UK organisations still falling short on GDPR compliance, benchmark report finds
John E. Kaye
- Published
- News, Technology

Analysis of more than 60 organisations shows widespread gaps in privacy by design, accountability and data subject rights across multiple sectors
UK organisations continue to show significant weaknesses in core data protection practices, particularly in privacy by design and accountability, according to a new study.
The GDPR Benchmark Report 2025, published by GRC Solutions, analyses GDPR gap-assessment data from more than 60 organisations across eight sectors.
Despite the General Data Protection Regulation entering its eighth year of enforcement, many organisations were found to remain at a “limited” or “developing” level of assurance across key control areas.
The report evaluates performance across nine GDPR control areas including governance, risk management, information management system maturity, defined roles and responsibilities, personal information management system (PIMS) implementation and data subject rights.
Technology companies outperform other sectors, supported by widespread adoption of ISO 27001 and ISO 27701, in-house expertise and established privacy and compliance functions.
Even in this sector, however, privacy by design remains in the “developing” range, suggesting ongoing difficulty in embedding data protection into systems and products at the design stage.
Construction and manufacturing show among the lowest levels of GDPR maturity. Construction organisations score well in governance and risk management but perform poorly in privacy by design, PIMS and data subject rights. Manufacturing records the lowest sector score in the report, with 3.9 out of 10 for data subject rights.
Heavily regulated sectors also show gaps. In finance, GDPR responsibilities are often absorbed into broader compliance functions, resulting in weak scores for privacy by design, PIMS and training, despite stronger performance in risk management and data subject rights. And health sector organisations show low scores for scope of compliance, often linked to weak contract management and limited due diligence on third parties.
Hospitality, retail and public and non-profit organisations also continue to struggle, according to the findings. Performance in hospitality and retail is described as highly variable, while the public and non-profit sector records some of the lowest scores in the report for information management system maturity.
Nearly a third (30 per cent) of UK charities experienced a cyber attack in the past year, citing the UK Government Cyber Security Breaches Survey 2025, the report adds.
Across all sectors, the report identifies three recurring weaknesses: lack of formal responsibility and accountability for GDPR activities, insufficient training and awareness, and poorly implemented or non-existent PIMS programmes.
Louise Brooks, the Head of Privacy Consultancy at GRC Solutions, said: “Due diligence on third parties is often lacking which means organisations have limited assurance that any personal data accessed by those partners will be handled securely.
“Getting this right clarifies roles and responsibilities, reduces the likelihood of incidents and personal data breaches and protects organisations from liability.”
She added: “When resources are limited, we often see organisations cut compliance budgets first but this is short-sighted. Data protection and information security compliance have never been more important.”
READ MORE: ‘Cracking open the black box: why AI-powered cybersecurity still needs human eyes’. As phishing threats accelerate, the next stage of defence requires transparent systems, accountable decision-making, and AI that is continually strengthened through human verification.
Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.
Main image: Element5 Digital/Pexels
TOP STORIES
-
Humanoid robots could become the next K-pop stars -
Hormuz flashpoint keeps global shipping on high alert -
Scientists to gather in Lisbon to tackle next pandemic threats -
Burnham warned digital exclusion is now a national security risk -
Masts from Kent ‘doomsday wreck’ to be cut to prevent catastrophic explosion -
GigaCloud and Cubbit launch sovereign cloud storage for Ukraine and Poland -
Tributes paid to ‘forthright and fearless’ Ann Widdecombe -
Boeing to debut Ghost Bat drone at Farnborough Airshow -
Reeves opens ‘£2bn lifeline’ for small firms -
Babymoon boom: Rhodes crowned 2026's top pre-baby escape as Salcombe leads UK getaway list -
Xavier Niel to become Vodafone’s largest shareholder in £4.4bn deal -
Two-thirds of lawyers say strong legal claims are dropped because of cost -
UK government must "think again" about small business plan -
Lockheed Martin pushes European missile expansion at NATO summit -
Britain's new homes face 2050s heat test as experts warn of overheating crisis -
Sky agrees £1.6bn deal to buy ITV’s broadcasting and streaming arm -
Scientists crack dinosaur egg mystery by building life-size nest -
Nobel laureate Omar Yaghi launches global science network -
Cardiff drivers safest in Britain as London comes last -
Former Kyndryl Germany boss joins Infinigate in growth role -
Volunteers collect 11m rare seeds to restore Scotland’s native forests -
Trump threatens 'immediate 100pc tariffs' on European countries over tech taxes -
World’s biggest golf tour lands global eSIM deal with Yesim -
Facebook owner Meta signs Texas solar deal with Turkish renewables firm -
UK universities take top four places in European global rankings



























