GDPR and the Right to Privacy

Posted on May 25, 2018

Johanna Schmidt
Johanna Schmidt
Senior Associate, Financials & Real Estate Research

On May 25, 2018, General Data Protection Regulation (GDPR) will enter into force, repealing the 1995 non-legally binding European Union (EU) Data Protection Directive. GDPR enhances European citizens’ right to privacy by enshrining the “right to be forgotten,” establishing concepts like “privacy by design” and by setting aggressive timelines for businesses to report data breaches.

GDPR applies to any company that collects data from EU residents, including firms based outside of Europe. Compliance with the regulation is mandatory and those found non-compliant can be fined up to EUR 20 million, or 4% of a company’s annual turnover (whichever is higher). The preparation for the complex and detailed regulation and the clear assignment of the responsibility for the protections of individuals’ information have resulted in significant costs for companies. The “GDPR doomsday clock” has been widely depicted across the internet, visualizing companies’ anxieties about the new regulation.

Why GDPR matters

GDPR is about much more than just compliance and potential fines. It is about corporate culture, and the awareness and respect for individuals’ right to privacy. Privacy is a fundamental human right, enshrined in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties. In the modern digital age of big data and constant monitoring, privacy has become one of the most important human rights issues.

Yet, the degree to which individuals care, or are aware of their right to privacy and the violations thereof, differ. For instance, a wealth manager’s client may not object to the company collecting data on his private life, such as his wife’s birthday, for the purpose of sending business courtesies to enhance the customer relationship. However, a bank customer may find it unacceptable to receive personalized advertisements from third-parties based on past payment behavior, or an insurance customer may not want their car’s GPS, speed and driving data tracked in order to adjust the terms of their car or accident insurance policies.

The important questions are: what type of data is collected, for what purpose, to what extent do third parties have access to it and how is it processed and protected? Clear and intelligible answers alongside clear contact and complaint mechanisms, as stipulated by the GDPR, enhances clients’ awareness of their rights and the opportunity to exert control over their personal information.

It is important for individuals to understand that they are the only rightful owner of their personal identifiable data; they have the right, as well as the means, to control their data flows; and they are entitled to hold data collectors and processors accountable for how their data is managed. Similar to the right to vote, individuals need to be educated about their privacy rights in order to fully exercise them. They need to understand and own their individual right to privacy and to be forgotten. GDPR and its core concepts strengthen citizens’ awareness that their personally identifiable information belongs to them, and not to the corporation collecting or processing their data.

Furthermore, GDPR establishes the structures for individuals to be able to hold corporations accountable, for instance, by the mandatory assignment of a data protection officer at corporations.

GDPR has the potential to advance society by improving privacy practices at corporations. This will, however, only be possible once it moves from being a complex piece of regulation that companies are struggling to comply with to becoming something ingrained in their processes and ultimately their corporate culture. This shift will take time.

Fines and controversies

Empowering individuals to exercise and control their right to privacy and holding companies accountable are big achievements of GDPR. Since enforcing and controlling its implementation is likely to be a difficult task for the EU, it remains to be seen how fines will be applied.

A recent study found that 40% of UK consumers intend to exercise their data privacy rights in the next six months, following the implementation of GDPR. Financial services, retail and social media companies are most likely to be hit the hardest with personal data requests.

Analysts of GDPR’s impact will be busy in the months and years to come. First, monitoring institutional enforcement, such as fines or warnings of non-compliance, will contribute to assessing the financial impact of the regulation. Second, scrutinizing data breaches and leaks, while evaluating how soon individuals have been informed, will be part of understanding the operational impact. Third, NGO and media reports, and the voices of concerned individuals, privacy defenders and social movements supporting enhanced privacy rights could shed new light on the reputational impact of not having adequate privacy practices in place.

As large-scale controversies, involving massive data collection and high-profile data leaks, shake individuals’ confidence, the importance and understanding of the right to privacy are likely to increase. Companies that do not embrace the core concepts of GDPR, such as integrating transparency and accountability into their privacy practices and embedding the protection of individuals’ right to privacy in their corporate culture, run the risk of incurring financial, operational and reputational damage in the long run.

Recent Content

Physical Climate Risks: 6 Things Portfolio Managers Need to Know

The negative physical impacts of climate change are being felt by communities and corporations globally and are likely to get worse in the coming years. The knock-on costs of more frequent “once-in-a-century” climate events on economies are likely to rise. To prepare for this looming threat, investors must forecast the asset-level effects of climate change on companies in a granular and sophisticated way. Here are six things portfolio managers should know to manage and mitigate the physical risks of climate change to their portfolios and meet growing list of climate-focused reporting requirements.

human rights

Applying Business and Human Rights International Standards to Investor Due Diligence

Socially conscious ESG investors are interested in how to implement international business and human rights norms in their portfolios and understand the potential impacts of applying additional screening criteria within their strategy.

wireless users network outage

Telecom Network Outages, the ESG Risks of a Connected World

The telecom industry is exposed to several Material ESG Issues, including Data Privacy and Security, Business Ethics, Human Capital and Product Governance. Product Governance issues in the telecom industry include service quality, maintaining reliable, high-speed networks, and responding to customer billing concerns.

ESG Risk Data Center

ESG Risks Affecting Data Centers: Why Water Resource Use Matters to Investors

Data centers play a critical role for many technology and telecom companies and for their supporting servers, digital storage equipment and network infrastructure for data processing and storage. Data centers require high volumes of water directly for cooling purposes and indirectly, through electricity generation. Morningstar Sustainalytics’ recent activation of the Resource Use Material ESG Issue (MEI) within its ESG Risk Ratings recognizes water risks of data centers.