Introduction
Information and communication technologies (ICTs) have made data integral to individuals’ and organizations’ optimal functioning in today’s society. This scenario has created concerns about data privacy, especially following increased data breaches reported by individuals and organizations. Since it is impossible to restrict the usage of ICTs, governments have responded by enacting regulations to manage these technologies and minimize any adverse impacts. The European Union (EU) enacted General Data Protection Regulation (GDPR) to address privacy concerns by establishing a legal framework that governs data usage across the union.
The Problem of GDPR
Generally, any policy that addresses a problem tends to create new problems upon implementation. The EU adopted GDPR in 2016, and it became applicable on 25 May 2018, governing the use of personal data by companies that collect, process, and store the data of individuals in the EU (not only EU citizens). As such, the policy affects EU and non-EU companies that offer goods or services to people in the EU or monitor their behaviour. Many people celebrated the adoption of GDPR, with Viviane Reding, who as Vice President (VP) of the European Commission (EC) had proposed the regulation in 2012, stating that the policy was going to restore trust in digital services (Gibbs, 2016, para. 3). Indeed, data breaches have dented people’s trust in digital services that collect, process, and store personal data. Since coming into effect, GDPR has affected the public and private sectors, including finance, healthcare, hospitality, and transport.
However, there are growing concerns that GDPR has created challenges, confusion, and uncertainty for countries and organizations in the governance and protection of personal data. Layton (2019) highlights ten major problems of GDPR, three of which concern the costs and risks of compliance, increased cybersecurity risks, and threats to innovation and research (p. 2). These problems suggest that the EU’s comprehensive overhaul of personal data governance has proven costly for organizations. Worse, they suggest it has made personal data more vulnerable to breaches. In this respect, it is reasonable to conclude that GDPR has been counterproductive as a legal framework governing personal data.
Data Analysis
To understand the implications of GDPR on people, businesses, and countries, it is important to analyze information relating to the three main problems identified above. This analysis requires searching for information addressing the cost implications of complying with GDPR and information confirming that the reform has increased risks for data breaches.
GDPR Increases Compliance Cost and Risks
Complying with any regulation has financial implications for businesses. However, there are growing concerns that the cost of GDPR compliance is punitive and prohibitive for most businesses in the EU. The International Association of Privacy Professionals (IAPP) (2018) notes that an average EU company must spend approximately three million United States (U.S.) dollars to comply with GDPR (p. 78). This cost is one reason firms outside the EU have been reluctant to adopt the policy as a data governance framework. Even in the EU, only 44 percent of businesses subject to GDPR report full compliance, and 19 percent say full compliance is impossible (IAPP, 2018, pp. 65-66). The cost also has a direct impact on average citizens. Lee-Makiyama (2014), writing while the regulation was still a proposal, estimated that compliance would cost roughly €260 in welfare loss per EU citizen (p. 88). Therefore, while the policy aims to protect citizens’ personal data, it hurts social welfare, which calls its long-term viability into question. According to Davies (2018), independent advertising exchanges have seen their ad demand volumes fall by 20 to 40 percent since the regulation took effect (para. 3). Arguably, these implications are why fewer than half of EU businesses have fully complied with GDPR and why about one in five see no prospect of ever complying. In this light, GDPR is a reform initiative that has proven counterproductive as a legal framework for personal data governance.
Evidence also shows that complying with GDPR exposes organizations to substantial risk because of ambiguous provisions in the law and uncertainty about how data protection authorities will interpret them. According to a report produced on behalf of the EC, EU companies already find it challenging to comply with the various legal rules that govern data collection (Arnaut et al., 2018, p. 4). GDPR adds to this challenge with its own provisions and requirements. For EU and non-EU firms alike, the risk of being found noncompliant means that businesses are likely to be cautious and limit their use of data.
Enhanced Cybersecurity Risks
Cyberattacks are a real and constant threat in today’s interconnected world. Although GDPR aims to strengthen the governance of personal data, there are concerns that it undermines part of the Internet’s operational infrastructure. The Internet Corporation for Assigned Names and Numbers (ICANN) (2018) issued a Temporary Specification that allows registries and registrars to redact personal data from public WHOIS output in order to comply with GDPR (p. 11). ICANN’s previous contractual requirements obliged them to publish this information. Since law enforcement and security researchers use WHOIS registrant data to attribute and disrupt illegal online activity, the redaction weakens that effort: a redacted record still exposes an anonymized contact channel, but timely access to the underlying registrant data depends on each registrar’s disclosure process. As a result, incidents of cyberattacks, identity theft, online espionage, theft of intellectual property, and other illegal activities perpetrated via the Internet are likely to increase.
In essence, GDPR has created a conflict between people’s right to privacy and their right to access information. Hurwitz and Jaffer (2018) suggest that the reform has created a problem of ‘privacy overreach,’ where defending privacy values produces incoherence that undermines the very privacy rights that need defending (p. 2). It is well known that governments sometimes limit individual rights to meet public safety needs, a reality shaped by the increase in violent crime, including terrorism. GDPR therefore not only limits the ability of law enforcement to use personal data to combat crime but also expands opportunities for cybercriminals to access personal data. According to Layton (2019), European policymakers’ rush to demonstrate moral superiority over the U.S. led them to disregard the existential threats to privacy posed by Chinese network hardware manufacturers (para. 4). Indeed, Huawei, ZTE, and Lenovo have a more prominent presence in Europe than in the U.S. In this light, the WHOIS redaction that GDPR has prompted is itself a risk to data privacy. The fear in the U.S. is that hackers working independently or for foreign powers can exploit the change in the Internet’s infrastructure to compromise the security of personal data. U.S. policymakers recognized the problem and limited the exposure of the country’s information systems to Chinese firms.
Threats to Innovation and Research
Despite strengthening personal data security, GDPR raises concerns that it undermines innovation and research. Article 5 of GDPR requires organizations to collect data for specified, legitimate purposes and to limit its use to what is necessary for those purposes (Chivot & Castro, 2019, para. 33). Purpose specification and data minimization are two requirements that significantly restrict using data to innovate or to advance knowledge through research. According to Zarsky (2016), most GDPR requirements are fundamentally incompatible with emerging technologies such as big data, because GDPR requires controllers to disclose the purpose of processing in advance, whereas big data analysis derives its value from purposes that are not known at collection time (p. 1008). This reform initiative therefore creates uncertainty for software engineers, developers, and entrepreneurs because its tenets conflict with how most emerging technologies operate. Generally, scientific advances result from processing diverse information sets in inventive ways. For example, in investigating whether mobile phones cause brain cancer, the Danish Cancer Society followed hundreds of thousands of mobile subscribers by linking subscription records with the National Cancer Registry (Frei et al., 2011, p. 2). As the most comprehensive investigation of its kind conducted to date, the study found no increased risk of brain tumours among mobile phone users. However, the subscription data had not been collected for the purpose of studying cancer risk. Had GDPR been in effect, its purpose-specification requirement would have forced the researchers to rely on the exemption for further processing for scientific research purposes (Article 5(1)(b), subject to the safeguards of Article 89), and the uncertainty about how data protection authorities interpret that exemption is precisely the kind of risk discussed above. In short, GDPR makes it difficult for organizations to use EU residents’ personal data to innovate or to conduct valuable research.
Summary of the Findings
An analysis of sentiments about GDPR reveals a sense of disappointment among scholars, policymakers, and ICT specialists because of its shortcomings. Although Layton (2019) lists ten problems of this reform initiative, this paper has analyzed three: prohibitive cost for organizations, increased cybersecurity risks, and threats to innovation and research (p. 2). These problems can be summarized in one statement: GDPR has created tension between data protection legislation and business models that use personal data as a resource. The first area of tension is cost. As the above analysis has shown, EU companies must spend roughly three million U.S. dollars to comply with GDPR. This cost has led fewer than half of EU businesses to comply fully, with about 20 percent having no plans to comply. The second area of tension is increased cybersecurity risk. By prompting the redaction of WHOIS information, GDPR exposes service companies that process and store personal data to cybersecurity risks. In short, EU businesses and citizens are likely to see increased incidents of cyberattacks, identity theft, online espionage, theft of intellectual property, and other illegal online activities. The third area of tension is restricted innovation and research. The many GDPR requirements are a burden to organizations that are constantly seeking ways to innovate. With evidence showing that most of these requirements are incompatible with emerging technologies, it is reasonable to conclude that GDPR undermines innovation.
In sum, the above areas of tension created by GDPR are a source of uncertainty for EU and non-EU businesses because of a lack of clarity. Businesses must contend with the vagueness of this reform initiative and the difficulty of interpreting its provisions and requirements. They must also deal with EU member states’ reluctance to harmonize their data privacy laws. Lastly, they must navigate an international business environment without clear guidance on international data flows. These realities complicate operations for EU and non-EU firms because they lack clarity about what applies and how they should act. While GDPR regulates personal data broadly, it contradicts other regulations and thus creates tension.
Recommendations
A few years after the launch of GDPR, the EU is at a critical moment where it must rethink the entire personal data regulatory framework. The issues that Layton (2019) highlights, three of which have been analyzed above, confirm the need to reform GDPR and the need for EU businesses to respond proactively to the new regulatory regime. To address the problem of compliance costs and risks, EU firms should improve the efficiency of their compliance with regulations, including GDPR. They should do this by standardizing and automating certain processes with new digital technologies. For example, they can use artificial intelligence (AI) to support repetitive tasks such as responding to data subject requests (DSRs), data mapping, and privacy impact assessments. Through automation, EU firms can make compliance with GDPR and other laws less cumbersome, reducing compliance costs and risks.
To address increased cybersecurity risks, EU businesses should restore public trust by adopting a ‘privacy first’ business model. As data breach threats grow more real every day, consumers demand to know that their personal data is secure from unauthorized access and use and that only they can grant access to it. To satisfy this demand, EU firms should emphasize data privacy in their public relations communications. Most importantly, they should demonstrate their commitment to data privacy by strengthening privacy operations. Rather than continuing to rely on outmoded third-party cookies, businesses should develop new customer data strategies that collect more relevant and better-quality data at lower cost. More importantly, these strategies should assure consumers that their personal data is secure and that they alone control who uses it and how.
To address the threats to innovation and research, policymakers should amend GDPR to allow organizations to repurpose data where doing so poses minimal risk. Such an amendment would enable organizations to experiment and innovate with lawfully collected data by permitting them to repurpose data they have already collected whenever doing so poses no or minimal risk of harm to individuals.
Counterarguments, Caveats, Possible Impediments
Implementing the above recommendations is likely to attract opposition, demands, and other obstacles. The strongest proponents of GDPR are likely to offer counterarguments that may impede the smooth implementation of the recommendations. For example, some have argued that the WHOIS changes prompted by GDPR, including ICANN’s Temporary Specification that allows registries and registrars to redact WHOIS information, are justified (Jelinek, 2018, p. 1). These proponents are likely to give reasons why the policy should not be amended to allow organizations to repurpose data they have already collected. Even if prevailed upon to allow the amendment, they are likely to demand caveats to ensure organizations do not abuse the new privilege. For example, proponents of GDPR are likely to demand a caveat stating that organizations can never transfer data they have collected from one controller to another.
Possible impediments to implementing the recommendations include a lack of infrastructure to adopt AI and other emerging technologies. Despite the opportunities that emerging technologies like AI, big data, and machine learning present, organizations can only benefit by establishing an IT infrastructure that supports them. Therefore, while AI can help automate GDPR compliance and reduce compliance costs and risks, EU firms will not benefit unless they align their IT infrastructure accordingly.
Conclusion
With data becoming integral to people’s and organizations’ daily functioning, governments are legally and morally obligated to establish a regulatory framework that protects personal information. Increased incidents of data breaches are why the EU adopted GDPR and why many countries worldwide have data protection regimes. Despite this noble idea, evidence shows that GDPR has shortcomings that burden organizations and create uncertainty for businesses and the public. The first problem is the compliance costs and risks that businesses must contend with. These realities have left fewer than half of EU businesses fully compliant, with about 20 percent seeing no prospect of ever complying. The second problem, increased cybersecurity risk, raises the concern that regulatory frameworks can undermine the integrity of the Internet and create loopholes for data breaches. By requiring registries and registrars to redact WHOIS information, GDPR interferes with the Internet’s operational infrastructure, which is a significant problem for data privacy. The third problem, the undermining of innovation and research, suggests that GDPR impedes progress because it restricts the use of personal data to advance knowledge and facilitate innovation.
Based on these three shortcomings, it is reasonable to conclude that GDPR has strengthened data privacy but has also proven counterproductive: it has created burdens for EU and non-EU companies and uncertainty for the public, whose data these companies process and store. The solutions to these problems include EU firms improving the efficiency of their regulatory compliance and adopting a ‘privacy first’ business model to cement public trust. Policymakers in the EU and the EC should amend GDPR to allow organizations to repurpose data in order to facilitate innovation and research. While implementing these solutions is likely to attract opposition and encounter impediments, policymakers must remain resolute in preserving the integrity of efforts dedicated to data privacy and protection.
References
Arnaut, C., Pont, M., Scaria, E., Berghmans, A., & Lacoste, S. (2018). Study on data sharing between companies in Europe. European Union.
Chivot, E., & Castro, D. (2019, May 13). The EU needs to reform the GDPR to remain competitive in the algorithmic economy. Center for Data Innovation. https://datainnovation.org/2019/05/the-eu-needs-to-reform-the-gdpr-to-remain-competitive-in-the-algorithmic-economy/
Davies, J. (2018, July 4). ‘The Google Data Protection Regulation’: GDPR is strafing ad sellers. Digiday. https://digiday.com/media/google-data-protection-regulation-gdpr-strafing-ad-sellers/
Frei, P., Poulsen, A. H., Johansen, C., Olsen, J. H., Steding-Jessen, M., & Schüz, J. (2011). Use of mobile phones and risk of brain tumours: Update of Danish cohort study. BMJ, 343, d6387. https://www.bmj.com/content/bmj/343/bmj.d6387.full.pdf
Gibbs, S. (2016, April 14). European parliament approves tougher data privacy rules. The Guardian. https://www.theguardian.com/technology/2016/apr/14/european-parliament-approve-tougher-data-privacy-rules
Hurwitz, J., & Jaffer, J. N. (2018, June 12). Modern privacy advocacy: An approach at war with privacy itself? Regulatory Transparency Project. https://rtp.fedsoc.org/wp-content/uploads/RTP-Cyber-Privacy-Working-Group-Paper-Incoherent-Privacy.pdf
International Association of Privacy Professionals (IAPP). (2018). IAPP-EY annual privacy governance report 2018. EY. https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/financial-services/ey-iapp-ey-annual-privacy-gov-report-2018.pdf
Internet Corporation for Assigned Names and Numbers (ICANN). (2018, May 17). Temporary specification for gTLD registration data. ICANN. https://www.icann.org/en/system/files/files/gtld-registration-data-temp-spec-17may18-en.pdf
Jelinek, A. (2018, April 11). Letter from Andrea Jelinek, Chairperson of the Article 29 Data Protection Working Party, to Göran Marby, President of ICANN. ICANN. https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr18-en.pdf
Layton, R. (2019, February 20). Trump should ignore Chinese manufacturers’ phony promises. Inkl. https://www.inkl.com/news/trump-should-ignore-chinese-manufacturers-phony-promises
Lee-Makiyama, H. (2014). The political economy of data: EU privacy regulation and the international redistribution of its costs. In L. Floridi (Ed.), Protection of information and the right to privacy: A new equilibrium? (pp. 85–94). Springer.
Zarsky, T. Z. (2016). Incompatible: The GDPR in the age of big data. Seton Hall Law Review, 47, 995–1020. https://scholarship.shu.edu/cgi/viewcontent.cgi?article=1606&context=shlr