Buckley, Gerard;
Caulfield, Tristan;
Becker, Ingolf;
(2023)
“It May Be a Pain in the Backside but...” Insights into the Resilience of Business after GDPR.
In:
New Security Paradigms Workshop (NSPW ’22).
ACM: North Conway, NH, USA.
(In press).
Preview |
Text
buckley_it_2022.pdf - Accepted Version Download (560kB) | Preview |
Abstract
The General Data Protection Regulation (GDPR) came into effect in May 2018 and is designed to safeguard European Union (EU) citizens’ data privacy. The benefits of the regulation to consumers’ rights and to regulators’ powers are well known. The benefits to regulated businesses are less obvious and under-researched. We conduct exploratory research into understanding the sociotechnical impacts and resilience of business in the face of a major new disruptive regulation. In particular, we investigate if GDPR is all pain and no gain. Using semi-structured interviews, we survey 14 senior-level executives responsible for business, finance, marketing, compliance and technology drawn from six companies in the UK and Ireland. We find the threat of fines has focused the corporate mind and made business more privacy aware. Organisationally, it has created new power bases within companies to advocate GDPR. It has forced companies to modernise their platforms and indirectly benefited them with better risk management processes, information security infrastructure and up to date customer databases. Compliance, for some, is used as a reputational signal of trustworthiness. Many implementation challenges remain. New business development and intra-company communication is more constrained. Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and ex-employees weaponise Subject Access Requests (SAR) as a tool of retaliation. All small and medium-sized businesses in our sample see GDPR as overkill and overwhelming. We conclude GDPR may be regarded as a pain by business but it has made it more careful with data. It created a short-term disruption that monopolised IT budgets in the run-up to GDPR and created a long-term disruption to company politics as Compliance and Information Security leverage the regulation for budget and control. The rising trend in the number of fines issued by national data protection regulators and the establishment of new case law will continue to reshape organisations.
Type: | Proceedings paper |
---|---|
Title: | “It May Be a Pain in the Backside but...” Insights into the Resilience of Business after GDPR |
Event: | New Security Paradigms Workshop (NSPW ’22) |
Location: | North Conway, NH, USA |
Open access status: | An open access version is available from UCL Discovery |
DOI: | 10.1145/3584318.3584320 |
Publisher version: | https://doi.org/10.1145/3584318.3584320 |
Language: | English |
Additional information: | © The authors 2022 For the purpose of open access, the authors have applied a Creative Commons Attribution (CC BY) licence to this author’s accepted manuscript. The definitive version was published in: ACM ISBN 978-1-4503-9866-4/22/10 DOI: 10.1145/3584318.3584320 |
Keywords: | GDPR, General Data Protection Regulation, GDPR Busi |
UCL classification: | UCL UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/10171462 |
Archive Staff Only
View Item |