GDPR: Is it worth it? Perceptions of workers who have experienced its implementation

2405.10225


Published 5/17/2024 by Gerard Buckley, Tristan Caulfield, Ingolf Becker


Abstract

The General Data Protection Regulation (GDPR) remains the gold standard in privacy and security regulation. We investigate how the cost and effort required to implement GDPR is viewed by workers who have also experienced the regulations' benefits as citizens: is it worth it? In a multi-stage study, we survey N = 273 & 102 individuals who remained working in the same companies before, during, and after the implementation of GDPR. The survey finds that participants recognise their rights when prompted but know little about their regulator. They have observed concrete changes to data practices in their workplaces and appreciate the trade-offs. They take comfort that their personal data is handled as carefully as their employers' client data. The very people who comply with and execute the GDPR consider it to be positive for their company, positive for privacy and not a pointless, bureaucratic regulation. This is rare as it contradicts the conventional negative narrative about regulation. Policymakers may wish to build upon this public support while it lasts and consider early feedback from a similar dual professional-consumer group as the GDPR evolves.


Overview

  • This study investigates how employees view the costs and benefits of implementing the General Data Protection Regulation (GDPR) - a leading privacy and security regulation.
  • The researchers surveyed individuals who worked at the same companies before, during, and after GDPR implementation to understand their perspectives.
  • The findings suggest that employees recognize the value of GDPR, appreciate the changes it has brought, and view it as beneficial for their companies and for privacy protection.

Plain English Explanation

The General Data Protection Regulation (GDPR) is a set of rules created by the European Union to protect people's personal information. Many companies had to change how they handled data to follow these rules. This study looked at how employees feel about the costs and benefits of implementing GDPR.

The researchers surveyed people who worked at the same companies before, during, and after GDPR was put in place. They wanted to understand if the employees saw GDPR as a good thing or a waste of time and money.

The survey found that the employees recognized their rights under GDPR, but they didn't know much about the government agency that enforces it. They could see that their workplaces made real changes to how they handled data, and the employees appreciated the tradeoffs involved. The employees felt reassured that their personal data was being protected as carefully as their company's client data.

Overall, the people who have to follow and implement GDPR in their jobs actually see it as a positive thing for their companies and for protecting people's privacy. This is surprising, as regulations are often seen as a burden by the people who have to comply with them.

The researchers suggest that policymakers should build on this public support for GDPR as it continues to evolve. They should also consider getting early feedback from a similar group of people who are both professionals and regular citizens when making changes to the regulation.

Technical Explanation

The researchers conducted a multi-stage study to understand how employees view the costs and efforts required to implement the GDPR. They surveyed a total of 375 individuals (N=273 and N=102) who remained working at the same companies before, during, and after the GDPR implementation.

The survey found that while participants recognized their rights when prompted, they had limited knowledge about the regulator responsible for enforcing the GDPR. However, they had observed concrete changes to data practices in their workplaces and appreciated the tradeoffs involved. Importantly, the employees took comfort in the fact that their personal data was handled as carefully as their employers' client data.

Contrary to the common narrative that regulations are burdensome, the researchers found that the very people tasked with complying with and executing the GDPR considered it to be a positive development for their companies and for privacy protection. This rare finding suggests that there is public support for the GDPR, which policymakers may wish to build upon as the regulation continues to evolve.

The researchers recommend that policymakers seek early feedback from a similar dual professional-consumer group as the GDPR undergoes future changes, in order to leverage this knowledge and public support.

Critical Analysis

The study provides valuable insights into how employees perceive the implementation of the GDPR, which is an important perspective that is often overlooked in discussions about the regulation. By surveying individuals who experienced the changes firsthand, the researchers were able to gather nuanced feedback that contradicts the common narrative of regulation being a burden.

However, the study does have some limitations. The sample size, while reasonable, may not be fully representative of all employees affected by the GDPR. Additionally, the researchers acknowledge that the participants' knowledge of the GDPR regulator was limited, which could indicate a need for better public education and awareness efforts.

There is also the question of whether the GDPR is truly "fair" and effective in protecting individual privacy. While the employees in this study expressed positive sentiments, the regulation's long-term impact and unintended consequences deserve further scrutiny and research.

Overall, this study provides a valuable counterpoint to the common criticism of the GDPR and suggests that policymakers should consider the perspectives of those tasked with implementing the regulation when making future decisions.

Conclusion

This study offers an important and often overlooked perspective on the implementation of the GDPR - that of the employees who are responsible for complying with and executing the regulation. Contrary to the common narrative of regulations being burdensome, the researchers found that the people tasked with implementing the GDPR actually view it as a positive development for their companies and for privacy protection.

This rare finding of public support for a major regulation suggests that policymakers should build upon this sentiment as the GDPR continues to evolve. The researchers recommend that policymakers seek early feedback from a similar dual professional-consumer group to better understand the regulation's real-world impact and potential areas for improvement.

By incorporating the perspectives of those directly affected by the GDPR, policymakers can work to ensure that the regulation remains effective, fair, and supported by the people it aims to protect.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers


From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China

Wenlong Li, Jiahong Chen


This paper explores the evolution of China's Personal Information Protection Law (PIPL) and situates it within the context of global data protection development. It draws inspiration from the theory of 'Brussels Effect' and provides a critical account of its application in non-Western jurisdictions, taking China as a prime example. Our objective is not to provide a comparative commentary on China's legal development but to illuminate the intricate dynamics between the Chinese law and the EU's GDPR. We argue that the trajectory of China's Personal Information Protection Law calls into question the applicability of the Brussels Effect: while the GDPR's imprint on the PIPL is evident, a deeper analysis unveils China's nuanced, non-linear adoption that diverges from many assumptions of the Brussels Effect and similar theories. The evolution of the GDPR-inspired PIPL is not as a straightforward outcome of the Brussels Effect but as a nuanced, intricate interplay of external influence and domestic dynamics. We introduce a complementary theory of 'gravity assist', which portrays China's strategic instrumentalisation of the GDPR as a template to shape its unique data protection landscape. Our theoretical framework highlights how China navigates through a patchwork of internal considerations, international standards, and strategic choices, ultimately sculpting a data protection regime that has a similar appearance to the GDPR but aligns with its distinct political, cultural and legal landscape. With a detailed historical and policy analysis of the PIPL, coupled with reasonable speculations on its future avenues, our analysis presents a pragmatic, culturally congruent approach to legal development in China. It signals a trajectory that, while potentially converging at a principled level, is likely to diverge significantly in practice [...]


6/13/2024

Evaluating Privacy Perceptions, Experience, and Behavior of Software Development Teams


Maxwell Prybylo, Sara Haghighi, Sai Teja Peddinti, Sepideh Ghanavati


With the increase in the number of privacy regulations, small development teams are forced to make privacy decisions on their own. In this paper, we conduct a mixed-method survey study, including statistical and qualitative analysis, to evaluate the privacy perceptions, practices, and knowledge of members involved in various phases of the Software Development Life Cycle (SDLC). Our survey includes 362 participants from 23 countries, encompassing roles such as product managers, developers, and testers. Our results show diverse definitions of privacy across SDLC roles, emphasizing the need for a holistic privacy approach throughout SDLC. We find that software teams, regardless of their region, are less familiar with privacy concepts (such as anonymization), relying on self-teaching and forums. Most participants are more familiar with GDPR and HIPAA than other regulations, with multi-jurisdictional compliance being their primary concern. Our results advocate the need for role-dependent solutions to address the privacy challenges, and we highlight research directions and educational takeaways to help improve privacy-aware SDLC.


6/11/2024

Privacy Requirements and Realities of Digital Public Goods


Geetika Gopi, Aadyaa Maddi, Omkhar Arasaratnam, Giulia Fanti


In the international development community, the term digital public goods is used to describe open-source digital products (e.g., software, datasets) that aim to address the United Nations (UN) Sustainable Development Goals. DPGs are increasingly being used to deliver government services around the world (e.g., ID management, healthcare registration). Because DPGs may handle sensitive data, the UN has established user privacy as a first-order requirement for DPGs. The privacy risks of DPGs are currently managed in part by the DPG standard, which includes a prerequisite questionnaire with questions designed to evaluate a DPG's privacy posture. This study examines the effectiveness of the current DPG standard for ensuring adequate privacy protections. We present a systematic assessment of responses from DPGs regarding their protections of users' privacy. We also present in-depth case studies from three widely-used DPGs to identify privacy threats and compare this to their responses to the DPG standard. Our findings reveal limitations in the current DPG standard's evaluation approach. We conclude by presenting preliminary recommendations and suggestions for strengthening the DPG standard as it relates to privacy. Additionally, we hope this study encourages more usable privacy research on communicating privacy, not only to end users but also third-party adopters of user-facing technologies.


6/26/2024

Data Privacy Vocabulary (DPV) -- Version 2


Harshvardhan J. Pandit, Beatriz Esteves, Georg P. Krog, Paul Ryan, Delaram Golpayegani, Julian Flake


The Data Privacy Vocabulary (DPV), developed by the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG), enables the creation of machine-readable, interoperable, and standards-based representations for describing the processing of personal data. The group has also published extensions to the DPV to describe specific applications to support legislative requirements such as the EU's GDPR. The DPV fills a crucial niche in the state of the art by providing a vocabulary that can be embedded and used alongside other existing standards such as W3C ODRL, and which can be customised and extended for adapting to specifics of use-cases or domains. This article describes the version 2 iteration of the DPV in terms of its contents, methodology, current adoptions and uses, and future potential. It also describes the relevance and role of DPV in acting as a common vocabulary to support various regulatory (e.g. EU's DGA and AI Act) and community initiatives (e.g. Solid) emerging across the globe.


4/23/2024