“It may be a pain in the backside but...” Insights into the resilience of business after GDPR

Proceedings of the 2022 New Security Paradigms Workshop Pub Date : 2022-10-24 DOI:10.1145/3584318.3584320

G. Buckley, T. Caulfield, Ingolf Becker

{"title":"“It may be a pain in the backside but...” Insights into the resilience of business after GDPR","authors":"G. Buckley, T. Caulfield, Ingolf Becker","doi":"10.1145/3584318.3584320","DOIUrl":null,"url":null,"abstract":"The General Data Protection Regulation (GDPR) came into effect in May 2018 and is designed to safeguard European Union (EU) citizens’ data privacy. The benefits of the regulation to consumers’ rights and to regulators’ powers are well known. The benefits to regulated businesses are less obvious and under-researched. We conduct exploratory research into understanding the socio-technical impacts and resilience of business in the face of a major new disruptive regulation. In particular, we investigate if GDPR is all pain and no gain. Using semi-structured interviews, we survey 14 senior-level executives responsible for business, finance, marketing, compliance and technology drawn from six companies in the UK and Ireland. We find the threat of fines has focused the corporate mind and made business more privacy aware. Organisationally, it has created new power bases within companies to advocate GDPR. It has forced companies to modernise their platforms and indirectly benefited them with better risk management processes, information security infrastructure and up to date customer databases. Compliance, for some, is used as a reputational signal of trustworthiness. Many implementation challenges remain. New business development and intra-company communication is more constrained. Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and ex-employees weaponise Subject Access Requests (SAR) as a tool of retaliation. All small and medium-sized businesses in our sample see GDPR as overkill and overwhelming. We conclude GDPR may be regarded as a pain by business but it has made it more careful with data. It created a short-term disruption that monopolised IT budgets in the run-up to GDPR and created a long-term disruption to company politics as Compliance and Information Security leverage the regulation for budget and control. The rising trend in the number of fines issued by national data protection regulators and the establishment of new case law will continue to reshape organisations.","PeriodicalId":383761,"journal":{"name":"Proceedings of the 2022 New Security Paradigms Workshop","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2022 New Security Paradigms Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3584318.3584320","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

The General Data Protection Regulation (GDPR) came into effect in May 2018 and is designed to safeguard European Union (EU) citizens’ data privacy. The benefits of the regulation to consumers’ rights and to regulators’ powers are well known. The benefits to regulated businesses are less obvious and under-researched. We conduct exploratory research into understanding the socio-technical impacts and resilience of business in the face of a major new disruptive regulation. In particular, we investigate if GDPR is all pain and no gain. Using semi-structured interviews, we survey 14 senior-level executives responsible for business, finance, marketing, compliance and technology drawn from six companies in the UK and Ireland. We find the threat of fines has focused the corporate mind and made business more privacy aware. Organisationally, it has created new power bases within companies to advocate GDPR. It has forced companies to modernise their platforms and indirectly benefited them with better risk management processes, information security infrastructure and up to date customer databases. Compliance, for some, is used as a reputational signal of trustworthiness. Many implementation challenges remain. New business development and intra-company communication is more constrained. Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and ex-employees weaponise Subject Access Requests (SAR) as a tool of retaliation. All small and medium-sized businesses in our sample see GDPR as overkill and overwhelming. We conclude GDPR may be regarded as a pain by business but it has made it more careful with data. It created a short-term disruption that monopolised IT budgets in the run-up to GDPR and created a long-term disruption to company politics as Compliance and Information Security leverage the regulation for budget and control. The rising trend in the number of fines issued by national data protection regulators and the establishment of new case law will continue to reshape organisations.

查看原文本刊更多论文

“这可能会让你很痛苦，但是……”洞察GDPR后的商业弹性

《通用数据保护条例》(GDPR)于2018年5月生效，旨在保护欧盟(EU)公民的数据隐私。监管对消费者权利和监管机构权力的好处是众所周知的。对受监管企业的好处不那么明显，研究也不够充分。我们进行探索性研究，以了解企业在面对重大的新颠覆性监管时的社会技术影响和弹性。特别是，我们调查GDPR是否只会带来痛苦而没有收获。通过半结构化访谈，我们调查了来自英国和爱尔兰6家公司的14位负责商业、财务、营销、合规和技术的高管。我们发现，罚款的威胁让企业集中了注意力，让企业更加注重隐私。在组织上，它在公司内部创造了新的权力基础来倡导GDPR。它迫使企业对其平台进行现代化改造，并间接受益于更好的风险管理流程、信息安全基础设施和最新的客户数据库。对一些人来说，合规被用作可信赖的声誉信号。许多实施方面的挑战依然存在。新业务开发和公司内部沟通受到更多限制。监管增加了成本和内部官僚主义。由于缺乏判例法，灰色地带仍然存在。心怀不满的客户和前雇员将主题访问请求(SAR)作为报复的武器。在我们的样本中，所有中小型企业都认为GDPR是过度杀伤和压倒性的。我们的结论是，GDPR可能被企业视为一种痛苦，但它使企业对数据更加谨慎。它造成了短期的破坏，在GDPR出台之前垄断了It预算，并对公司政治造成了长期的破坏，因为合规和信息安全部门利用该法规进行预算和控制。各国数据保护监管机构开出的罚单数量不断上升的趋势，以及新判例法的建立，将继续重塑企业组织。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2022 New Security Paradigms Workshop

自引率

0.00%

发文量