How the GDPR Compares to Best Practices for Privacy, Accountability and Trust

23 Pages Posted: 31 Mar 2017 Last revised: 8 Sep 2017

Roslyn Layton

Aalborg University, Department of Electronic Systems, Center for Communication, Media and Information Technologies

Date Written: March 31, 2017

Abstract

The European Commission’s General Data Protection Regulation (GDPR) is perhaps the most monumental pan-European regulation of the last decade and may well become a de facto world standard. The regulation is described as a means to regulate the processing of personal data, the protection of which is a fundamental EU right. The regulation declares, “The processing of personal data should be designed to serve mankind.” The European Commission states that its goals are to give users control of their data and to ease the conduct of business. This paper reports a preliminary investigation into whether, and to what degree, the GDPR’s choice of instruments conforms to the European Union’s own research and best practices as set out in the report “Privacy, Accountability and Trust: Challenges and Opportunities” by the European Union Agency for Network and Information Security (ENISA).

The GDPR consists of a set of provisions including Consent, Right to Object to Profiling, Data Portability, Right to be Forgotten/Erasure, One Stop Shop for Privacy Compliance, Data Protection Officers, Data Breach Notification, and Punishments. Meanwhile, the four inputs to maximize privacy as defined by ENISA are (1) the user’s knowledge of online privacy, (2) the technology design, (3) the practices of providers, and (4) the institutions governing the system. The investigation shows a gap between the provisions and instruments of the GDPR and the inputs recommended by ENISA. While the GDPR stipulates strict regulation (4) and mandates specific business practices (3), it does not discuss how to improve users’ knowledge of privacy and privacy-enhancing behaviors (1), which the Eurobarometer reports to be low. This omission is notable because the GDPR claims its key goal is to give users control of their data and to create trust in society so that the digital economy can grow. Moreover, technology design (2) receives only a brief mention in a paragraph about privacy by design and default. This paper investigates the discrepancy between best practices and policymakers’ choices and proposes some explanations based upon the literature.

Keywords: GDPR, online privacy, regulation, data protection, European Union, privacy by design, regulatory behavior and performance

JEL Classification: B41, D70, D71, D72, D73, D74, B41, D78, K20, L51

Suggested Citation

Layton, Roslyn, How the GDPR Compares to Best Practices for Privacy, Accountability and Trust (March 31, 2017). Available at SSRN: https://ssrn.com/abstract=2944358 or http://dx.doi.org/10.2139/ssrn.2944358

Roslyn Layton (Contact Author)

Aalborg University, Department of Electronic Systems, Center for Communication, Media and Information Technologies

A.C. Meyers Vænge 15
Frederikskaj Bldg., 3rd Floor
Copenhagen, 2450
Denmark
+45 9940 3641 (Phone)

HOME PAGE: https://vbn.aau.dk/en/persons/roslyn-mae-layton

Paper statistics: Downloads 1,456; Abstract Views 6,525; Rank 26,816