Introduction
Data privacy and protection are the new global standards with the General Data Protection
Regulation (GDPR) implemented by the European Union in 2018. The effectiveness of such a
policy must be judged by its means of success, by the policy judgments of the experts, and by the
policy’s wider moral, political and social dimensions. In this article, we take a look at what
expert assessment would look like, how it can be done, and whether the results would show that
the GDPR was successful in achieving its objectives.
Expert Evaluations of GDPR
Intellectuals have analysed the GDPR from a variety of angles, with successes and failures. Tikk
and Kaska (2019) found that the regulation had effectively ‘brought data privacy to the public’s
awareness and brought in-house requirements for data protection by companies all over the
world. ‘Compliance with GDPR is seen as a precondition for the companies that want to
continue access to European markets, and thus extends the regulation’s reach beyond the EU’ (p
120), they conclude.
But Veale, Binns and Ausloos (2018) point to enforcer-lack gaps as one problem. Even though
the GDPR provides people with very important rights, those rights can’t always be exercised due
to the failure of DPAs to enforce. Countless DPAs are underfunded, and the law is applied
differently in different member states of the EU (p 110). These gaps reduce the efficiency of the
regulation.
In a more general sense, GDPR’s prioritisation of individual rights can in fact harm
technological innovation, Mantelero (2018) writes. That makes one wonder how the regulation
will adapt to allow both privacy and innovation in new technologies such as artificial intelligence
(AI) and big data analytics (p. 756).
Proposed Assessment Framework
If you want to measure the effectiveness of GDPR, there are some things you need to consider in
a model:
1. Compliance Rates: Depending on the percentage of companies that have made GDPR
compliance such as having DPOs and following consent requirements it’s possible to look at
organizational compliance. 2. Enforcement Metrics: Quantifying the number and consequences of enforcement actions
taken by DPAs — fines, penalties, etc. — would reveal GDPR’s practical use case.
3. Public Awareness and Trust: Depending on how many people respond to surveys asking
whether they are aware of their rights, and whether they trust companies to secure their data, the
GDPR could uncover if the law has empowered people as intended.
4. Innovation Impact: Analyzing the regulation’s impact on industries whose business relies on
data analytics can show whether GDPR supports or suppresses innovation.
5. Across Borders Cooperation: Understanding how GDPR has changed the world’s data
privacy laws and helped create transnational data privacy agreements will show that it’s global.
Relationship of Moral, Political and Social Dimensions
The moral, political and social concerns discussed in earlier chapters form part of this judgement.
In moral terms, the GDPR aims to marry privacy with economic and technological innovation.
On a political level, its extraterritorial use has encouraged collaboration and defiance, creating
global data governance. On the social side, GDPR expresses cultural norms of personal rights but
presents problems for small enterprises and cross-border trade.
These consequences contextualise the analysis by setting priorities to weigh trade-offs among
competing priorities – personal freedom, enforcement of laws, innovation. For instance, the
regulation’s strong focus on consent responds to moral issues of good reason in making
decisions, but its cost of implementation can eat up smaller companies. Similarly, given GDPR’s
priority for individuals over public goods (like medical research), flexible solutions based on
society are in order.
Anticipated Findings and Recommendations
The existing literature and methods would indicate a mixed bag. While GDPR has been a
successful awakening and set a common international standard for data privacy, implementation
and unintended consequences such as SMEs costs and innovation choke points remain a
problem. Such problems will need more resources to enforce, more directives to adhere to, and
leeway to balance privacy with other public goods.
Finally, GDPR will only be successful if it is able to respond quickly to new challenges. As
Floridi (2016) points out: “The moral regime such as GDPR will have to change if it is to
continue to cope with the realities of a digital world” (p. 10). We might suggest working closer together between regulators, businesses and civil society to make sure that GDPR is being
achieved and that new challenges are taken up.
Conclusion
We can measure GDPR effectiveness in many ways including compliance, enforcement, public
understanding, innovation impact and global influence. A cross-fertilisation of moral, political
and social ideas reveals the regulation’s merits and limitations. The GDPR has done much to
protect personal rights and impact global data governance, but the future success will depend on
addressing enforcement inequalities, SMEs, and innovation. Combined with these steps, GDPR
can be an excellent set of guidelines to navigate data privacy in the digital world.
References
Floridi, L. (2016). The ethics of information transparency. Ethics and Information Technology,
18(1), 9-11. https://doi.org/10.1007/s10676-016-9404-5.
Mantelero, A. (2018). AI and Big Data: The roadmap for a human rights, social and ethical
impact analysis. Computer Law & Security Review, 34(2), 754-772.
https://doi.org/10.1016/j.clsr.2018.05.017
Tikk, E., & Kaska, K. (2019). What the GDPR means for cybersecurity in Europe and beyond.
Journal of Cyber Policy, 4(2), 117-128. https://doi.org/10.1080/23738871.2019.1658095
: Veale, M., Binns, R., & Ausloos, J. (2018). When data protection by design and data subject
rights get in the way. International Data Privacy Law, 8(2), 105-123.
https://doi.org/10.1093/idpl/ipy002