Authors:

(1) Gerard Buckley, University College London, UK;

(2) Tristan Caulfield, University College London, UK;

(3) Ingolf Becker, University College London, UK.

Abstract and 1. Introduction

  2. Background to the GDPR

  3. Literature Review

    3.1 Consumer awareness and knowledge of the regulation

    3.2 Consumer awareness and knowledge of the regulator

    3.3 Consumer perceptions of privacy

    3.4 Business response to Data Protection regulation

    3.5 Employee awareness of their employer’s Data Protection regulator

    3.6 Employee perception of benefit of the GDPR to their employer

    3.7 The research goal is the consumer/employee perception of the GDPR

    3.8 Summary

  4. Methods

    4.1 Design

    4.2 Data Analysis and 4.3 Ethical considerations

  5. Analysis and Results

    5.1 Background demographics and 5.2 Hypothesis 1: Consumers are aware and knowledgeable about the GDPR

    5.3 Hypothesis 2: Consumers lack awareness and knowledge about the regulator

    5.4 Hypothesis 3: Consumers feel their privacy is better since GDPR was introduced

    5.5 Hypothesis 4: Companies have responded to GDPR and made changes

    5.6 Hypothesis 5: Employees lack awareness of the GDPR regulator at work

    5.7 Hypothesis 6: Employees have seen little benefits to their company from GDPR

    5.8 Research question: GDPR: Is it worth it? and 5.9 A regression model based on the dual professional-consumer perspective

  6. Discussion and 6.1 High consumer awareness and knowledge of the GDPR

    6.2 Respondents lacked a formed opinion and 6.3 GDPR has driven changes

    6.4 Perceptions of privacy have improved and 6.5 The profile of the regulator may not matter

    6.6 Regulator Enforcer and 6.7 GDPR is worth it if...

    6.8 Implications

    6.9 Limitations and future work

  7. Conclusion, Funding and Disclosure Statement, and References

A. Table of Survey Responses

B. Regression Analysis

C. Survey

ABSTRACT

The General Data Protection Regulation (GDPR) remains the gold standard in privacy and security regulation. We investigate how the cost and effort required to implement the GDPR is viewed by workers who have also experienced the regulation’s benefits as citizens: is it worth it? In a multi-stage study, we survey N = 273 & 102 individuals who remained working in the same companies before, during, and after the implementation of the GDPR. The survey finds that participants recognise their rights when prompted but know little about their regulator. They have observed concrete changes to data practices in their workplaces and appreciate the trade-offs. They take comfort that their personal data is handled as carefully as their employers’ client data. The very people who comply with and execute the GDPR consider it to be positive for their company, positive for privacy and not a pointless, bureaucratic regulation. This is rare, as it contradicts the conventional negative narrative about regulation. Policymakers may wish to build upon this public support while it lasts and consider early feedback from a similar dual professional-consumer group as the GDPR evolves.

1 INTRODUCTION

People who were employed before May 2018 and who are still employed by the same organisation will have experienced the impact of the GDPR on their workplace firsthand. They both implement it as employees and benefit from it as consumers. The goal of this study is to understand the unique dual perspective of this group.

The GDPR has been studied from multiple points of view, ranging from the implementation challenges businesses face [10, 37] to the enforcement issues Data Protection Authorities (DPAs) face [11, 24, 33, 43] to the operational realities that consumers face [36]. The European Commission (EC) and professional services firms have surveyed consumers’ awareness of their rights and businesses’ awareness of their obligations. In academia, there have been reactance studies [45] and comparative awareness studies across Europe [42]. Unlike previous perception studies that focused solely on consumers or data professionals, this is the first empirical research into how these informed individuals perceive the cost-benefit of their rights as consumers balanced against the pressures they see it places on their employer to support those rights. Hence our research question—GDPR: Is it worth it?

To exercise their rights, consumers need to be aware, to some extent, of the regulator’s identity, role, and powers. The EC [7, 21, 30, 41] and some DPAs have conducted consumer awareness and confidence surveys but we find little evidence of systematic overt publicity campaigns. We test if our informed citizens know who their regulator is and what they expect of them.

Most business-focused coverage of the GDPR in the media concentrates on data breaches and regulators’ fines [11, 49, 53]. It stresses the deterrence effects of the GDPR sanctions at the expense of any incentive to change or upside for business. If the point of privacy regulation is behaviour change [13, 46], measuring it is difficult. Available data, such as the number of fines, delivers a highly imperfect and incomplete picture of compliance within companies. Instead, we test what GDPR-driven changes have been observed by our respondents within their organisation and if they believe these changes have been net-positive.

At the end of the survey, after making our respondents consider the GDPR from multiple angles, we ask if they feel the GDPR has been worth it. Their answer is important because it cuts to the heart of privacy in the digital age. Without data protection, citizens will arguably be exposed to more profiling, monitoring and mass influencing by digital advertisers and/or the state. We find the informed citizen-consumer does buy into the GDPR, with all its positives and negatives. This has important implications for policymakers and regulators who may wish to learn how to emulate this public support and build on it for future regulation roll-outs.

2 BACKGROUND TO THE GDPR

This section does not aim to give a detailed description of the GDPR. Rather, we focus on the big themes and provide summaries of provisions that are relevant to our area of interest. For a more fundamental introduction, please see Voigt & Bussche 2017 or Hoofnagle et al. 2019. Bear in mind that despite Brexit, the UK GDPR is essentially equivalent to the EU GDPR [20].

Europe has long recognised privacy as a fundamental or human right. Article 8 of the European Convention on Human Rights provides a right to respect for one’s ‘private and family life, his home and his correspondence’, subject to certain restrictions that are ‘in accordance with law’ and ‘necessary in a democratic society’ [18]. In contrast, the Constitution of the United States and the United States Bill of Rights do not explicitly contain a right to privacy. Instead, there is an implied right to privacy derived from penumbras of other explicitly stated constitutional protections [14, 48].

While much of the focus of US law is the home, EU law has taken a wider approach. Where U.S. law may refer broadly to ‘privacy’ or to ‘information privacy’, EU law discusses information privacy as ‘data protection’. In Europe, data protection and the right to privacy are beginning to be viewed as separate. Data protection focuses on the usage, storage and movement of data while privacy preserves the Athenian concept of private and public life [27].

Under the GDPR, companies that use personal data have to follow strict rules called ‘data protection principles’. They must make sure the information is:

- used fairly, lawfully and transparently;

- used for specified, explicit purposes;

- used in a way that is adequate, relevant and limited to only what is necessary;

- accurate and, where necessary, kept up to date;

- kept for no longer than is necessary;

- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

There is stronger legal protection for more sensitive information, such as race, religion, etc. [28].

Under the GDPR, individuals have the right to find out what information the government and other organisations store about them. These include the right to:

- be informed about how their data is being used;

- access personal data;

- have incorrect data updated;

- have data erased;

- stop or restrict the processing of their data;

- data portability (allowing individuals to get and reuse their data for different services);

- object to how their data is processed in certain circumstances.

Individuals also have rights when an organisation is using their personal data for:

- automated decision-making processes (without human involvement);

- profiling, for example to predict behaviour or interests [28].

The direction of these rules is clear: companies will have to take more responsibility for the information they handle and hold, and individuals will be empowered to gain more control over their own data. The following literature review will survey prior works on these two topics and their interplay.

This paper is available on arXiv under the CC BY 4.0 DEED license.