The General Data Protection Regulation (GDPR) came into effect
in May 2018 and is designed to safeguard European Union (EU)
citizens’ data privacy. The benefits of the regulation to consumers’
rights and to regulators’ powers are well known. The benefits to
regulated businesses are less obvious and under-researched.
We conduct exploratory research into understanding the sociotechnical impacts and resilience of business in the face of a
major new disruptive regulation. In particular, we investigate if
GDPR is all pain and no gain. Using semi-structured interviews, we
survey 14 senior-level executives responsible for business, finance,
marketing, compliance and technology drawn from six companies
in the UK and Ireland.
We find the threat of fines has focused the corporate mind and
made business more privacy aware. Organisationally, it has created
new power bases within companies to advocate GDPR. It has forced
companies to modernise their platforms and indirectly benefited
them with better risk management processes, information security
infrastructure and up-to-date customer databases. Compliance, for
some, is used as a reputational signal of trustworthiness.
Many implementation challenges remain. New business development and intra-company communication are more constrained.
Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and
ex-employees weaponise Subject Access Requests (SAR) as a tool
of retaliation. All small and medium-sized businesses in our sample
see GDPR as overkill and overwhelming.
We conclude that GDPR may be regarded as a pain by business, but
it has made business more careful with data. It created a short-term disruption that monopolised IT budgets in the run-up to GDPR and
created a long-term disruption to company politics as Compliance
and Information Security leverage the regulation for budget and
control. The rising trend in the number of fines issued by national
data protection regulators and the establishment of new case law
will continue to reshape organisations.