Never one to miss a bandwagon, the European Commission has published three documents to mark the first year of GDPR:

  • a Eurobarometer survey on data protection (Eurobarometer Survey);
  • a multi-stakeholder expert group (MEG Report); and
  • guidance on the free flow of non-personal data within the EU (reported on here).

We set out some of the key findings below.

The Eurobarometer Survey

Following the lead of the ICO, which recently published the results of its own survey into online harms, the Eurobarometer Survey looks at data protection issues in EU member states.

The Eurobarometer Survey was compiled from data gathered from over 27,000 surveys. Around two-thirds of respondents had heard of the GDPR. However, only one-third had both heard of the GDPR and, crucially, knew what it actually was. Respondents in Sweden (63 per cent), the Netherlands (60 per cent), Poland (56 per cent), Denmark (51 per cent), Ireland and the Czech Republic (both 50 per cent) were the most likely to have heard of GDPR and know what it is.

Around three in five respondents knew about their local data protection authority. Respondents in the Netherlands (82 per cent), Latvia (76 per cent), Finland and Sweden (both 74 per cent) were most aware of their local data protection authorities.

Surprisingly, only around three-quarters of respondents use the internet daily. Those that do use the internet are recurrent users of social media and online shopping sites, with around four in five using the internet for those purposes. Just over half of internet users use a social network every day.

Another surprising finding is that around three in five respondents say they read privacy notices. Just under half of internet users claim they read privacy notices in full, while just over one in ten internet users admit to reading privacy notices only in part. The most common reason given for not reading privacy notices in full was their length.

The MEG Report

In contrast to the Eurobarometer Survey, the MEG Report draws on the discussions of interested organisations, experts and other stakeholders. Its findings drill down further into some of the issues around user sentiment raised in the Eurobarometer Survey.

The MEG Report focuses more on the experience of SMEs and the implementation of GDPR. In particular, SMEs have raised concerns about the lack of exceptions available to them under GDPR. SMEs report that legacy information technology systems have made their GDPR compliance difficult and costly to achieve. Similarly, certification mechanisms are not financially attractive to SMEs due to their high cost.

Respondents were also concerned about additional compliance requirements envisaged under the ePrivacy Regulation. Respondents in the telecoms and online services sectors raised the issue of having to repeat compliance steps already taken for GDPR. However, respondents saw the ePrivacy Regulation, together with GDPR, as “important building blocks for restoring confidence of consumers in the digital economy”.

Respondents were generally satisfied with their local data protection authorities, with many highlighting guidance provided as being a great help during the GDPR implementation period. However, companies carrying out business in more than country cited the lack of consistent GDPR application across EU member states as a problem. Respondents stressed the importance of avoiding a fragmented approach to GDPR through local laws.


GDPR’s first birthday anniversary has been a popular time for aggregated analysis across a range of areas including enforcement trends, AI, and user experience online. The Eurobarometer Survey and MEG Report illustrate that GDPR has bedded down relatively well and established itself as a law that most Europeans are aware of. Whether this awareness can be sustained over the next year is worth tracking. Many companies are struggling from privacy fatigue from staff, users, and customers.

For more GDPR anniversary reading (we are not averse to bandwagon-jumping either!), please have a look at our series of thought-pieces. These include what to consider for your GDPR year two to-do list and how some specific industries and sectors have been affected by GDPR’s first year.