The European General Data Protection Regulation and Competitiveness of Firms.

Author: Bandyopadhyay, Soumava


The European Union's (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The GDPR has created a new set of standardized rules for consumer protection and is designed to ensure privacy and data minimization (Kho, 2018). It is the strictest and most comprehensive consumer data protection law in the world. The GDPR was adopted by the European Parliament in April 2016 (to be effective from May 25, 2018) and replaces the EU Data Protection Directive of 1995 (Rotenberg & Jacobs, 2013; Kho, 2018). The previous law was codified at a time when less than 1% of Europeans used the internet (Kho, 2018). By 2017, internet penetration in the EU had soared to over 85 percent (Internet World Stats, 2018). As the number of internet users and the volume of e-commerce have grown, companies have increased the amount of information they gather from consumers. Marketers across the board now collect detailed individual-level information to profile consumers and increase the efficiency and effectiveness of their marketing strategies. It is now virtually impossible for consumers to transact business online without revealing personal information (Rust, Kannan, & Peng, 2002). In addition, consumers' personal information can be obtained involuntarily through cookies that track people's online surfing behavior (Pierson & Heyman, 2011). Vast amounts of individual information can be collected very easily over the internet, and digital networks can link all this private information in databases (Caruso, 1998). This information can then be bought, sold, and traded, possibly without the consumers' permission, which heightens consumers' concerns about having to reveal personal information online and about the ways in which such information might be used (Yao, Rice, & Wallis, 2007; Ohm, 2010; Fletcher, 2003).
Such concerns range from the intrusion on one's privacy and being targeted with unsolicited advertisements to the potential hassles resulting from online identity theft. Against this backdrop, Europe has tried to stay at the forefront of data privacy, and in 2012 the EU announced that it would work toward a revised, unified data protection policy for all member states (Rotenberg & Jacobs, 2013; Kho, 2018). The GDPR is the final outcome of the effort to protect all EU citizens from privacy and data breaches in an increasingly data-driven world (, 2018), and it has profound implications for how companies handle consumer data.

The purpose of this paper is to examine the key provisions of the GDPR and to assess its impact on firms. We explore how corporate practices will need to be modified, the challenges of compliance, and the eventual impact on firm competitiveness.


The GDPR specifies six general data protection principles: fairness and lawfulness, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality (Goddard, 2017). These principles translate into the following key provisions (Rotenberg & Jacobs, 2013; Goddard, 2017; Alvarez, 2017; McCallister, Zanfir-Fortuna, & Mitchell, 2018; Kho, 2018;, 2018):

1) Privacy by design: Measures to protect personal data must be built in from the outset of system design, rather than added as an afterthought.

2) Data minimization: Data controllers at firms must collect, hold, and process only the amount of personal data that has been consented to and is absolutely necessary to achieve a specific purpose. Such data should also be stored only as long as necessary. Consent of the person whose personal data is involved must be obtained in written, electronic, or verbal form (rather than implied), and that consent can be withdrawn at any time.

3) Breach notification: In the event of a personal data breach, companies must notify the supervising authority in a member state within 72 hours of becoming aware of the event. If that time frame is not met, a reasonable justification for the delayed notification must be given. The affected individuals must also be notified "without delay." An exemption from such notification is granted if the breach is not likely to result in a risk to the rights and freedoms of individuals.

4) Appointment of a Data Protection Officer (DPO): Organizations that handle large amounts of personal data are required to appoint a Data Protection Officer (DPO), who is responsible for overseeing the firm's data protection strategy and its implementation and for ensuring compliance with GDPR requirements.

The key provisions described above translate into the following rights...

