GDPR and the Right to Privacy

Posted on May 25, 2018

Johanna Schmidt
Senior Associate, Financials & Real Estate Research

On May 25, 2018, General Data Protection Regulation (GDPR) will enter into force, repealing the 1995 non-legally binding European Union (EU) Data Protection Directive. GDPR enhances European citizens’ right to privacy by enshrining the “right to be forgotten,” establishing concepts like “privacy by design” and by setting aggressive timelines for businesses to report data breaches.

GDPR applies to any company that collects data from EU residents, including firms based outside of Europe. Compliance with the regulation is mandatory, and those found non-compliant can be fined up to EUR 20 million or 4% of a company’s annual turnover (whichever is higher). Preparing for the complex and detailed regulation, and the clear assignment of responsibility for the protection of individuals’ information, have resulted in significant costs for companies. The “GDPR doomsday clock” has been widely depicted across the internet, visualizing companies’ anxieties about the new regulation.

Why GDPR matters

GDPR is about much more than just compliance and potential fines. It is about corporate culture, and the awareness and respect for individuals’ right to privacy. Privacy is a fundamental human right, enshrined in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties. In the modern digital age of big data and constant monitoring, privacy has become one of the most important human rights issues.

Yet the degree to which individuals care about, or are aware of, their right to privacy and violations of it differs. For instance, a wealth manager’s client may not object to the company collecting data on his private life, such as his wife’s birthday, for the purpose of sending business courtesies to enhance the customer relationship. However, a bank customer may find it unacceptable to receive personalized advertisements from third parties based on past payment behavior, and an insurance customer may not want their car’s GPS, speed and driving data tracked in order to adjust the terms of their car or accident insurance policies.

The important questions are: what type of data is collected, for what purpose, to what extent do third parties have access to it, and how is it processed and protected? Clear and intelligible answers, alongside clear contact and complaint mechanisms as stipulated by the GDPR, enhance clients’ awareness of their rights and their opportunity to exert control over their personal information.

It is important for individuals to understand that they are the only rightful owners of their personally identifiable data; that they have the right, as well as the means, to control their data flows; and that they are entitled to hold data collectors and processors accountable for how their data is managed. As with the right to vote, individuals need to be educated about their privacy rights in order to fully exercise them. They need to understand and own their individual right to privacy and to be forgotten. GDPR and its core concepts strengthen citizens’ awareness that their personally identifiable information belongs to them, and not to the corporation collecting or processing their data.

Furthermore, GDPR establishes structures that enable individuals to hold corporations accountable, for instance through the mandatory appointment of a data protection officer at corporations.

GDPR has the potential to advance society by improving privacy practices at corporations. This will, however, only be possible once it moves from being a complex piece of regulation that companies are struggling to comply with to becoming something ingrained in their processes and ultimately their corporate culture. This shift will take time.

Fines and controversies

Empowering individuals to exercise and control their right to privacy, and holding companies accountable, are big achievements of GDPR. Since enforcing and monitoring its implementation is likely to be a difficult task for the EU, it remains to be seen how fines will be applied.

A recent study found that 40% of UK consumers intend to exercise their data privacy rights in the next six months, following the implementation of GDPR. Financial services, retail and social media companies are most likely to be hit the hardest with personal data requests.

Analysts of GDPR’s impact will be busy in the months and years to come. First, monitoring institutional enforcement, such as fines or warnings of non-compliance, will contribute to assessing the financial impact of the regulation. Second, scrutinizing data breaches and leaks, while evaluating how soon individuals have been informed, will be part of understanding the operational impact. Third, NGO and media reports, and the voices of concerned individuals, privacy defenders and social movements supporting enhanced privacy rights could shed new light on the reputational impact of not having adequate privacy practices in place.

As large-scale controversies, involving massive data collection and high-profile data leaks, shake individuals’ confidence, the importance and understanding of the right to privacy are likely to increase. Companies that do not embrace the core concepts of GDPR, such as integrating transparency and accountability into their privacy practices and embedding the protection of individuals’ right to privacy in their corporate culture, run the risk of incurring financial, operational and reputational damage in the long run.
