The General Data Protection Regulation (GDPR) came into effect in May 2018 and is designed to safeguard European Union (EU) citizens' data privacy. The benefits of the regulation to consumers' rights and to regulators' powers are well known. The benefits to regulated businesses are less obvious and under-researched. We conduct exploratory research into understanding the socio-technical impacts and resilience of business in the face of a major new disruptive regulation. In particular, we investigate if GDPR is all pain and no gain. Using semi-structured interviews, we survey 14 senior-level executives responsible for business, finance, marketing, compliance and technology drawn from six companies in the UK and Ireland. We find the threat of fines has focused the corporate mind and made business more privacy aware. Organisationally, it has created new power bases within companies to advocate GDPR. It has forced companies to modernise their platforms and indirectly benefited them with better risk management processes, information security infrastructure and up to date customer databases. Compliance, for some, is used as a reputational signal of trustworthiness. Many implementation challenges remain. New business development and intra-company communication is more constrained. Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and ex-employees weaponise Subject Access Requests (SAR) as a tool of retaliation. All small and medium-sized businesses in our sample see GDPR as overkill and overwhelming. We conclude GDPR may be regarded as a pain by business but it has made it more careful with data. It created a short-term disruption that monopolised IT budgets in the run-up to GDPR and created a long-term disruption to company politics as Compliance and Information Security leverage the regulation for budget and control. The rising trend in the number of fines issued by national data protection regulators and the establishment of new case law will continue to reshape organisations.
CITATION STYLE
Buckley, G., Caulfield, T., & Becker, I. (2022). “It may be a pain in the backside but...” Insights into the resilience of business after GDPR. In ACM International Conference Proceeding Series (pp. 21–34). Association for Computing Machinery. https://doi.org/10.1145/3584318.3584320
Mendeley helps you to discover research relevant for your work.