The purpose of this paper is to examine the key provisions of the GDPR and to assess its impact on firms. We will explore how corporate actions will need to be modified, the challenges to compliance, and the eventual impact on firm competitiveness.
KEY PROVISIONS OF THE GDPR
The GDPR (Article 5(1)) specifies six general data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality (Goddard, 2017). Article 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability). These principles translate into the following key provisions (Rotenberg & Jacobs, 2013; Goddard, 2017; Alvarez, 2017; McCallister, Zanfir-Fortuna, & Mitchell, 2018; Kho, 2018; EUGDPR.org, 2018):
1) Privacy by design: Measures to protect personal data must be built in from the outset of system design, rather than added as an afterthought. The Regulation (Article 25) frames this as "data protection by design and by default": by default, only the personal data necessary for each specific purpose should be processed, and this applies to the amount of data collected, the extent of processing, the retention period, and who can access the data.
2) Data minimization: Data controllers must collect, hold, and process only personal data that is adequate, relevant, and limited to what is necessary for a specified, explicit purpose, and must retain it only as long as that purpose requires. Where the processing relies on consent (one of the six lawful bases in Article 6, alongside, for example, contract and legal obligation), the consent must be freely given, specific, informed, and unambiguous, expressed by a statement or a clear affirmative action, whether written, electronic, or oral. Silence, pre-ticked boxes, or inactivity do not constitute consent. Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it.
3) Breach notification: In the event of a personal data breach, the controller must notify the competent supervisory authority in a member state without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the 72-hour deadline is not met, the notification must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected individuals must also be notified without undue delay. Regardless of whether notification is required, the controller must document every personal data breach, including its facts, effects, and the remedial action taken, so that the supervisory authority can verify compliance.
4) Appointment of a Data Protection Officer (DPO): Organizations must appoint a DPO when they are public authorities or bodies, when their core activities involve regular and systematic monitoring of individuals on a large scale, or when their core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions. The DPO oversees the firm's data protection strategy and its implementation, monitors compliance with GDPR requirements, serves as the contact point for the supervisory authority, and must be able to act independently and report to the highest level of management.
The key provisions described above translate into the following rights...