A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

A survey conducted in April and May 2023 among companies that do business in the European Union and the United Kingdom (UK) found that over half of the respondents, 53 percent, felt very prepared for the General Data Protection Regulation (GDPR). A further 35 percent of the companies believed they were moderately prepared, while 10 percent said they were slightly ready to comply with the EU and UK privacy legislations.

As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.

This dataset is a central catalogue of Data Protection Impact Assessments (DPIAs) of smart city projects that collect personal information in public spaces. By publishing this in one place for the first time, it will enable public transparency and support good practice among operators. A DPIA helps to identify and minimise the risks of a project that uses personal data. Further information: DPIA registration form: https://www.london.gov.uk/dpia-register-form Information Commissioner DPIA: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

Between 2018 and 2022, there has been a significant increase in the level of awareness around the General Data Protection Regulation (GDPR) among European users. In 2018, when the GDPR was first applied, the United Kingdom had the highest level of awareness, with 32 percent of respondents agreeing or strongly agreeing with the statement: "I am aware of the new General Data Protection Regulation (GDPR) that will be introduced in May 2018". In 2022, the share of UK respondents agreeing with the statement increased to 73 percent. France had the lowest level of awareness in 2018, 20 percent, whereas in 2022 it reached 47 percent but remained the lowest among other European markets.

Whilst this some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR. The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, fines have been issued for several types of violations. As of February 2025, the most significant share of penalties was due to companies' non-compliance with general data processing principles. This violation has led to over 2.4 billion euros worth of fines.

BackgroundThe COVID-19 pandemic brought global disruption to health, society and economy, including to the conduct of clinical research. In the European Union (EU), the legal and ethical framework for research is complex and divergent. Many challenges exist in relation to the interplay of the various applicable rules, particularly with respect to compliance with the General Data Protection Regulation (GDPR). This study aimed to gain insights into the experience of key clinical research stakeholders [investigators, ethics committees (ECs), and data protection officers (DPOs)/legal experts working with clinical research sponsors] across the EU and the UK on the main challenges related to data protection in clinical research before and during the pandemic.Materials and methodsThe study consisted of an online survey and follow-up semi-structured interviews. Data collection occurred between April and December 2021. Survey data was analyzed descriptively, and the interviews underwent a framework analysis.Results and conclusionIn total, 191 respondents filled in the survey, of whom fourteen participated in the follow-up interviews. Out of the targeted 28 countries (EU and UK), 25 were represented in the survey. The majority of stakeholders were based in Western Europe. This study empirically elucidated numerous key legal and ethical issues related to GDPR compliance in the context of (cross-border) clinical research. It showed that the lack of legal harmonization remains the biggest challenge in the field, and that it is present not only at the level of the interplay of key EU legislative acts and national implementation of the GDPR, but also when it comes to interpretation at local, regional and institutional levels. Moreover, the role of ECs in data protection was further explored and possible ways forward for its normative delineation were discussed. According to the participants, the pandemic did not bring additional legal challenges. Although practical challenges (for instance, mainly related to the provision of information to patients) were high due to the globally enacted crisis measures, the key problematic issues on (cross-border) health research, interpretations of the legal texts and compliance strategies remained largely the same.

BackgroundThe COVID-19 pandemic brought global disruption to health, society and economy, including to the conduct of clinical research. In the European Union (EU), the legal and ethical framework for research is complex and divergent. Many challenges exist in relation to the interplay of the various applicable rules, particularly with respect to compliance with the General Data Protection Regulation (GDPR). This study aimed to gain insights into the experience of key clinical research stakeholders [investigators, ethics committees (ECs), and data protection officers (DPOs)/legal experts working with clinical research sponsors] across the EU and the UK on the main challenges related to data protection in clinical research before and during the pandemic.Materials and methodsThe study consisted of an online survey and follow-up semi-structured interviews. Data collection occurred between April and December 2021. Survey data was analyzed descriptively, and the interviews underwent a framework analysis.Results and conclusionIn total, 191 respondents filled in the survey, of whom fourteen participated in the follow-up interviews. Out of the targeted 28 countries (EU and UK), 25 were represented in the survey. The majority of stakeholders were based in Western Europe. This study empirically elucidated numerous key legal and ethical issues related to GDPR compliance in the context of (cross-border) clinical research. It showed that the lack of legal harmonization remains the biggest challenge in the field, and that it is present not only at the level of the interplay of key EU legislative acts and national implementation of the GDPR, but also when it comes to interpretation at local, regional and institutional levels. Moreover, the role of ECs in data protection was further explored and possible ways forward for its normative delineation were discussed. According to the participants, the pandemic did not bring additional legal challenges. Although practical challenges (for instance, mainly related to the provision of information to patients) were high due to the globally enacted crisis measures, the key problematic issues on (cross-border) health research, interpretations of the legal texts and compliance strategies remained largely the same.

In September 2024, the Irish Data Protection Commission fined Meta Ireland 91 million euros after passwords of social media users were stored in 'plaintext' on Meta's internal systems rather than with cryptographic protection or encryption. In May 2023, the EU fined Meta 1.2 billion euros for violating laws on digital privacy and putting the data of EU citizens at risk through Facebook's EU-U.S. data transfers. European privacy legislation is seen as being far stricter than American privacy law, and the sending of EU citizens’ data to the United States resulted in the record breaking penalty being issued to the tech giant. In January 2023, after it was discovered that Meta Platforms had improperly required that users of Facebook, Instagram, and WhatsApp accept personalized adverts to use the platforms, the company was issued a 390 million euro fine by the European Commission. EU regulators claim that the social media giant broke the General Data Protection Regulation (GDPR) by including the demand in its terms of service. In addition, Meta was fined 405 million euros by the Irish Data Protection Commission (DPC) in September 2022 for violating Instagram's children's privacy settings. In November 2022, the DPC fined Meta a further 265 million euros for failing to protect their users from data scraping. GDPR violations in 2022 Social media sites and companies are not the only types of online services upon which users' data can potentially be compromised. In 2022, the online service with the biggest fine for violating GDPR was e-commerce and digital powerhouse Amazon, which was issued a 746 million euro fine. Furthermore, in December 2021, Google was penalized 90 million euros for GDPR violations. What are the most common GDPR violations? Since GDPR went into effect in May 2018, fines have been imposed for a variety of reasons. As of June 2022, companies' non-compliance with general data processing principles accounted for the largest share of fines, resulting in over 845 million euros worth of penalties. Insufficient legal basis for data processing was the second most common violation, amounting to 447 million euros in fines.

GDPR Services Market size was valued at USD 1.6 Billion in 2024 and is projected to reach USD 7.3 Billion by 2031, growing at a CAGR of 22.45% from 2024 to 2031.

Global GDPR Services Market Drivers

Increased Regulatory Enforcement: Stricter enforcement of the GDPR by regulatory authorities has increased the pressure on organizations to comply with its provisions. Data Breaches and Fines: The significant fines imposed on organizations that violate GDPR have raised awareness of the risks associated with non-compliance. Consumer Awareness and Data Privacy Concerns: Consumers are becoming more aware of their data privacy rights and are demanding greater transparency and control over their personal information.

Global GDPR Services Market Restraints

High Costs: Implementing GDPR compliance measures can be expensive, particularly for small and medium-sized enterprises. Complexity and Overwhelm: The GDPR is a complex regulation, and organizations may struggle to understand and implement all its requirements. Lack of Internal Expertise: Many organizations may lack the necessary in-house expertise to ensure GDPR compliance.

I can confirm that we do hold information on the names and General Medical Council (GMC) numbers for independent medical assessors. Please note that this response does not relate to a specific claim or claimant. The request is being answered more generally given requests under FOIA are requester-blind, that is to say the identity of the requester is not taken into account when considering a request for information under FOIA. We consider the name and GMC number to be personal data under the Data Protection Act 2018. Disclosure of their names or GMC numbers would result in their identification when entered into the GMC public register. Please be aware that I have decided not to release the names and GMC numbers of the independent medical assessors as this information falls under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. As the requested information would allow an independent medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: A. it is not fair to disclose their personal details to the world and is likely to cause damage or distress. B. these details are not of sufficient interest to the public to warrant an intrusion into their privacy. The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the independent medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the independent medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify them, there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40 Qualifications and experience The NHSBSA does not hold information on the independent medical assessors' qualifications. This is because their medical qualifications and experience are the responsibility of the third-party medical assessment supplier. I hope, however, that the following information provides reassurance on this point: All claims are assessed by the independent medical assessment company with a consistent approach. Each case is considered on its own merits, by an experienced independent medical assessor. The contract with our supplier does not require them to tell us details of their qualifications or their experience.

Key Features:

Extensive Global Coverage: Our database spans across multiple countries and industries, offering a diverse and extensive collection of decision makers. Reach out to key professionals worldwide and expand your business horizons.

Comprehensive Contact Details: Gain access to essential contact information, including names, job titles, email addresses, phone numbers, and company affiliations. Connect with the right individuals and nurture valuable business relationships.

GDPR Compliance: We prioritize data privacy and strictly adhere to the General Data Protection Regulation (GDPR) guidelines. Rest assured that our B2B Contact Database is GDPR compliant, ensuring the protection of personal and sensitive information.

Data De-identification and Pseudonymity Software Market Outlook

The global data de-identification and pseudonymity software market is projected to grow significantly, reaching approximately USD 4.2 billion by 2032, driven primarily by increasing data privacy concerns and stringent regulatory requirements worldwide.

The primary growth factor in the data de-identification and pseudonymity software market is the surge in data breaches and cyber-attacks. With the exponential increase in data generation, organizations are more vulnerable to data breaches and unauthorized access. These security concerns have prompted businesses and governments to invest heavily in robust data protection solutions. Data de-identification and pseudonymity software provide a secure way to anonymize sensitive information, making it less susceptible to malicious activities. As data protection laws become more rigorous, the demand for such technologies will continue to rise, further propelling market growth.

Another significant factor contributing to market growth is the growing awareness and emphasis on data privacy among consumers. In recent years, consumers have become increasingly aware of how their data is being used and the potential risks associated with data misuse. This heightened awareness has put pressure on organizations to adopt comprehensive data protection measures. Data de-identification and pseudonymity software offer a means to protect personal information while still allowing organizations to utilize data for analytics and decision-making. This dual benefit is a key driver for the adoption of these technologies across various sectors.

Moreover, regulatory compliance is a crucial driver for the market. Regulations such as the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and various other data protection laws worldwide mandate stringent measures for data protection. Non-compliance can result in hefty fines and legal repercussions. Therefore, organizations are increasingly adopting data de-identification and pseudonymity software to ensure compliance with these regulations. The need for regulatory compliance is expected to sustain market growth in the foreseeable future.

Regionally, North America currently dominates the global data de-identification and pseudonymity software market, accounting for the largest market share. This is attributed to the presence of major technology players, stringent data protection regulations, and high adoption rates of advanced technologies in the region. Europe follows closely, with significant market contributions from countries such as Germany, France, and the UK, driven by robust regulatory frameworks like GDPR. The Asia Pacific region is also expected to witness substantial growth, fueled by rapid digitalization, increasing cybersecurity threats, and growing awareness about data privacy in countries like China, India, and Japan.

Data Masking Tools play a pivotal role in enhancing the security framework of organizations by providing an additional layer of protection for sensitive information. These tools are designed to obscure specific data within a dataset, ensuring that unauthorized users cannot access or decipher the original information. As businesses increasingly rely on data-driven insights, the need for robust data masking solutions becomes more critical. By employing data masking tools, organizations can safely share data across departments or with third-party vendors without compromising privacy. This capability is especially beneficial in industries such as healthcare and finance, where data privacy is paramount. The integration of data masking tools with existing data protection strategies can significantly reduce the risk of data breaches and ensure compliance with regulatory standards.

Component Analysis

The data de-identification and pseudonymity software market can be segmented by component into software and services. The software segment is anticipated to hold the lion's share due to the increasing adoption of data protection solutions across various industries. Software solutions provide automated tools for anonymizing and pseudonymizing data, ensuring compliance with regulatory standards. These solutions are essential for organizations aiming to mitigate the risks associated with data breaches and unauthorized access. As cyber threats continue to evolve, the demand for advanced software solutions is exp

I can confirm that we do hold the requested information however, we consider the name and General Medical Council (GMC) number to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. As the requested information would allow a medical assessor to be identified, I consider this information is exempt under section 40(2) and 40(3A)(a) of the FOIA (personal information). This is because it would breach the first data protection principle as: a) it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the medical assessor or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet that interest and finally, the disclosure must not cause unwarranted harm. In this case we do not have the consent of the medical assessor to disclose their personal information. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest in disclosing the information against the rights and freedoms of the medical assessor. Having reviewed the information you have provided I acknowledge that you have a legitimate interest in disclosure of the information. However, I agree with the previous decision that disclosure of the requested information would cause unwarranted harm. Whilst I acknowledge your comments on this, disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information would not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full - https://www.legislation.gov.uk/ukpga/2000/36/section/40

GDPR Solutions Market size is growing at a faster pace with substantial growth rates over the last few years and is estimated that the market will grow significantly in the forecasted period i.e. 2021 to 2028.

Global GDPR Solutions Market Drivers

The market drivers for the GDPR Solutions Market can be influenced by various factors. These may include:

Growing Concerns About Data Privacy: In order to ensure compliance with data protection requirements, there is an increased need for GDPR solutions due to growing consumer and company awareness of data privacy. Tight Regulating Guidelines: Organizations are compelled to provide comprehensive solutions in order to avoid significant fines and legal penalties resulting from the global application of GDPR and related data protection legislation. An increase in cybersecurity threats and data breaches: In order to safeguard personal data and uphold customer confidence, businesses must adopt strong GDPR solutions due to the growing frequency and complexity of data breaches. Cloud adoption and digital transformation: The requirement for GDPR solutions to manage and safeguard data across multiple platforms and environments has increased due to the broad adoption of cloud services and digital transformation projects. Demands for Control and Transparency of Data: Organizations are being forced to implement GDPR solutions that offer procedures for data access, correction, and deletion as a result of consumer demands for increased transparency and control over their personal data. Extending the Range of Data Processing and Collection:The deployment of GDPR solutions is required to secure data privacy and compliance due to the exponential development in data collecting and processing activities driven by technologies such as IoT, AI, and big data analytics. Managing Reputational Risk: Businesses are adopting GDPR solutions at a faster rate as they realize how crucial it is to preserve their reputation by proving that they are compliant. The necessity of effective data management techniques: GDPR solutions facilitate the streamlining of an organization's data management procedures while guaranteeing that data is correctly classified, preserved, and safeguarded in compliance with legal requirements. Globalization of Enterprises: Businesses must abide by numerous data protection laws, including GDPR, as they grow internationally. This has increased demand for all-inclusive GDPR solutions that meet different regulatory needs. Technological Progress: Advances in GDPR solutions, such AI-driven analytics, automated compliance tools, and sophisticated encryption technologies, are increasing the efficacy and efficiency of data security initiatives and driving market expansion.