UK Business Data Survey 2024

Question 1

Executive Summary

Accepted Answer

This report describes results of the third iteration of the UK Business Data Survey (UKBDS), which was conducted for the first time in 2021. The survey is designed to help strengthen the government’s evidence base about the understanding of how data is used, how to balance data privacy and growth and the importance of being able to move data around both domestically and internationally.

Accompanying this publication are data tables, containing most questions asked about in the survey (subject to sample size) and broken down by business size, sector and International Territorial Level (ITL) 1 statistical region. When breakdowns are reported by sector, these are given alongside their Standard Industrial Classification (SIC) codes.

Key findings from the survey include:

General data use

Almost all (99%) businesses with at least 10 employees handled digitised data of any type in 2024, which is effectively unchanged since the 2022 and 2021 UKBDS. Highlighted in Business Population Estimates 2023, these businesses capture the majority of turnover and employment in the UK’s business population
Overall, 77% of UK businesses said that they handled digitised data of any type in 2024. This was a smaller percentage than in the 2022 and 2021 UKBDS (85% and 81%, respectively), attributable mostly to a fall in the share of sole traders and micro businesses that said they handled digitised data of any type
14% of businesses that handled digitised data shared data outside their organisation in 2024, one indicator of more sophisticated data use. 46% of businesses in Finance and Insurance (K) shared data, the highest percentage of any sector included in the survey
Approximately one-fifth (21%) of businesses in 2024, that handled digitised data, analysed data to generate new insights and knowledge
Overall, 2% of businesses in 2024 that handled digitised data used data for either Artificial Intelligence or Automated Decision-Making purposes, rising to 12% for large businesses
Estimates of businesses’ in 2024 online presence suggest more than two-thirds (68%) of UK businesses have a website

Data Infrastructure

35% of businesses that handled digitised data, stored and processed data on their premises in 2024, 19% said they used a public cloud provider and 13% said they used a private cloud provider
10% of businesses that stored and processed data outside the company premises (2% of all UK businesses) experienced server downtime in the past 12 months, with large businesses (27%) more likely to be affected than micro businesses (11%) and sole traders (9%)

Data Protection Law

58% of businesses in 2024 that handled digitised data said they had heard of the Information Commissioner’s Office (ICO) and knew what it was. 16% of businesses that handled digitised data said they had heard of the ICO but did not know what it was
42% of businesses in 2024 that handled digitised personal data agreed the ICO’s regulatory guidance is clear and easy to understand and 12% said they disagreed
9% of businesses in 2024 with websites, that handled personal data of any type, used cookies to acquire personal data
The majority (56%) of these businesses said they acquired personal data using cookies to collect information for statistical purposes about how a website or service is used, with a view to making improvements
7% of businesses in 2024 that handled digitised personal data processed data classified as “special category data”, as defined in the UK GDPR, with larger businesses more likely to have processed this kind of data
75% of businesses in 2024 said it felt like the burden of complying with UK data protection law had stayed the same over the previous 12 months,14% said it had increased, 1% said it had decreased

International Data Flows

9% of businesses that handled digitised data (7% of all UK businesses) transferred data internationally in 2024. Large businesses (36%) and medium businesses (26%) were more likely to transfer data overseas than small businesses (11%), micro businesses (10%) and sole traders (8%).
Among businesses in 2024 that handled digitised personal data, a minority (16%) that traded with the EU/EEA agreed UK data protection laws are a barrier to trade with the EU/EEA. The same percentage of these businesses, that traded with the rest of the world, agreed these laws are a barrier to trade with countries outside the EU/EEA
A small percentage of businesses in 2024 that transferred data internationally (6%) said they encountered issues due to the cost, complexity or transparency of UK data protection law
7 of the 10 most popular countries with which businesses in 2024 transferred data internationally are members of the EU/EEA, the others are the United States of America, Australia and Canada
15% of businesses in 2024 that sent personal data overseas used International Data Transfer Agreements to transfer personal data internationally. 25% used EU Standard Contractual Clauses and 20% used Binding Corporate Rules. Businesses were allowed to specify more than one mechanism for transferring personal data
20% of businesses in 2024 that sent personal data only to the EU/EEA used adequacy regulations

Question 2

Introduction

Accepted Answer

Code of Practice for Statistics

The UK Business Data Survey (UKBDS) is an official statistics publication, and has been produced to the standards set out in the Code of Practice for Statistics.

Background

The Department for Science, Innovation and Technology (DSIT) commissioned the UKBDS 2024 to help the government understand the nature and importance of data use in industry, as well as its potential and realised economic impacts.

The UKBDS 2024 fieldwork was conducted by Ipsos. The topics covered in the survey and discussed in this report include:

The general use, acquisition, sharing and analysis of digitised data
Data infrastructure and dependencies
Awareness of regulatory guidance about data use and compliance with data protection laws
The transfer of data internationally
Variation between businesses in different size, sector and regional categories

Respondents from a total of 3,911 UK businesses took part in this survey between October 2023 and February 2024, with interviews conducted either via Computer Assisted Telephone Interview (CATI) or online. These are the same methods used to interview businesses in the UKBDS 2022, however the UKBDS 2021 only interviewed businesses via CATI. Hence, comparisons between this year’s results and the 2021 report should be treated with additional caution.

The sample of businesses in this survey represents a fraction of the UK business population, meaning the numbers in this report are estimates of a figure’s ‘true’ value. Unless stated otherwise, differences between estimates of the same statistic, in different groups, are only highlighted in this report when they are statistically significant at the 5% level. See appendix B.2 for a discussion about the approach taken to comparing businesses in different groups.

Responses were weighted according to business size and sector to make the sample representative of the UK business population. See the accompanying technical report for a discussion about the weighting procedure and rationale.

Question 3

1 General  data use

Accepted Answer

All businesses were asked whether they handle any type of digitised data, to understand how common the use of digitised data is among UK businesses. The survey also distinguished between and asked all businesses about whether they use each of personal and non-personal data. Finally, businesses with employees were separately asked whether they handle any data on their employees (either personal or non-personal).

Unless otherwise stated, businesses that said they only handled non-digitised data (for example, all businesses with employees must keep certain data on their employees but this does not need to be digitised) or that said they did not handle any data are included in chapter 1.1 but not in later chapters of the report.

1.1 Handling of digitised data

1.1.1 General handling of digitised data

The majority (77%) of UK businesses said they handled digitised data of any type. Large (99%), medium (99%) and small (98%) businesses were more likely to say they handled digitised data than micro businesses (86%) and sole traders (73%).

Figure 1: Percentage of businesses that handled each type of digitised data

Base: 3,911 UK businesses.

Businesses in the Finance and Insurance (K), Mining, Energy and Water (B D E), Real Estate (L), Professional, Scientific, Technical (M) and Information and Communication (J) sectors (97%, 92%, 92%, 91% and 85% respectively) were more likely to handle digitised data than several other sectors.

Figure 2: Percentage of businesses that handled digitised data of any type, by sector

Base: 3,911 UK businesses.

1.1.2 Handling of different types of data

Like in both the 2021 and 2022 UKBDS, businesses were also asked about the different kinds of data they handle. 72% of businesses with employees said they handled any personal or non-personal digitised data about their employees. This compares with 88% of businesses with employees that handled digitised data of any type (including non-employee data).

Large businesses (98%) were more likely to handle digitised employee data than small and micro businesses (92% and 69% respectively)
81% of businesses in Real Estate (L) and 80% in the Professional, Scientific, Technical (M) sector said they handled digitised employee data of any type. This is a larger percentage than 62% of businesses in Wholesale and Retail, Repair of Motor Vehicles (G) and Agriculture, Forestry and Fishing (A) and 61% of businesses in Hotel/Catering (I)

62% of UK businesses said they handled digitised personal data (either of employees or others). 58% of UK businesses said they handled digitised personal data other than employee data.

90% of businesses in Finance and Insurance (K) said they handled digitised personal data other than employee data
This was a larger percentage than every other sector, except for 75% of businesses in Real Estate (L) and 73% in Arts, Entertainment and Recreation (R)
At the tail end, 33% of businesses in Agriculture, Forestry and Fishing (A) and 41% of businesses in Wholesale and Retail, Repair of Motor Vehicles (G) said they handled digitised personal data other than employee data

Roughly half of UK businesses (47%) said they handled any type of non-personal data other than employee data.

Large and medium businesses (86% and 79% respectively) were more likely to handle non-personal data (other than employee data) than small and micro businesses and sole traders (64%, 51% and 46% respectively)
67% of businesses in the Professional, Scientific, Technical (M) sector said they handled non-personal data other than employee data, which is a higher percentage than most other industries

Overall, 31% of UK businesses said they handled both personal and non-personal data, not including data on employees.

Figure 3: The overlap between the percentage of all businesses that handled different types of data

Base: 3,911 UK businesses.

1.2 Data collection and acquisition

This chapter discusses the collection and acquisition of data by businesses, including the types of data collected and the methods used to acquire personal data. Businesses were first asked whether they acquire or collect data from other businesses or organisations.

28% of businesses that handled digitised data of any type said they acquired or collected any data from other businesses or organisations
17% said they acquired or collected personal data
23% said they acquired or collected non-personal data

There was significant variation in the share of businesses that said they acquired digitised data by different business size and sector categories.

62% of large businesses said they acquired data of any type from outside their organisation. This is a larger percentage than in small, micro businesses and sole traders (39%, 34% and 26% respectively)
Large businesses were also more likely to say they acquire personal data (48%) and non-personal data (57%) compared with small, micro businesses and sole traders
Businesses in the Professional, Scientific and Technical (M) sector were more likely to acquire or collect any data (49%), personal data (31%) and non-personal data (41%) than in most other sectors

1.2.1 Data collection using cookies and other technology

Cookies are small files that online services can use to store information on a user’s device. Their use is regulated by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

Cookies often contain online identifiers about a user, like their IP address. Online identifiers are not always classified as personal data, however they might be when combined with other pieces of information that help to single out an individual. The processing of any such personal data collected using cookies or alternative technologies is also regulated by the UK GDPR and the Data Protection Act 2018.

Among UK businesses that said they handled digitised personal data (either of employees or others) and that have a website, only 9% said they acquired personal data using cookies.

There are a variety of reasons why businesses that have a website and handle personal data might not acquire personal data using cookies. For instance, not all cookies contain personal data. In addition, some businesses might not need to collect any data using cookies if their website only provides information about their business to customers (and is not used to sell a good or service).

It is also possible some businesses in this survey were not aware their website collects personal data using cookies, especially if they hired third parties for website design and development.

Among businesses that handled digitised personal data (either of employees or others), approximately 1% said they acquire personal data using an app-based tracking technology. 8% of these businesses said they use either cookies or an app-based technology to acquire personal data.^{[footnote 1]}

Large businesses (42%) were the most likely to use cookies compared with 23% of medium businesses, 9% of small businesses, 9% of micro businesses and 9% of sole traders
Large businesses (10%) were also the most likely to use an app-based tracking technology, which compares with 1% of micro businesses
19% of businesses in Information and Communication (J) said they use cookies which was a larger percentage than 2% of businesses in Hotel/Catering (I) and 2% in finance and insurance (K)

Figure 4: Percentage of businesses that used cookies to acquire personal data, by business size

Base: 2,470 UK businesses that handled digitised personal data (either of employees or others).

Businesses that said they use either cookies or an app-based tracking technology to acquire personal data were then asked about the reasons they do this.

The majority (56%) said to collect information for statistical purposes about how a website or service is used, with a view to making improvements
37% said to provide an online service which the user has requested. The same percentage said to facilitate marketing and advertising
23% said they collected data using these methods to facilitate the transmission of communications over a network
19% said for installing necessary security updates
14% of businesses said they do not use the data they collect using cookies

Large businesses (75%) were more likely to say they collect data to ensure user preferences are followed than small businesses (37%), micro businesses (39%) and sole traders (41%).

Figure 5: Reasons businesses acquire personal data using cookies or similar technology placed on people’s connected devices, as a percentage of businesses with each reason

Base: 310 UK businesses that acquired personal data using cookies or similar technology placed on people’s connected devices.

The sharing of data could imply greater sophistication in the use of data by businesses, for instance the sale of raw data products for analysis by other organisations or the sharing of analysis outputs and processed data tables. However, it could also indicate businesses’ increased international presence if they share data overseas. This transfer of data internationally is explored further in Chapter 4.

14% of businesses that handled digitised data of any type shared data (of any type) outside their organisation, with roughly the same percentage (10%) sharing each of personal and non-personal data.

64% of large businesses that handled digitised data of any type also shared data (of any type), which is a larger percentage than medium businesses (41%). In turn, medium businesses were more likely to say they shared any data of any type than small businesses (24%), who were more likely to shared data of any type than micro businesses (16%) and sole traders (13%)
Large businesses were also the most likely to share each of personal data (56%) and non-personal data (57%)
46% of businesses in Finance and Insurance (K) said that they shared data of any type outside their organisation. This is a larger percentage than every other sector included in the survey. This could be explained by the requirement for many businesses in Finance and Insurance to share data with supervisors like the Prudential Regulatory Authority and the Financial Conduct Authority

Figure 6: Percentage of businesses that shared data outside their organisation, by sector

Base: 3,340 UK businesses that handled digitised data of any type.

All businesses are required to share certain information with public sector organisations for tax purposes, and this kind of sharing was not explicitly excluded from the scope of data sharing in the questionnaire. However, it is possible many businesses did not have this kind of sharing in mind when answering the question.

Businesses that said they shared data of any type outside their organisation were asked to give the reasons they shared this data.

15% of these businesses said they shared data for Research and Development purposes
Nearly half (44%) of these businesses said they shared data because of legal or regulatory requirements
38% said they shared data to facilitate the sale of a product or service and 34% shared data because of contractual agreements
A small percentage (3%) said they shared data to sell data directly

34% of large businesses that shared data said they shared data for Research & Development purposes. This was a larger percentage than small businesses (13%), micro businesses (15%) and sole traders (15%).

Figure 7: Reasons businesses share data, as a percentage of businesses with each reason

Base: 660 UK businesses that shared data outside their organisation.
Note: responses add up to more than 100% because businesses were allowed to specify more than one reason.

1.4 Data analysis

All UK businesses that said they handled digitised data of any type were asked whether they analysed data to generate new insights or knowledge.

21% said they analysed data to generate new insights or knowledge
72% of large businesses said they analysed data, which compares with 58% of medium businesses, 34% of small businesses, 22% of micro businesses and 20% of sole traders
31% of businesses in the Finance and Insurance (K) and Human, Health and Social Work (Q) sectors said they analysed data compared to 8% of businesses in the Wholesale and Retail, Repair of Motor Vehicles (G) sector and 10% in the Construction (F) sector

Figure 8: Percentage of businesses that analysed data to generate new insights or knowledge, by sector

Base: 3,340 UK businesses that handled digitised data of any type.

This sectoral breakdown could suggest businesses in the service sectors are more sophisticated in their use of raw data stores and databases to create more advanced data assets, compared with businesses in other sectors.

The greater tendency for larger businesses to analyse data could also reflect resource constraints and less specialization in smaller businesses. For example, the fixed cost of purchasing licenses for some statistical software packages might be something only larger businesses can afford.

1.5 Use of data for Artificial Intelligence and Automated Decision Making

A new question in this year’s survey concerned the use of data for Artificial Intelligence (AI) or Automated Decision Making (ADM) purposes. For the purposes of this survey, AI was defined as “an umbrella term for a range of algorithm-based technologies that solve complex tasks by carrying out functions that previously required human thinking”. ADM was defined as “the process of making a decision by automated means without any human involvement”.

Approximately 1% of businesses that handled digitised data of any type said they used data for AI purposes and the same percentage said they used data for ADM purposes
2% said they used data for either AI or ADM purposes
There is some variation between businesses of different size. 12% of large businesses used data for either purpose. This compared with 2% of sole traders, 2% of micro businesses and 1% of small businesses

The UKBDS 2022 uncovered a positive relationship between a business’s size and the number of individuals on which they have data (this question wasn’t asked in 2024). This suggests a tendency to handle larger datasets, which could explain why large businesses are more likely to use data for AI or ADM purposes.

Figure 9: Percentage of businesses that used data for either Artificial Intelligence or Automated Decision-Making purposes, by size

Base: 3,340 UK businesses that handled digitised data of any type.

1.6 The data market

1.6.1 Website use

A portion of the survey tried to understand and corroborate the findings of previous studies that have described the nature and size of the UK’s data economy. These include The UK Data Driven Market (2024) report, which aims to define and estimate the scale and distribution of UK companies which are “data driven”.

One of the relevant questions in this year’s survey asked each business whether they had a website. Overall, 68% of UK businesses said they did.

Large (99%), medium (97%) and small (93%) businesses were more likely to have a website than micro businesses (74%) and sole traders (65%)
Businesses in the Human, Health and Social Work (Q) and Arts, Entertainment and Recreation sectors (both 86%) were more likely to say they have a website than businesses in many other sectors

Figure 10: Percentage of businesses that had a website, by sector

Base: 3,911 UK businesses.

ONS E-Commerce and ICT activity (2019) contains the most recently published statistics about website ownership in the UK, covering the manufacturing, production and some service sectors. 45% of businesses surveyed were recorded as having either their own, or a third-party website.

However, businesses in Human, Health and Social Work (Q) and Arts, Entertainment and Recreation (R) were notably not covered in that survey. In addition, the COVID-19 pandemic meant greater demand for the provision of online services which might have meant more businesses starting a website. Both these factors could help explain the larger percentage (68%) of businesses that said they have a website in the 2024 UKBDS.

1.6.2 Data suppliers

To investigate trends in data use and production by UK businesses that were reported in the European Data Market (EDM) Study of 2021-2023, our survey asked businesses about the nature of their role in the supply and production of data assets. Businesses that handled digitised data of any type were asked if their main activity is the production and delivery of digitised data-related products, services and technologies, which matches the EDM Study’s definition of a “Data Supplier”.

To make the results of this question comparable with the EDM study, only businesses that agreed to share their Company Registration Number (CRN) are included in the breakdown of results in this report. Businesses that said they did not handle digitised data are also treated as not being classified as data suppliers. This is because the EDM study reported figures for companies only, including businesses that did not handle any digitised data. Responses and breakdowns for all businesses that handled digitised data of any type are reported in the data tables published alongside this report.

Overall, 10% of businesses that provided a CRN said their main activity was the production and delivery of digitised data-related products and were therefore grouped as data suppliers. As expected, the Information and Communication (J) sector had the largest percentage (42%) of ‘data suppliers’ of any sector.

Figure 11: Percentage of companies classified as Data Suppliers, by sector

Base: 2,290 UK businesses that provided a Company Registration Number.
Note: the sample of businesses that provided a Company Registration Number in some sectors was too small to report the percentage classified as Data Suppliers.

Further analysis tried to understand the behaviour of data suppliers in other aspects of data use. It was expected self-classifying data suppliers are more likely to share data outside their organisation, and that a larger percentage of these businesses share data to sell data directly.

Among those businesses that classified themselves as data suppliers:

24% said they shared data outside their organisation which was larger than 13% of businesses that handled digitised data of any type but did not classify themselves as a data supplier. The sample size was too small to comment on whether there wass a difference in the percentage of businesses that said they shared data to sell data directly between data suppliers and non-data suppliers
8% said they used data for either AI or ADM purposes, which was larger than 1% of businesses that handled digitised data of any type, but did not classify themselves as a data supplier

The EDM Study used a different methodology to classify companies as “data suppliers”, which produced a smaller headline percentage of data suppliers in the IT industry. Further research could work to resolve these differences and consolidate an approach to estimating the size of the UK data market’s ‘supply side’ going forward.

1.7 Availability of data and the outcomes of data use

The survey asked businesses that handled digitised data of any type about its availability and outcomes of this data use. Businesses were first asked whether, in the previous three years data had become more available to them.

Figure 12: Percentage of businesses that think data has become more or less available in the previous 3 years, by size

Base: 1,680 UK businesses that handled digitised data of any type.
Note: some categories have been merged to manage small sample sizes. More detailed figures have been included in the data tables that accompany this report when they are based on sufficiently large samples.

26% said data from outside their business had become more readily available
46% said the availability of data outside their business had not changed
8% of businesses said data outside their business had become less readily available in the previous three years

There were limited sector or size differences of statistical significance, in part because approximately half of businesses that handled digitised data of any type were asked this question. Hence, the sample size was too small to detect significant variations.

Businesses were also asked about some of the beneficial outcomes of data use.

9% of businesses that handled digitised data of any type said the use of data led to more efficient internal processes always or most of the time and 16% said some of the time
21% said data use hardly ever yielded more efficient internal processes and half (50%) said it did not at all
4% said data use always or most of the time led to innovation or new business functions and 16% said some of the time
19% said data use hardly ever led to innovation or new business functions and a majority (58%) said it did not at all

Figure 13: Percentage of businesses for which the use of data led to innovation or improved business functions, by size

Base: 1,680 UK businesses that handled digitised data of any type.
Note: some categories have been merged to manage small sample sizes. More detailed figures have been included in the data tables that accompany this report when they are based on sufficiently large samples.

Large businesses were more likely to say data use always or most of the time led to more efficient internal processes (40%) than small (17%) and micro businesses (11%) and sole traders (8%). There were also more likely to say data use always or most of the time led to innovation or new business functions (23%) than small (5%) and micro businesses (4%) and sole traders (4%).

Equally, 53% of sole traders said data use did not at all lead to more efficient internal processes and 61% said data use did not at all yield innovations or improved business functions. This could reflect a lack of resources in smaller businesses to take advantage of data use for improved or new business functions.

Figure 14: Businesses for which the use of data led to more efficient internal processes, by size

Base: 1,680 UK businesses that handled digitised data of any type.
Note: some categories have been merged to manage small sample sizes. More detailed figures have been included in the data tables that accompany this report when they are based on sufficiently large samples.

Partly because approximately half of businesses that said they handled digitised data of any type were asked about the outcomes of data use, the sample size was too small to identify trends in data use across businesses in different sectors.

Further analysis was conducted on the sample of businesses that said data was a lot or a little more readily available in the previous three years.

39% of these businesses said data use led to more efficient internal processes always or most of the time
34% of these businesses said data use led to innovation or new business functions always or most of the time

Question 4

2 Data  infrastructure

Accepted Answer

This chapter addresses businesses’ use and experience of different infrastructures to store and process data.

2.1 Types of data infrastructure

Businesses were asked about the different kinds of infrastructure they use to store and process data.

35% of businesses said they used servers on company premises, including data centres owned by their organisation, to store and process their data
19% said they used a public cloud provider (for example, Amazon Web Services, Google Cloud Platform or Microsoft Azure)
17% said they used a third party via software or a web solution
13% said they used a private cloud provider
5% said they used servers provided by an outsourced IT services company (for example, Fujitsu or Capgemini)
4% said they used company-owned servers in rented space in a data centre
30% said they did not use any of the storage methods listed
5% of respondents said they did not know the kind of server on which their data was stored and processed

Figure 15: Types of data infrastructure used to store and process data, as a percentage of businesses using each type

Base: 1,670 UK businesses that handled digitised data of any type.
Note: Responses sum to more than 100% of the businesses that were asked this question because businesses were allowed to specify more than one kind of infrastructure for storing and processing data.

There was some variation between businesses in different size and sector categories.

Large businesses (29%) were more likely to say they used servers provided by an outsourced company than sole traders (5%), micro businesses (6%) and small businesses (12%)
Large, medium, small and micro businesses were more likely to say they used servers in their office or on premises owned by their business (68%, 65%, 58% and 41% respectively) than sole traders (32%)
45% of businesses in Finance and Insurance (K) said they used a public cloud provider which is a larger percentage than 8% in Agriculture, Forestry and Fishing (A), 11% in Manufacturing (C), 13% in Construction (F) and Wholesale and Retail, Repair of Motor Vehicles (G), 10% in Transport and Storage (H), 4% in Hotel/Catering (I) and 10% in Human, Health and Social Work (Q)

2.1.1 Overlap of different server types

Further analysis tried to understand the range of different infrastructure types used by businesses. Infrastructure types were grouped into three types by the location of their servers:

Businesses that said they stored and processed data on servers owned by the business in a rented space in a data centre, public cloud providers or third party via software or a web solution were grouped as storing data in an external data centre
Businesses that said they stored and processed data on servers in their office, a different building owned by their business or their company’s own data centre were grouped as storing data in an enterprise data centre
Businesses that said they stored and processed data on servers provided by an outsourced IT services company or a private cloud provider were grouped as storing data on an ambiguous server type

Among businesses that handled digitised data of any type:

21% said they stored and processed data just in an enterprise data centre
19% said they stored and processed data just in external data centres
7% said they stored and processed data just on an ambiguous server type
3% said they stored and processed data in all three categories of infrastructure

Figure 16: The overlap between the percentage of businesses that used different types of data infrastructure

Base: 1,670 UK businesses that handled digitised data of any type.

2.2 Server locations

Businesses that said they had servers held outside of their own premises were subsequently asked to provide the geographic location of these servers (if known).

41% of respondents said they have UK-based servers
6% said they have servers in the EU/EEA
5% said they have servers outside the UK and EU/EEA
70% of medium businesses said they have UK-based servers compared with 49% of micro businesses and 37% of sole traders
19% of large businesses said they have servers in the EU/EEA, a higher percentage than small and micro businesses (both 4%)

The greater tendency for larger businesses to say they have servers based in the EU/EEA could reflect their greater tendency to trade with businesses in other countries. For example, the ONS Annual Business Survey estimated 41% of businesses with at least 250 employees were exporters in 2021 compared with 11% of businesses with between 1 and 19 employees. For these businesses, using overseas servers could make it cheaper for some businesses to store and process data about customers in a different country. Some businesses could also be affected by data localisation laws in another country, which can require certain kinds of data about that to be stored and processed within its jurisdiction.

To further test the relationship between trade and storing or processing data overseas, among businesses that stored and processed data outside their premises:

22% that said they traded with the EU/EEA said they have servers located in the EU/EEA. This is higher than 3% of businesses that did not trade with the EU/EEA
17% that said they traded with countries outside the EU/EEA said they have servers located in countries outside the EU/EEA. This is higher than 3% of businesses that did not trade with countries outside the EU/EEA

2.3 Server downtime and disruption

The same group of businesses were asked whether they were affected by server or cloud outages or downtime in the previous 12 months.

Overall, 10% of businesses that said they stored data outside their premises (which equates to 2% of UK businesses) said they were affected by server or cloud outages or downtime
27% of large businesses said they were affected, compared with 9% of sole traders and 11% of micro businesses

Figure 17: Percentage of businesses that were affected by cloud or server outages or downtime in the previous 12 months

Base: 870 UK businesses that have servers located outside of their premises.

Businesses that said they were affected by cloud or server outages or downtime in the previous 12 months were then asked about the impact this had on their business.

10% of businesses said there was a critical impact on their ability to operate
6% said there was a significant impact
26% of businesses said there was a moderate impact
48% said there was a minimal impact
10% said there was no impact

The sample of businesses that were asked this question is too small to infer any meaningful variation between businesses in different size and sector categories.

In the 2024 Cyber Breaches Survey, 50% of businesses were recorded as identifying cyber breaches or attacks in the previous 12 months. This suggests, on average, server or cloud downtime or outages are less common than cyber breaches. However, no direct comparison can be made about the impacts of these incidents.

Figure 18: The percentage of businesses that experienced each degree of impact from server or cloud outages or downtime

Base: 110 UK businesses that experienced server or cloud downtime or outages in the previous 12 months.

Question 5

3 Data  Protection Law

Accepted Answer

This chapter concerns businesses’ awareness of, as well as the activities they have undertaken to comply with UK data protection law.

The Data Protection Act (DPA) 2018 is the framework for data protection law in the UK. It controls how personal information is used by organisations, businesses or the government and is the UK’s implementation of the General Data Protection Regulation (GDPR). It replaces the Data Protection Act 1998.

3.1 The Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is an executive non-departmental public body that upholds information rights in the public interest. The ICO is responsible for enforcing a variety of data-related laws including the Freedom of Information Act 2000 and the Data Protection Act 2018. To help with this, it publishes regulatory guidance for individuals and organisations about complying with these laws.

Among businesses that handled digitised data of any type:

58% said they had heard of the ICO and knew what it was
16% said they had heard of the ICO, but did not know what it was
26% said they hadn’t heard of the ICO
Large businesses (80%) were more likely to say they had heard of the ICO and knew what it was than small (66%) and micro businesses (58%) and sole traders (57%)
Businesses in Finance and Insurance (K) were more likely to say they had heard of the ICO and knew what it is (87%) than businesses in most other sectors

Figure 19: Percentage of businesses that say they have heard of the ICO, by sector

Base: 3,340 UK businesses that handled digitised data of any type.
Note: some data are suppressed due to small numbers, which is why not all categories sum to 100%.

Among businesses that handled personal data (either of employees or others):

42% said they agreed (strongly or somewhat) that the ICO’s published regulatory guidance is clear and easy to understand. 12% said they disagreed (somewhat or strongly) and 32% said they neither agreed nor disagreed.
74% of large businesses said they agreed the ICO’s guidance is clear and easy to understand. This is a larger percentage than sole traders (41%), micro businesses (43%) and small businesses (51%)
66% of businesses in Finance and Insurance (K) agreed the ICO’s regulatory guidance is clear and easy to understand. This is a larger percentage than 22% of businesses in Agriculture, Forestry and Fishing (A), 28% in Construction (F), 30% in Transport and Storage (H), and 31% in Manufacturing (C)

Figure 20: Whether businesses find the regulatory guidance published by the ICO clear and easy to understand, by size

Base: 2,990 UK businesses that handled digitised personal data (either of employees or others).
Note: some categories have been merged to manage small sample sizes. More detailed figures have been included in the data tables that accompany this report when they are based on sufficiently large samples.

3.2 Sensitive types of data

Businesses that said they handled personal data (either of employees or others) were asked what types of sensitive personal data (if any) they process.

10% said they processed children and young people’s data
5% said they processed criminal convictions and offences data

Article 9 of UK GDPR gives special protection to certain types of personal data that are considered particularly sensitive. These are known as “special category data” which includes (but is not limited to) personal data revealing a person’s political opinions, their racial or ethnic origin or their sexual orientation. The processing of such data is prohibited unless specific exemptions in the legislation apply.

Figure 21: Percentage of businesses that processed data classified as special category, by size

Base: 1,490 UK businesses that handled digitised personal data (either of employees or others).

Larger businesses that handled digitised personal data (either of employees or others) were typically more likely to handle each kind of sensitive personal data.

60% of large businesses said they processed special category data. This is a larger percentage than small (15%), micro businesses (7%) and sole traders (6%)
51% of large businesses said they processed children and young people’s data. The same percentage said they processed criminal convictions and offences data
Large businesses were more likely to process each of these types of sensitive data than small, micro businesses and sole traders
39% of businesses in Human, Health and Social Work (Q) said they processed Special Category data, which is a larger percentage than 2% of businesses in Wholesale and Retail, Repair of Motor Vehicles (G), 3% in each of Hotel/Catering (I), Information and Communication (J) and the Professional, Scientific, Technical (M) sector, 10% in Administrative and Support Services (N) and 6% in Arts, Entertainment and Recreation (R)

3.2.1 Reasons for processing special category data

To process personal data of any kind, data controllers (defined in UK GDPR) must identify at least one lawful ground for processing under Article 6 of UK GDPR. To process special category data, they must also identify a separate exemption under Article 9 of UK GDPR, as supplemented by relevant conditions and safeguards in Schedule 1 to the Data Protection Act 2018.

Businesses that processed special category data were asked to give the reasons they processed this data.

45% said they processed special category data for purposes related to health and research
41% said for employment-related purposes
27% said for identification purposes
20% said for purposes related to criminal convictions
20% said for religious purposes
16% said for substantial public interest

A larger percentage of large businesses said they processed special category data for purposes relating to employment (89%) and substantial public interest (61%) than micro businesses (33% and 25%).

The overall pattern of reasons for processing special category data is consistent with the sectoral breakdown of businesses that processed special category data, especially the relatively high percentage of businesses in Human, Health and Social Work (Q) that processed this kind of data.

Figure 22: Reasons businesses process special category data, as a percentage of businesses with each reason

Base: 170 UK businesses that processed special category data.

3.3 Impacts of data protection laws

Businesses that handled digitised personal data were then asked whether they had been prevented from carrying out the following activities, because of UK data protection laws:

Implementation of a new or improved product, process or business model
Using or sharing data due to a legal restriction under UK data protection law
Using or sharing data because of uncertainty that it was permitted under UK data protection law

The majority (90%) said they had not been prevented from carrying out any of the activities listed above. Sole traders (90%), micro businesses (90%) and small businesses (88%) were more likely to say they had not been prevented from doing one of these activities than medium and large businesses (66% and 74% respectively).

1% of businesses said they had been prevented from implementing a new or improved product, process or business model
4% said they had been prevented from using or sharing data due to a legal restriction under UK data protection law
4% said they had been prevented from using or sharing data because of uncertainty that it was permitted under UK data protection law

There was some additional variation between businesses of different size categories. Notably, large businesses (12%) were more likely to say they had been prevented from using or sharing data due to legal restriction under UK data protection law than micro businesses and sole traders (both 3%). This reflects the higher percentage of large and medium businesses that said they shared data outside their organisation, an indicator of more sophisticated data use.

3.4 Data protection compliance

3.4.1 Compliance personnel

Businesses that employ staff and handle digitised personal data (either of employees or others) were subsequently asked whether they have someone in their organisation whose role includes the leading of data protection compliance.

56% of businesses that employ staff and handled digitised personal data (either of employees or others) said they had someone whose role includes leading on data protection compliance
This percentage is higher in large businesses (92%) than small (65%) and micro businesses (54%)
86% of businesses Finance and Insurance (K) said they had someone whose role includes leading on data protection compliance, which is a larger percentage than most other sectors

Figure 23: Percentage of businesses that had someone whose role includes leading on data protection compliance, by sector

Base: 2,360 UK businesses that handled data on their employees.

To help understand the size and extent of businesses’ compliance activities, businesses were also asked how many Full Time Equivalent (FTE) members of staff undertake activities related to complying with UK data protection law as their primary activity.

42% of businesses that handled digitised personal data (either of employees or others) had at least one FTE member of staff whose primary role was to undertake activities related to complying with UK data protection laws
52% said they did not have any FTE staff whose primary role was to undertake activities related to complying with UK data laws. This does not necessarily mean these businesses do not have any staff who undertake activities related to complying with data protection laws

As expected, the percentage of businesses that said they did not have any FTE staff whose primary role was to undertake activities related to complying with UK data protection laws is smaller in large businesses (21%) compared with micro (54%) and small businesses (46%). This could reflect how, in smaller businesses, individual employees are likely to have less specialised roles compared to larger businesses.

Further analysis tried to understand the relative importance of undertaking activities related to complying with UK data protection law, in the role of employees whose role includes leading on data protection compliance.

Among businesses that said they had someone whose role includes leading on activities related to complying with UK data protection laws, 43% said they did not have any FTE members of staff whose main role was to undertake activities related to complying with UK data protection laws. This percentage was higher in micro businesses (44%) than large businesses (21%), which further suggests there is more specialisation in larger businesses’ compliance activities.

Sole traders were instead asked to provide an estimate of how many days they spent on a monthly basis to deal with data protection compliance.

85% of all sole traders that handled personal data said they spent no time dealing with data protection compliance on a monthly basis
10% said either 1 or 2 days
1% said either 3 or 4 days
3% said 11 days or more

3.4.2 Activities undertaken to comply with UK data protection law

All businesses that handled digitised personal data were asked about the measures they had taken in the previous 12 months to comply with UK data protection rules.

Among businesses that handled digitised personal data (either of employees or others) and employ staff:

23% said they ran data protection-related training for existing staff
7% said they employed or outsourced staff to handle data protection requirements
3% said they both outsourced or employed new staff and ran training for existing staff. This could suggest the outsourcing of understanding data protection laws does not perfectly substitute for the training of current staff to understand these laws

Figure 24: The overlap between the percentage of businesses that undertake different staff-related compliance activities

Base: 2,360 UK businesses that handled data on their employees.

Among businesses that handled digitised personal data (other than of employees):

10% said they introduced opt-in consent mechanisms
2% said they had received Subject Access Requests (SARs)

Among businesses that handled digitised personal data (either of employees or others) of any size:

5% said they sought legal advice
13% said they introduced new processes to implement data protection measures
19% said they rewrote or updated terms and conditions
18% said they rewrote, updated or introduced a privacy notice
8% said they purchased specialist software for data protection

Figure 25: The overlap between the percentage of businesses that undertake different compliance activities

Base: 2,990 UK businesses that handled digitised personal data (either of employees or others).

Among businesses that acquired personal data using cookies or similar technology placed on people’s connected devices, 33% said they updated how they manage cookies and tracking technologies used by their business.

Larger businesses were generally more likely to have taken a specified action to comply these rules.

79% of large businesses and 65% of medium businesses said they ran data protection-related training for existing staff, higher than 37% of small businesses and 19% of micro businesses. They were also more likely to employ staff or outsource specialist staff (27%) than small (9%) and micro (6%) businesses
Businesses in every size category were more likely to say they received subject access requests than each smaller category. 65% of large businesses received these requests compared with 32% of medium businesses, 9% of small businesses, 3% of micro businesses and 1% of sole traders

There were also some differences between sectors:

43% of businesses in Human, Health and Social Work (43%) said they ran training for existing staff. This was a larger percentage than in every other sector with the exception 41% in Education (P), 40% in Finance and Insurance (K) and 31% in Real Estate (L)
31% of businesses in Finance and Insurance (K) said they had rewritten or updated terms and conditions, which was a larger percentage than in some other sectors

3.4.2.1 Subject Access Requests

Subject Access Requests are requests made by, or on behalf of an individual for information about their personal data they are entitled to ask for under Article 15 of the UK GDPR. Organisations will generally have a month to respond, though the deadline can be extended by a further two months in relation to complex requests if the reasons for the delay are explained to individual within a month of receipt of the request.

Businesses that said they received SARs in the previous 12 months were then asked how many they had received and refused over the same period. Under UK GDPR, organisations can refuse to respond to a SAR in a limited number of circumstances, including when the request is manifestly unfounded or excessive, or where disclosure of the information could prejudice the organisation’s ability to fulfil certain public interest tasks, such as the prevention or detection of crime.

70% said they received fewer than 5 SARs
21% said they received between 5 and 49
4% said they received 50 or more
74% said they had not refused any of the SARs they received
12% said they had refused all the SARs they received

The sample was too small to draw conclusions about whether larger businesses that received SARs, or businesses in specific sectors, received more SARs or refused a larger percentage. However, note that in chapter 3.4.2 it was found that large businesses weremore likely to receive SARs than smaller business.

Sole traders that handled digitised personal data were asked how much time they spent in training related to UK data protection laws in the last 12 months.

The majority (55%) said they spent less than one hour undertaking such training
15% said from 1 hour to less than 2 hours
9% said from 2 hours to less than 4 hours
4% said from 8 hours to less than 24 hours
1% said from 24 hours to 40 hours
1% said 40 hours or more

Figure 26: Average time sole traders spent in training related to UK data protection law in the previous 12 months, as a percentage of sole traders stating a specific period of time

Base: 640 UK sole traders that handled digitised personal data (either of employees or others).

Businesses that said they ran training for staff in the previous 12 months, to comply with UK data protection rules, were asked about the number of staff receiving training related to UK data protection law.

The majority (61%) of these businesses said at least three-quarters of their staff received training
12% said from 50% to fewer than 75% of staff
11% said from 25% to fewer than 50% of staff
15% said fewer than 25% of staff

The same businesses were also asked to report the average time spent by staff, who received training related to UK data protection law, being trained in the previous 12 months

21% of staff said these staff spent less than 1 hour undertaking this training
41% said from 1 hour to fewer than 2 hours
23% said from 2 hours to fewer than 4 hours
7% said from 4 hours to fewer than 8 hours
3% said from 8 hours to fewer than 24 hours
1% said more than 40 hours

To compare these results to those reported for sole traders, further analysis was conducted. Businesses that said they had not run data protection-related training in the previous 12 months were treated as saying that the average time spent by staff (whose main role is not activities related to data protection compliance) in data protection-related training in the previous 12 months was less than 1 hour. This is a cautious approach to estimating the time spent in data protection-related training and will not pick up on the provision of data protection-related training run by third parties which is not organised by the business.

81% of businesses with employees that handled digitised personal data of any type said staff spent less than 1 hour receiving data protection-related training in the previous 12 months
10% said from 1 hour to less than 2 hours
5% said from 2 hours to less than 4 hours
2% said from 4 hours to less than 8 hours
1% said from 8 hours to less than 24 hours
Less than 1% said more than 40 hours

Figure 27: Percentage of businesses that said the average time spent by staff (who received training related to UK data protection law) being trained in UK data protection law in the previous 12 months is in each given range

Base: 2,250 UK businesses that handled digitised personal data (either of employees or others).
Note: this total does not include businesses that said they either did not know or preferred not to say whether staff had spent time in data protection-related training in the previous 12 months.

Using these adapted results for businesses with employees, it is clear a larger percentage of businesses with employees, that handled digitised personal data, had staff spending less than one hour on average in training related to complying with UK data protection laws, compared with the percentage of sole traders doing the same. This may point to the greater diversity of roles in businesses with employees compared with sole traders.

3.5 Time and money spent on compliance

All businesses that handled digitised personal data were then asked whether they had spent any time or money in the previous twelve months on a variety of activities related to UK data protection law. In 23% of these businesses, in-house staff had spent time on understanding UK data protection laws whereas 5% had outsourced work to a third party to support their understanding of these laws.

68% of large businesses and 61% of medium businesses said in-house staff hadspent time on understanding these laws, which is a larger percentage than sole traders (18%), micro businesses (30%) and small businesses (43%)
21% of large businesses outsourced this work to a third party compared with 5% of sole traders and micro businesses. This suggests larger businesses are more likely to both train in-house staff and outsource staff, instead of smaller businesses being more likely to outsource this work because of constrained in-house capacity. It also reflects the tendency, reported in chapter 3.4.1, for larger businesses to both run training for existing staff and outsource or employ staff to comply with data protection laws
37% of businesses in Finance and Insurance said in-house staff had spent time understanding UK data protection laws. This was a larger percentage than 11% in each of Agriculture, Forestry and Fishing (A), Manufacturing (C) and Transport and Storage (11%) and 14% in Construction (F).

Figure 28: Percentage of businesses at which in-house staff have spent time understanding UK data protection laws in the previous 12 months

Base: 2,990 UK businesses that handled digitised personal data of any type.

Further analysis was undertaken to understand whether there was a link between the time and money spent understanding UK data protection laws, and whether businesses agreed the ICO’s guidance was easy to understand. It was expected that businesses that spent time or money understanding UK data protection laws were more likely to find the ICO’s guidance clear and easy to understand.

62% of businesses that said staff in their organisation had spent time understanding UK data protection laws agreed the ICO’s guidance was easy to understand, compared with 36% of businesses that did not
46% that outsourced work to a third party to support understanding UK data protection laws agreed the ICO’s guidance was easy to understand. The sample is too small to detect if this is a larger percentage than among businesses that did not outsource work

These results suggest in-house resources could be effective in helping businesses understand the ICO’s regulatory guidance, but does not provide the same evidence to suggest this is true of investment in out-of-house resources.

3.5.1 Time spent on compliance

Businesses that said they had staff whose primary role is to undertake activities related to complying with UK data protection laws, and that said staff had spent time understanding UK data protection laws in the previous 12 months were asked how much time staff whose primary role is undertaking activities related to complying with UK data protection laws spent understanding these laws in the same period.

8% said these staff spent less than 1 hour understanding these laws
21% said between 1 and 2 hours
21% said between 2 and 4 hours
14% said between 4 and 8 hours
15% said between 8 and 24 hours
6% said between 24 and 40 hours
8% said 40 hours or more
A larger percentage, 38%, of large businesses said these staff spent 40 hours or more, on average, understanding these laws than small businesses (8%) and micro businesses (6%)

All businesses with employees that handled digitised personal data and said their staff spent time understanding UK data protection law in the previous twelve months were asked to report the number of staff who spent time understanding UK data protection laws in the same period, but whose primary role is not related to complying with UK data protection law.

28% of businesses only staff, whose primary role is to undertake activities related to complying with UK data protection laws, have spent time understanding these laws
5% said around half an FTE staff member
26% said between 1 and 2 members of staff
13% said between 3 and 10 members of staff
2% said 11 or more staff
21% said all staff

30% of micro businesses said none of their staff, whose primary role is not complying with UK data protection law, spent time understanding UK data protection laws in the previous 12 months. This was a larger percentage than small businesses (19%) and large businesses (10%).

3.5.2 Money spent on compliance

Businesses that said they outsourced work to support understanding UK data protection laws in the previous 12 months were asked whether they knew roughly each of how much time and money they had spent on this external support in the previous 12 months.

Businesses that said they knew how much this work costs were asked to report the amount they spent on paid external bodies, contracted staff, lawyers or similar to help their business understand UK data protection laws in the previous 12 months.

42% said this work cost less than £100
26% said it cost at least £100 but less than £600
12% said it cost at least £600 but less than £1,000
18% said it cost £1,000 or more

The sample size was too small to infer any significant differences between businesses in different size or sector categories.

Businesses that said they knew how much time had been spent on external support, but that did not say they knew how much money had been spent, were instead asked to estimate the amount of time spent by this support in helping their business understand UK data protection laws in the previous 12 months. However, the sample was too small to report a breakdown of responses to this question.

3.6 Perceived burden of complying with UK data protection law

All businesses that handled digitised personal data (either of employees or others) were asked whether it felt like the burden of complying with UK data protection laws had changed over the previous 12 months.

14% said the burden of complying with UK data protection law had increased (either a little or a lot)
75% said it had stayed around the same
1% of businesses said it had decreased (either a little or a lot)
9% said they did not know whether the burden had increased, decreased or stayed the same
Large businesses were more likely (32%) to say it felt like the burden had increased than small businesses (18%), micro businesses (17%) and sole traders (12%)
27% of businesses in Human, Health and Social Work (Q) said they felt the burden of complying with data protection laws had increased in the previous twelve months. This is a larger percentage than most other sectors

Figure 29: Percentage of businesses that felt the burden of complying with UK data protection laws in the previous 12 months had increased, stayed around the same or decreased, by size

Base: 2,990 UK businesses that handled digitised personal data (either of employees or others).
Note: some categories have been merged to manage small sample sizes. More detailed figures have been included in the data tables that accompany this report when they are based on sufficiently large samples.

Question 6

4 International  data flows

Accepted Answer

This chapter investigates the flow of data between UK businesses and organisations or people outside of the UK, as well as the factors that promote or limit these international data flows. It also concerns the mechanisms businesses use to make restricted transfers of personal data internationally. See Chapter 4.7 for a discussion of these mechanisms.

4.1 General transfer of data internationally

Overall, 9% of businesses, that said they handled digitised data of any type, said they transferred (either sent or received) data with other organisations outside of the UK. This equates to 7% of all UK businesses.

36% of large businesses and 26% of medium businesses said they transferred data internationally. These are larger than the percentage of small businesses (11%), micro businesses (10%) and sole traders (8%)
38% of businesses in Mining, Energy and Water (B, D, E) said they transferred data internationally which is a larger percentage than the majority of other sectors

Figure 30: Percentage of businesses that transferred data internationally, by sector

Base: 3,340 UK businesses that handle digitised data of any type.

4.1.1 Trade and the transfer of data

Among businesses that handled digitised data of any type and traded with countries outside the United Kingdom, 31% transferred data internationally. A smaller percentage (4%) of businesses that handled digitised data of any type, and did not trade with countries outside the UK, transferred data internationally.

42% of businesses that handled digitised data any type of and traded with countries both inside and outside the EU/EEA said they transferred data with other countries. This is larger than 18% of businesses that only traded with countries in the EU/EEA. 25% of businesses that only traded with countries outside the EU/EEA and handled digitised data said they transferred data with other countries. Note that the sample is too small to detect whether businesses that only traded with countries outside the EU/EEA were more likely to transfer data internationally than businesses that only traded with countries in the EU/EEA.

4.2 Transfer of different types of data

Businesses that handled personal data (either of employees or others) and transferred data internationally were asked whether they sent or received personal data from outside of the UK. 49% said they sent personal data outside of the UK, compared with 59% that received personal data. 35% said they both sent and received personal data from outside the UK.

Among these businesses, large businesses (75%) were more likely to say they sent personal data outside the UK than small (47%) and micro businesses (41%).

Figure 31: The overlap between the percentage of businesses that sent and received personal data from outside the UK

Base: 380 UK businesses that handled digitised personal data (either of employees or others) and transferred data internationally.

Businesses that handled non-personal data (other than of employees) were similarly asked whether they sent or received non-personal data from outside the UK. A higher percentage, 73% said they sent non-personal data outside of the UK, with 77% receiving non-personal data. 62% said they both received and sent non-personal data to countries outside the UK.

Figure 32: The overlap between the percentage of businesses that sent and received personal data from outside the UK

Base: 340 UK Businesses that handled digitised non-personal data (other than employee data) and transferred data internationally.

4.3 Locations with which businesses transfer data internationally

The survey then asked businesses that transferred data internationally about the provenance and purpose of these transfers.

The majority (77%) of these businesses said they sent or received data from countries in the EU or EEA
52% that said they transferred data with countries in North America
37% said they transferred data with countries in the Asia-Pacific region
32% said they transferred data with countries in Europe outside the EU/EEA
20% said they transferred data with countries in the Middle East
10% said they transferred data with countries in Latin America and the Caribbean
9% said they transferred data with countries in Sub-Saharan Africa
8% said they transferred data with countries in North Africa

Figure 33: Regions with which businesses transferred data

Base: 420 UK businesses that transferred data internationally.
Note: responses sum to more than 100% because businesses were allowed to specify more than one region.

Businesses that transferred data internationally were asked to list up to five countries with which they transferred data. The top ten most listed countries are as follows (in order):

United States of America
France
Germany
Spain
Italy
Australia
Netherlands
Canada
Ireland
Belgium

Figure 34: Top ten countries with which businesses transferred data internationally

Base: 390 UK businesses that said they transferred data internationally and specified the regions with which they transfer data.
Note: responses sum to more than 100% because businesses were asked to provide up to five countries with which they transfer data.

The chart below plots the relative popularity of EU/EEA countries as locations with which UK businesses said they transfer data.

Figure 35: Percentage of businesses that transferred (sent or received) data with each country in the EU/EEA

Base: 390 UK businesses that said they transferred data internationally and specified the regions with which they transfer data.
Note: countries for which data is suppressed are shown in grey. Businesses were only asked to provide up to five countries with which they transfer data.

Further analysis tried to understand how the number of countries with which businesses transfer data is distributed.

31% of businesses listed only one country with which they transferred data
12% of businesses listed two
10% of businesses listed three
11% of businesses listed four
27% of businesses listed five

However, note that businesses were only asked to list up to five countries with which they transferred data. Further research could enrich this report’s findings on the distribution of the number of countries with which businesses transfer data internationally, by permitting businesses to list more than 5 countries with which they transfer data.

Figure 36: The number of distinct countries with which businesses transferred data

Base: 390 UK businesses that said they transferred data internationally and specified the regions with which they transfer data
Note: businesses were only allowed to provide up to 5 countries with which they transfer data internationally.

4.4 Perceived burden of UK data protection laws on trade

All businesses that said they handled digitised personal data (either of employees or others) were asked whether they thought UK data protection laws are a barrier to trade with countries outside of the UK.

Roughly half of these businesses neither agreed nor disagreed these laws are a barrier to trade with countries outside the EU/EEA (49%) and a similar percentage (50%) said these laws are not a barrier to trade with countries in the EU/EEA
7% of these businesses strongly or somewhat agreed UK data protection laws are a barrier to trade with countries outside the EU/EEA and 8% strongly or somewhat agree these laws are barrier to trade with countries in the EU/EEA

Larger businesses were more likely to agree the UK’s data protection laws are a barrier to trade with countries outside the EU/EEA (15%) than small (5%) and micro businesses (7%). However, they were also more likely to disagree these laws are a barrier to trade with the EU/EEA than micro businesses (25% compared with 16%). This could reflect the fact larger businesses were more likely to say they agreed the ICO’s regulatory guidance is clear to easy understand, or how larger businesses were more likely to trade with countries outside the UK (as discussed in Chapter 2.2). Both could suggest larger businesses are more certain about the consequences of UK data protection law for their trade with other countries.

Figure 37: Whether businesses agree or disagree that UK data protection laws are a barrier to trade for their business

Base: 2,990 UK businesses that handled digitised personal data (either of employees or others).

Excluding businesses that did not trade with countries outside of the UK, 16% of businesses that traded with the EU/EEA strongly or somewhat agreed data protection laws are a barrier to EU/EEA trade. The same percentage of businesses that traded with countries outside the EU/EEA said they agreed UK data protection laws are a barrier to trade with the rest of the world.

4.5 Experiences transferring data internationally

Businesses that transferred data internationally were asked whether they had encountered any of the following issues when transferring data internationally:

Issues due to cost, complexity or transparency of UK data protection law
Issues due to the cost, complexity or transparency in a country’s local data protection law
Issues due to data localization of the receiving country
Issues due to the cost, complexity or transparency of UK data protection law or the cost or complexity of implementing legal safeguards to transfer personal data

Overall, 83% of businesses said they had not encountered any of these issues when trying to transfer data internationally. 14% said they encountered at least one of these issues.

Among businesses that sent personal data outside the UK, 10% said they encountered issues due to the cost or complexity of implementing legal safeguards to transfer personal data (6% of businesses that transfer data internationally)
6% of businesses that said they transferred data internationally said they had encountered issues due to cost, complexity or transparency or UK data protection law
6% said they had issues due to the cost, complexity or transparency in a country’s local data protection law
4% said they encountered issues due to data localization of the receiving country

Businesses that encountered one or more of these issues were asked whether their experience prevented them from transferring data internationally.

7% said it prevented them from transferring personal data
5% said it prevented them from transferring non-personal data
26% said it prevented them from trading with a business outside of the UK
10% of businesses that had issues due to the cost or complexity of complying with UK data protection law said their experience prevented them from transferring personal data
Among businesses that said they trade with countries outside of the UK, 1% said they had issues transferring data internationally due to data localisation of a receiving country, and that their experience prevented them from trading with a business outside the UK

The sample was too small to infer statistically significant sectoral or size differences in the percentage of businesses that either encountered issues when trying to transfer data internationally, or that said this prevented them from carrying out specific activities.

4.6 Reasons for not transferring data internationally

Businesses that said they did not transfer data internationally were instead asked for the reasons they did not transfer data internationally.

The majority (92%) said they had no need to share data with businesses, organisations or people outside the UK
23% said there was not sufficient value to their business in sharing data internationally
15% said their business did not have the resources to share data internationally
3% said they did not transfer data internationally due to the cost, complexity or transparency of UK data protection law
3% said they did not transfer data internationally due to the cost or complexity of implementing legal safeguards to transfer personal data
2% said they did not transfer data internationally due to the cost, complexity or transparency in another country’s or region’s local data protection law

4.7 Mechanisms for transferring data internationally

The UK GDPR has rules about restricted transfers of personal data to people or organisations based in third countries outside the UK. The transfer of personal data is permitted if the UK has findings of adequacy about the third country. These findings confirm the country, or a specified territory/sector in that country, has an adequate regime for protecting personal data. If the UK does not have these findings, there are various mechanisms that organisations can use to transfer data.

When the UK was a member state of the EU, UK businesses could transfer personal data to an organisation based outside of the EEA using a set of model contracts called Standard Contractual Clauses (SCCs). These contracts were first introduced under the European Commission’s 1995 Data Protection Directive, and later updated in 2021 under its GDPR. These are the European Commission’s “new SCCs”.

In March 2022, SCCs were replaced in the UK by International Data Transfer Agreements (IDTAs) and the International Data Transfer Agreement Addendum to the European Commission’s new Standard Contractual Clauses. In the remainder of this report, the term “EU SCCs” refers to the Addendum. Businesses were still permitted to use either the old EU SCCs, or new SCCs without the Addendum until March 2024.

Neither IDTAs nor the Addendum are required for transferring personal data within a group of multinational enterprises or undertakings. For these purposes, registered companies can use a different set of legal instruments called Binding Corporate Rules (BCRs).

Among businesses that said they sent personal data to countries outside of the UK:

15% said they used International Data Transfer Agreements (IDTAs)
25% said they used EU Standard Contractual Clauses (SCCs)
20% said they used Binding Corporate Rules (BCRs)
19% said they used Adequacy
15% said they used exceptions for exceptional circumstances
49% said they used none of these mechanisms

Figure 38: Percentage of businesses using specific mechanisms for transferring personal data internationally

Base: 190 UK businesses that sent personal data outside the UK.

Note that unlike in previous years, the wording in this year’s survey distinguished between EU SCCs and IDTAs, which were not yet in force when the 2022 or 2021 UKBDS fieldwork was conducted.

As the use of different mechanisms to transfer personal data overseas is governed by UK data protection law, it was anticipated the variety of available mechanisms for transferring personal data overseas could create confusion among businesses that are less familiar with UK data protection laws.

Earlier in this publication, it was also reported businesses with more employees, that handled digitised personal data, were more likely to say they agreed the ICO’s regulatory guidance was clear and easy to understand. We therefore expected a larger percentage of smaller businesses to say they didn’t use any of the tools listed or that they didn’t know which tools they used.

As expected, large businesses (54%) were more likely to say they used IDTAs than micro businesses (11%). They were also more likely (71%) to say they used SCCs than micro businesses and sole traders (14% and 27% respectively), as well as Adequacy (53% compared with 12% and 21% respectively).

Further analysis tried to understand whether these patterns are different in businesses that said they only transferred data with the EU/EEA. It was expected, for example, that businesses that only transferred data with the EU/EEA could be more likely to use adequacy for sending personal data overseas, because the UK government has full findings of adequacy about the EU/EEA but about only a fraction of countries outside the EU/EEA.

Among businesses that sent personal data outside the UK and only transferred data with the EU/EEA:

20% said they used adequacy
17% said they used IDTAs
41% said they used EU SCCs
21% said they used BCRs

The prevalence of mechanisms other than adequacy in these responses could be because businesses were encouraged to prepare for the potential loss of adequacy after the UK left the EU. It is also possible businesses have other reasons for using alternative mechanisms, such as client preferences or uncertainty.

However, the sample size is too small to assess whether these percentages are different from those in businesses that did not say they only transferred data with the EU/EEA.

Further analysis tried to understand the scale and complexity of businesses implementing data transfer mechanisms. Businesses that said they used SCCs to transfer data internationally were asked how many they had implemented in the previous 12 months.

33% said they had not implemented any
39% said they implemented between 1 and 5
Less than 1% said they implemented between 11 and 50
24% said they did not know how many their business had put in place in the previous twelve months

The sample size was too small to draw any significant comparisons between different size or sector categories.

Businesses that knew how many SCCs they had implemented in the previous year gave a spread of timeframes needed to implement one such clause.

47% said one SCC took up to half a working day to implement, with a further 50% saying it took between half a day and 5 working days
Among these businesses, most (62%) said they did not externally contract legal support to implement an SCC

Once again, the number of businesses asked this question was too small to draw meaningful conclusions about variation between businesses in different size or sector categories.

Question 7

5 Comparison  with previous years

Accepted Answer

This chapter summarises some headline comparisons between the results of this year’s UKBDS and the 2022 and 2021 UKBDS. These inter-year comparisons should be treated with particular caution: the 2024 and 2022 UKBDS both used a mix of Computer Assisted Telephone Interview (CATI) and online interviewing methods, however no businesses were interviewed online in the 2021 UKBDS. See Appendix A.5 for a discussion of possible ‘mode effects’ on each year’s results.

5.1 Handling of any digitised data

The vast majority of large, medium and small businesses in 2024 (99%) said they handled digitised data of any type, which is effectively unchanged since the 2022 and 2021 UKBDS. As described in the UK Business Population Estimates 2023, these businesses make up more than two-thirds of employment in the UK’s private sector business population (excluding businesses in Finance and Insurance) and contribute to nearly 80% of its turnover.

Overall, the percentage of businesses that said they handled digitised data of any type in the UKBDS 2024 (77%) is smaller compared with 85% in the UKBDS 2022. We expected this figure to either increase or stay the same between 2022 and 2024 because the share of businesses that said they handled digitised data grew from 81% in the 2021 UKBDS, to 85% in 2022.

This change is largely attributable to a fall in the share of smaller businesses that said they handled digitised data.

A smaller share of micro businesses said they handled digitised data of any type (86% in 2024 compared with 90% in 2022 and 91% in 2021)
In addition, the percentage of sole traders that said they handled digitised data of any type is smaller in 2024 (73%) compared with 2022 (83%), but not smaller than 2021 (76%)

It is also important to highlight that limited scope of this time series means there is insufficient historical data to uncover whether these patterns reflect a downwards trend in data use among businesses. For instance, the higher rates of data use in 2021 and 2022 could reflect the adoption of digitised technologies that businesses only needed during the COVID-19 pandemic. Smaller businesses could also be more likely to temporarily adopt these technologies in the short-term. This might explain why the overall fall in the percentage of businesses that handled digitised data is mostly driven by businesses with fewer than 10 employees.

In addition, the use of digitised data does not always reflect engagement in the digital economy. Many businesses that sell goods and services online, for instance, might not store customer data in a digitised format

Some of the difference between the 2021, 2022 and 2024 results might also be explained, in part, by differences in the composition of the online and CATI samples. See Appendix A for a discussion.

Figure 39: Percentage of businesses that handled digitised data of any type, by size and year

Base: 3,910 UK businesses (2024), 5,086 UK businesses (2022) and 4,500 UK businesses (2021).

Overall, the sectoral breakdown of general data use in this year’s survey replicates the higher rates of data use in the UK’s service sectors (compared with its construction, agriculture and production sectors) observed in the 2022 and 2021 UKBDS surveys.

5.2 Further inter-year comparisons

The following tables summarise the other comparisons between the 2024 UKBDS and the 2022 and 2021 publications. Note that any differences are reported only when the question wording and structure are the same each year.

Table 1: Comparable questions between the 2021, 2022 and 2024 UK Business Data Surveys

Differences in:	2021 total	2022 total	2024 total
Chapter 1 General Data Use
Percentage of businesses that handled digitised personal data (other than employee data)	65%	63%	58%
Percentage of businesses that handled any non-personal data (other than employee data)	-	52%	47%
Percentage of businesses that analysed data	26%	N/A	21%
Chapter 3: Data Protection Law
Percentage of businesses that ran data protection-related training for existing staff	N/A	29%	23%
Percentage of businesses that introduced opt-in consent mechanisms	N/A	18%	10%
Percentage of businesses that sought legal advice to comply with data protection laws	N/A	8%	5%
Percentage of businesses that introduced new processes to implement data protection measures	N/A	20%	13%
Percentage of businesses that rewrote or updated T&Cs	N/A	29%	19%
Percentage of businesses that rewrote, updated or introduced a privacy notice	N/A	29%	18%
Percentage of businesses that felt the burden of UK protection laws has increased in the previous 12 months	N/A	22%	14%

Note: 2022 and 2021 figures which are not significantly different from 2024 are denoted by ‘-’. When businesses were not asked a question in 2022 or 2021, this is denoted using ‘N/A’

Most questions about data infrastructure and international data transfers were structured and worded differently in 2024 compared with each of 2022 and 2021, which meant the number of comparable questions on these topics is small. There are no further differences to highlight between all businesses that were asked these questions.

Question 8

6 Regional  differences

Accepted Answer

The survey collected information about the region in which respondents to the survey were based. Where the sample size is sufficiently large, it is possible to explore variation in the results across different regions of the UK.

Like in the 2021 and 2022 UKBDS reports, there were very few statistically significant differences between regions. It is also possible some of these differences are driven by variation in the percentage of businesses in each size and sector category (see the ONS Business: activity, size and location dataset). Therefore, it is difficult to draw any meaningful conclusions from these differences.

The data tables accompanying this report contain full regional breakdowns of the results for most questions, as well as the confidence intervals for these breakdowns.

Question 9

Appendix

Accepted Answer

A Methodology

A.1 Overview

Respondents from a total of 3,911 UK businesses were interviewed for this survey between October 2023 and February 2024 either via Computer Assisted Telephone Interview (CATI) or an online self-completion form.

The sample was chosen to give robust coverage of businesses in each UK region, business size and sector category. Responses were weighted according to business size and sector to make the sample representative of the UK business population.

See the attached technical report for more information about the sample selection and weighting procedure.

A.2 Definition of Digitised Data

As described in the accompanying technical report, businesses were asked whether they handle any digitised data, of which they were given the following definition:

“Digitised information that your organisation may hold, for example things such as financial records and names and addresses of employees and customers. All businesses use data in some form, and we are interested in speaking with all businesses even if you only deal with a small amount of digitised data.”

The survey was tailored to the handling of digitised data, although the handling of non-digitised personal information (like paper records) is also subject to UK data protection law.

A.3 Business size, sector and regional categories

In this publication, businesses are categorised by sector according to their Standard Industrial Classification (SIC) 2007 codes. For more information about these codes, please see the Office for National Statistics’ (ONS) web page.

Like in the 2022 and 2021 UKBDS publications, businesses are grouped by size into the following categories:

sole traders (0 employees)
micro businesses (1 to 9 employees)
small businesses (10 to 49 employees)
medium businesses (50 to 249 employees)
large businesses (250 employees or more)

Regional categories are determined using International Territorial Level (ITL) classification. Every business is assigned one of the 12 ITL 1 subdivisions. For more information about these codes, please see the ONS’ web page on International Geographies.

A.4 Modularised Survey Questions

As described in the technical report, questions about the outcomes of data use, data infrastructure and sensitive personal data were modularised. This approach meant the survey could collect data on a larger range of topics without asking each business too many questions.

Businesses that said they handled digitised data of any type were randomly assigned to one of two groups. Businesses in Module ‘A’ were then asked questions about the sensitive types of data they handle. Businesses assigned Module ‘B’ were asked about the infrastructure they use to store and process data. Random assignment means the results of these questions are still representative of the wider sample and, with appropriate weighting, the UK business population.

A.5 Mode Effects

Like in the 2022 UKBDS, this year the fieldwork was conducted in two modes: businesses were interviewed either via computer assisted telephone interview (CATI) or via an online questionnaire. In 2021, businesses were only interviewed using CATI.

Further analysis tried to understand if the smaller percentage of businesses that said they handled digitised data of any type in 2024 was the product of interviewing more, or a different sample of businesses using CATI rather than online, compared with 2022.

This is because there is a chance that businesses that chose to answer survey questions online are more engaged with the use of digitised data and technology, and better understand whether and how their business uses digitised data.

Overall, the percentage of businesses interviewed via CATI was slightly larger in 2024 and 2022 (77% and 72% respectively). However, the change in methodology from interviewing every business using CATI in 2021, to interviewing businesses with a mixture of CATI and the online questionnaire produced only had a small influence. Therefore, it is likely any changes in sample composition between 2022 and 2024 also had a small effect.

For a discussion of the effects of methodology changes between the 2021 and 2022 UKBDS, see the 2022 report.

B Interpreting the data

B.1 Uncertainty when estimating results

The sample of businesses that responded to the survey is only a fraction of all UK businesses. This means it is not possible to say for certain whether the statistics reported in this publication are representative of the ‘true’ values in the UK business population.

However, it is possible to calculate the probability that the true value lies within a given range, or “confidence interval” of the sample statistic. This is calculated using the number of respondents or ‘observations’ in the sample and the percentage of observations that give each response to a question. Confidence intervals are expressed in percentage terms: there is a 95% probability that a figure’s true value lies in the 95% confidence interval of its sample statistic.

Confidence intervals can be depicted using ‘error bars’ on bar charts of the responses to a question, which are demonstrated below in an example. 65% of respondents in a hypothetical sample were reported as saying ‘Yes’, but there is a 95% probability the true population figure lies between 45% and 85%.

Figure 40: An example showing how to interpret confidence intervals on a bar chart

B.2 Reporting differences between groups

Throughout this report, there are comparisons between the percentage of businesses in two different groups that gave each response to a particular question. For example, large businesses with employees (98%) are reported as being more likely to handle employee data than small and micro businesses (92% and 69% respectively).

Such comparisons are only highlighted if the difference between two estimates is statistically significant. The reporting threshold in this publication is the 5% significance level, meaning the probability two different estimates are really the same value is less than 5%.

B.3 Treatment of small samples

If there are too few responses to a question, sample percentages can be misleading estimates of the true population figure. For this reason and to prevent the disclosure of individual results, some figures in the attached output tables are suppressed.

Note that each time the number of respondents to a question is reported (including in the attached output tables and the charts contained in this report), this has also been rounded to prevent the disclosure of individual results.

This is smaller than the percentage of businesses with websites who acquire personal data using cookies, because businesses without websites are included in the base for this figure. ↩

Cookies on GOV.UK

Executive Summary

General data use

Data Infrastructure

Data Protection Law

International Data Flows

Introduction

Code of Practice for Statistics

Background

1 General data use

1.1 Handling of digitised data

1.1.1 General handling of digitised data

1.1.2 Handling of different types of data

1.2 Data collection and acquisition

1.2.1 Data collection using cookies and other technology

1.3 Data sharing

1.3.1 Reasons for sharing data

1.4 Data analysis

1.5 Use of data for Artificial Intelligence and Automated Decision Making

1.6 The data market

1.6.1 Website use

1.6.2 Data suppliers

1.7 Availability of data and the outcomes of data use

2 Data infrastructure

2.1 Types of data infrastructure

2.1.1 Overlap of different server types

2.2 Server locations

2.3 Server downtime and disruption

3 Data Protection Law

3.1 The Information Commissioner’s Office

3.2 Sensitive types of data

3.2.1 Reasons for processing special category data

3.3 Impacts of data protection laws

3.4 Data protection compliance

3.4.1 Compliance personnel

3.4.2 Activities undertaken to comply with UK data protection law

3.4.2.1 Subject Access Requests

3.4.3 Compliance-related training

3.5 Time and money spent on compliance

3.5.1 Time spent on compliance

3.5.1.1 Time spent on compliance by staff whose primary role is related to compliance with UK data protection laws

3.5.1.2 Time spent on compliance by staff whose primary role is not related to compliance with UK data protection laws

3.5.2 Money spent on compliance

3.6 Perceived burden of complying with UK data protection law

4 International data flows

4.1 General transfer of data internationally

4.1.1 Trade and the transfer of data

4.2 Transfer of different types of data

4.3 Locations with which businesses transfer data internationally

4.4 Perceived burden of UK data protection laws on trade

4.5 Experiences transferring data internationally

4.6 Reasons for not transferring data internationally

4.7 Mechanisms for transferring data internationally

5 Comparison with previous years

5.1 Handling of any digitised data

5.2 Further inter-year comparisons

6 Regional differences

Appendix

A Methodology

A.1 Overview

A.2 Definition of Digitised Data

A.3 Business size, sector and regional categories

A.4 Modularised Survey Questions

A.5 Mode Effects

B Interpreting the data

B.1 Uncertainty when estimating results

B.2 Reporting differences between groups

B.3 Treatment of small samples

Is this page useful?

Help us improve GOV.UK

Help us improve GOV.UK