Research and analysis to quantify the benefits arising from personal data rights under the GDPR – August 2017

Practice area: Business analytics | Consumer and firm behaviour | Consumer markets and protection | ICT | Internet/New Economy | Privacy and security | Public Policy | Remedies and enforcement
Client: Department for Culture, Media and Sport
Published: 07 August, 2017
Keywords: modelling qualitative analysis quantitative analysis stakeholder surveys and consultations
The act of disclosing personal data typically takes place in an environment of incomplete and asymmetric information. This explains the crucial role of consumer confidence in enabling transactions that involve the disclosure of personal data.
LE’s study for DCMS investigates the benefits of new individual rights introduced by the European General Data Protection Regulation (GDPR) through a review of secondary evidence and:
  • an online survey of 250 individuals with data protection responsibility at their place of work (professionals survey);
  • an online survey of 503 individuals including a choice experiment allowing for valuation of data rights (consumer choice experiment);
  • three online forums with individuals with data protection responsibility at their place ofwork;
  • seven in-depth interviews with senior data professionals in UK businesses.
The study uses a choice experiment to elicit realistic, context-specific valuations of GDPR rights for three common data-intensive transactions: retail store loyalty cards, electricity smart meters and rewards for health & lifestyle monitoring in health insurance contracts.
The consumer choice experiment finds that individuals are willing to forego savings of roughly 5% to 10% on weekly spending on shopping, monthly spending on electricity or monthly spending on health insurance in order to have the rights enshrined in the GDPR.
The study finds stronger regulatory framework is likely to mitigate the effect of a localised loss of trust, by reassuring consumers that companies in general are incentivised (through rights that allow user control etc.) to keep data safe, and to react to a loss event by strengthening security.