While most UK firms have lived under GDPR for eight years, a new report reveals that the “Implementation Gap” is widening into a canyon. According to the GDPR Benchmark Report 2025 by GRC Solutions, many organisations remain at a “limited” or “developing” level of maturity when it comes to GDPR compliance.
For sales and operations leaders in the Manufacturing and Construction sectors, this is particularly sobering. These industries are currently recording some of the lowest compliance scores in the country, creating a significant “trust deficit” that could derail 2026 growth plans.
Manufacturing: The GDPR Compliance Weak Link?
The report highlights a staggering lack of awareness within the manufacturing sector. With a score of just 3.9 out of 10 for data subject rights, manufacturing is the lowest-performing industry in the UK for this category.
Many firms in this sector demonstrate weak governance and a failure to implement Personal Information Management Systems (PIMS). Consequently, they are operating with a major blind spot. In an era where the Manufacturing Pipeline is increasingly tied to digital integration and smart factories, this lack of data maturity represents a critical reputational risk.
Construction: The ‘Ad-Hoc’ Trap
Construction firms perform well in basic risk management. Yet they fail almost entirely when it comes to Privacy by Design. The report suggests that many companies still rely on informal, ad-hoc processes.
Why does this matter? Construction projects are becoming more data-heavy, and they involve distributed workforces and complex supply chains, so the “informal” approach no longer cuts it. Without formal responsibility and accountability, these firms are one data breach away from a catastrophic liability.
The Third-Party Assurance Crisis
A recurring theme across all sectors is the failure of due diligence on partners. Louise Brooks, Head of Privacy Consultancy at GRC Solutions, warns that many organisations have “limited assurance” that the data accessed by their partners is handled securely.
“Due diligence on third parties is often lacking. Getting this right reduces the likelihood of incidents and protects organisations from liability.”
Louise Brooks, Head of Privacy Consultancy at GRC Solutions
For any business service provider, being able to prove your GDPR maturity isn’t just a legal requirement; it is a competitive advantage. As we noted in our Data Governance feature, prospects in 2026 are actively choosing vendors who can prove their data is safe.
Three Pillars to Fix the Gap
The report identifies three recurring weaknesses that sales and operations leaders must address immediately:
- Formalise Accountability: Stop treating GDPR as a “side task” for overstretched teams. Assign clear, formal responsibility.
- Invest in Training: Awareness is currently at a low ebb. A disciplined team (see our Self-Discipline for Sales piece) is a team that understands the risks of data handling.
- Implement a PIMS: Don’t wait for a breach to build a system. A risk-based approach to data protection is a non-negotiable scaling engine.
When budgets are tight, compliance is often the first thing to be cut. However, as GRC Solutions points out, this is short-sighted. In a digital economy, Data Protection is Business Protection.
Those who treat GDPR as a “tick-box” exercise in 2026 are leaving the door open for their competitors, and the regulators.



