UK organisations still falling short on GDPR compliance, benchmark report finds
John E. Kaye

Analysis of more than 60 organisations shows widespread gaps in privacy by design, accountability and data subject rights across multiple sectors
UK organisations continue to show significant weaknesses in core data protection practices, particularly in privacy by design and accountability, according to a new study.
The GDPR Benchmark Report 2025, published by GRC Solutions, analyses GDPR gap-assessment data from more than 60 organisations across eight sectors.
Despite the General Data Protection Regulation entering its eighth year of enforcement, many organisations were found to remain at a “limited” or “developing” level of assurance across key control areas.
The report evaluates performance across nine GDPR control areas including governance, risk management, information management system maturity, defined roles and responsibilities, personal information management system (PIMS) implementation and data subject rights.
Technology companies outperform other sectors, supported by widespread adoption of ISO 27001 and ISO 27701, in-house expertise and established privacy and compliance functions.
Even in this sector, however, privacy by design remains in the “developing” range, suggesting ongoing difficulty in embedding data protection into systems and products at the design stage.
Construction and manufacturing show among the lowest levels of GDPR maturity. Construction organisations score well in governance and risk management but perform poorly in privacy by design, PIMS and data subject rights. Manufacturing records the lowest sector score in the report, with 3.9 out of 10 for data subject rights.
Heavily regulated sectors also show gaps. In finance, GDPR responsibilities are often absorbed into broader compliance functions, resulting in weak scores for privacy by design, PIMS and training, despite stronger performance in risk management and data subject rights. And health sector organisations show low scores for scope of compliance, often linked to weak contract management and limited due diligence on third parties.
Hospitality, retail and public and non-profit organisations also continue to struggle, according to the findings. Performance in hospitality and retail is described as highly variable, while the public and non-profit sector records some of the lowest scores in the report for information management system maturity.
Citing the UK Government Cyber Security Breaches Survey 2025, the report adds that nearly a third (30 per cent) of UK charities experienced a cyber attack in the past year.
Across all sectors, the report identifies three recurring weaknesses: lack of formal responsibility and accountability for GDPR activities, insufficient training and awareness, and poorly implemented or non-existent PIMS programmes.
Louise Brooks, the Head of Privacy Consultancy at GRC Solutions, said: “Due diligence on third parties is often lacking which means organisations have limited assurance that any personal data accessed by those partners will be handled securely.
“Getting this right clarifies roles and responsibilities, reduces the likelihood of incidents and personal data breaches and protects organisations from liability.”
She added: “When resources are limited, we often see organisations cut compliance budgets first but this is short-sighted. Data protection and information security compliance have never been more important.”
Main image: Element5 Digital/Pexels