GDPR Benchmark Report 2025: UK organisations show persistent gaps in privacy by design and accountability


GRC Solutions has published its GDPR Benchmark Report 2025, analysing GDPR gap-assessment data from more than 60 organisations across eight sectors. The findings reveal significant and persistent weaknesses in UK GDPR compliance, particularly in privacy by design and core data handling controls, despite the Regulation entering its eighth year of enforcement.

The report evaluates performance across nine GDPR control areas. These include governance, risk management, information security management system (ISMS) maturity, privacy by design, defined roles and responsibilities, personal information management system (PIMS) implementation and data subject rights; scope of compliance and training and awareness also feature in the sector results. Scores show that many organisations remain at a “limited” or “developing” level of assurance, with sector-specific challenges driving uneven levels of maturity.

“Due diligence on third parties is often lacking, which means organisations have limited assurance that any personal data accessed by those partners will be handled securely. Getting this right clarifies roles and responsibilities, reduces the likelihood of incidents and personal data breaches and protects organisations from liability.” – Louise Brooks, Head of Privacy Consultancy at GRC Solutions

Technology leads; most other sectors lag behind

Technology companies outperform all other sectors, with comparatively stronger governance, information security controls and more established privacy and compliance functions. Widespread adoption of ISO 27001 and ISO 27701, combined with dedicated in-house expertise and a culture of continual improvement, supports their higher level of compliance maturity.

However, even in this sector, privacy by design falls into the “developing” range, highlighting a UK-wide struggle to integrate data protection into product and system design from the outset.

Construction and manufacturing show limited GDPR maturity

Construction companies perform well in governance, risk management and ISMS maturity but score among the lowest in privacy by design, PIMS and data subject rights. Many organisations continue to rely on informal, ad hoc processes, often justified by distributed workforces and low volumes of consumer data.

Manufacturing organisations demonstrate low awareness of GDPR obligations, with weak scores for governance, scope of compliance, PIMS and privacy by design. The sector records the lowest score of all industries – 3.9 out of 10 – for data subject rights, representing a major regulatory and reputational risk.

Finance and health: regulated industries with surprising gaps

Although finance and health are heavily regulated sectors, both exhibit “limited” or “developing” scores across several core GDPR control areas.

In finance, GDPR responsibilities are often absorbed into overstretched compliance teams, resulting in low scores for privacy by design, PIMS and training. While risk management and data subject rights are comparatively strong, many organisations continue to deprioritise GDPR relative to FCA-regulated obligations.

Health sector organisations show particularly low scores for scope of compliance despite extensive handling of sensitive health data. This is often driven by weak contract management, unclear controller/processor roles and inadequate due diligence on third parties.

Hospitality, retail and the public/non-profit sector continue to struggle

The hospitality and retail sector shows highly variable performance, with a handful of strong performers masking generally low scores across governance, risk management and privacy by design. Many organisations still perceive the GDPR as something that applies only to large enterprises, despite processing high volumes of consumer data.

Commenting on the results, Louise Brooks added:
“This sector often performs well in respect of data subject rights because it is viewed as a strategic risk-mitigation measure. When interactions with individuals are well-managed, they are less likely to escalate issues to supervisory authorities, reducing regulatory risk.”

The public and non-profit sector records some of the lowest scores in the report, particularly for ISMS maturity. With 30% of UK charities experiencing a cyber attack in the past year,* the sector’s continued underinvestment in information security poses a critical risk.

A call for structured, risk-based compliance

Across all sectors, the report identifies three recurring weaknesses:

Lack of formal responsibility and accountability for GDPR activities

Insufficient training and awareness

Poorly implemented or non-existent PIMS programmes

GRC Solutions recommends that organisations adopt a risk-based approach to data protection compliance, ensuring that adequate funding is maintained even during periods of financial pressure.

Brooks added:
“When resources are limited, we often see organisations cut compliance budgets first, but this is short-sighted. Data protection and information security compliance have never been more important.”

The full GDPR Benchmark Report 2025 is available now at grcsolutions.io.

ENDS

*Source: UK Government Cyber Security Breaches Survey 2025