data in the last three years has led their business to perform the same functions more efficiently, and whether it has led them to innovate and perform new functions

1.6 Data infrastructure, responsibility and security

1.6.1 Data infrastructure

Figure 14: Data infrastructure used by businesses

Figure 15: The relative overlap of data infrastructure used by businesses

1.6.1.1 Server locations

Figure 16: Locations of servers used by businesses

1.6.1.2 Dependency on servers

Figure 17: Businesses’ dependency on servers

Figure 18: Businesses’ dependency on outsourced or cloud servers, by business size

1.6.2 Handling personal and sensitive data

1.6.2.1 Numbers of people businesses hold personal data on

Figure 19: The number of people businesses hold personal data on, by business size

1.6.2.2 Processing of sensitive personal data

Figure 20: Types of sensitive personal data processed by businesses, by business size

1.6.2.3 Processing of sensitive non-personal data

Figure 21: Types of sensitive non-personal data processed by businesses, by business size

1.6.2.4 Precautions for handling sensitive data

Figure 22: Extra precautions used by businesses handling sensitive data, by business size

Chapter 2: Data protection law

2.1 Perceptions relating to UK data protection law

2.1.1 Processing data protection complaints

Figure 23: Percentage of businesses that have processes in place to deal with data protection complaints from the public

2.1.2 Balance of UK data protection law

Figure 24: Percentage of businesses who feel UK data protection law strikes the right balance between enabling responsible use of data and protecting individuals’ rights

2.1.3 Regulatory guidance published by the ICO

Figure 25: The extent to which businesses find the regulatory guidance published by the ICO clear and easy to understand

2.2 Barriers resulting from unclear guidance to UK data protection law

2.3 Compliance activities, costs, and burdens

2.3.1 Activities undertaken to comply with UK data protection law

Figure 26: Percentage of businesses undertaking activities to comply with UK data protection law in the last 12 months, by business size

Figure 27: Percentage of businesses that employ staff undertaking staff-specific activities to comply with UK data protection law in the last 12 months, by business size

Figure 28: Percentage of businesses who handle personal data undertaking activities specifically relating to processing personal data other than employee data to comply with UK data protection law in the last 12 months, by business size

2.3.2 Time spent complying with UK data protection law

Figure 29: FTE equivalent staff days businesses spend on complying with UK data protection laws, by business size

2.3.3 Perceived burden of complying UK data protection law

2.3.4 Potential disadvantages of complying with UK data protection law

Figure 30: Percentage of businesses experiencing disadvantages whilst complying with UK data protection laws, by business size

2.4 Perceptions of the impact of UK data protection law on domestic trade

Figure 31: Businesses’ perceptions of UK data protection laws as a barrier or enabler of trade with other businesses in the UK, by business size

2.5 Awareness of Information Commissioner’s Office

Figure 32: Percentage of businesses that have heard of the ICO or not, by business size

Figure 33: Percentage of businesses that have heard of the ICO and know what it is, by business sector

2.6 Use of cookies or similar technologies

Figure 34: Percentage of businesses acquiring personal data through the use of cookies or similar technology placed on people’s connected devices, by business size

Chapter 3: Transfer of data internationally

3.1 General international data transfer

Figure 35: Percentage of businesses that transfer (send and/or receive) data internationally, by business size

Figure 36: Percentage of businesses that transfer (send and/or receive) data internationally, by business size

3.2 Types of data, reasons and locations