Economic Integration in the European Union

According to Christensen, Colciago, Etro, and Rafert (2013), regulation and policymaking at the centralized level where several nations are unified such as the European Union need a critical balance between cross-country spillovers and the benefits related with harmonization of policies. Furthermore, the costs associated with the countries' heterogeneous preferences is another essential factor that needs to be taken into consideration. Internalization of these issues helps in conducting a cost and benefit analysis regarding the decisions made by regional organisations. The emerging debate concerning the recent regulation on data protection by the EU is an interesting example that describes the regulation and policymaking phenomenon at centralized level (Christensen et al., 2013). The new regulation policies introduce rules that aim at protecting individuals from the illegal processing of personal data. However, the complex regulatory framework proposed by the EU has been projected to have a significant impact on small and medium-sized businesses in terms of costs associated and compliance requirements. This paper presents a proposal for a project that will seek to investigate the impact of the new regulations on SMEs.

Research Question

What is the impact of the EU General Data Protection Regulation (GDRP) on small and medium-sized businesses?

What processes need to be put in place for SMEs to comply with GDRP?

Literature Review

The Proposed Policy Frameworks for Regulating Data Protection in the EU

London Economics (2013) noted that the proposed framework for the new regulations was drafted in two EU documents. The first document entailed a draft Regulation that is “binding in its entirety and directly applicable in all Member States” (London Economics, 2013, p. 13). The second document, the draft Directive, would bound all members by the outcomes of legislation but the method of implementation and chose of form were left at the discretion of the national authorities. The proposed Regulation introduces several changes to the current law of data protection including updated and new definitions as well as a raised standard for obtaining consent (Hustinx, 2013). Under Article 4, key terms such as data controller and data subject have been modified to refer to possible "online identifiers" including cookie identifiers and IP addresses. Additionally, the new regulatory framework requires one to obtain consent "in the context of a written declaration” (London Economics, 2013, p. 15). Besides complying, Article 22 of new regulatory law also requires data controllers to demonstrate compliance through various forms such as assessments of data protection impact and maintaining documentation (Hustinx, 2013).

Impact of the GDRP on SMEs

The surging discussions in the public space regarding GDRP revolve around both positive and negative effects of its implementation. London Economics (2013) observed that in light of the estimates by EU's Impact Assessment, the proposals will see a significant reduction in businesses' administrative burdens by 2.3 billion euros annually. London Economics (2013, p. 19) further noted: "This entails a saving of 2.5 billion euros from the harmonization of data protection laws across the EU Member States." Moreover, the Impact Assessment projected that there will no additional compliance costs for businesses due to the requirement of adding professional data protection officer (DPO) in the management.

However, several studies and surveys conducted among EU-based SMEs reveal that there will be serious negative effects when the new rules come into force. According to Christensen et al. (2013), the effect of GDRP on UK-based SMEs will be hugely realized through compliance processes. There is a number of challenges posed to small firms in light of compliance with GDRP. First, there will be concerns regarding the procedures for data protection and the design for systems (de Hert & Papakonstantinou, 2016). The proposed regulation stipulates that businesses must come up with data management systems with greater flexible features such as data portability and options for subjects to access personal data in an electronic format. Secondly, small businesses with 250 employees or more will have challenges identifying a DPO, who must be incorporated in the management according to the new regulation (Blume, 2016). The data processor and data controller will be required to assess the activities of the DPOs to ensure that they maintain documentation of data processing activities in their respective firms.

On March 6th, 2012, the Ministry of Justice (MoJ) sought to investigate the anticipated effects of the draft Regulation through a study dubbed as “Call for Evidence” (London Economics, 2013). Having explored figures from the EC Impact Assessment and surveys, MoJ found that the Regulation would raise the net cost for businesses from 80 million euros to about 320 million euros every year (London Economics, 2013). The increase in net cost will be mainly attributed to the compliance costs. In a nutshell, the new directive mean additional overhead for SMEs. For advertisers, the idea developed in the proposed law that they must secure consent for their ads is not practical (Forrester, 2017). The process of preserving, obtaining, and even implementing consent will be burdening to advertisers since many ad personalizations utilize cases.

Cost-Effective Compliance with GDRP

According to GDRP, data protection is legal obligation either by default or by design. de Hert and Papakonstantinou (2016) stated that businesses have efficient time to adapt to the new security requirements introduced by GDRP. Early preparation is one of the strategies that SMEs can use to avoid costs related to compliance and operations. According to Blume (2016), businesses will have to examine their entire security landscape in a bid to understand the areas that need modification based on the requirements of the new regulations. To maintain the costs in the process of complying with GDRP, London Economics (2013) recommended a gradual installation of a combination of preventative, detective, reactive, and proactive security controls. Every area of IT infrastructure should be grounded on privacy protection.

Christensen et al. (2013) suggested for effective utilization of the “one-stop-shop” principle by businesses proposed in the new legislation to reduce compliance costs. The principle advocate for employing data processors and data controllers that operate in the EU countries and regulated by central authority. However, this does not apply in the case of cloud computing providers that are both data processors and data controllers located in non-EU countries. Such firms must internal IT systems with collaborative technology designed to around actionable threat intelligence, open API standards, and interconnected security. According to Christensen et al. (2013), the systems of non-EU cloud computing providers must have security configuration points, data warehouse support, and system data sets. The mainframe data should be connected to the data centre to enable the subjects and casual users to access their personal data with ease as required by the new regulations.

Strategies for vendor and Partner Selection

Chen and Zhao (2012) postulated that the obligations of a business towards data security and privacy extends to the management of the data by the vendors. Following the introduction of more strict rules in the new Regulation, companies and vendors are required to establish strategies that will see their relationship is embedded in adherence to the law. Businesses should conduct security and privacy due diligence in selection of vendors. The amount of data accessible to the vendors should be limited. The third-party service provider and the firm need to maintain good governance of information including data retention, data mapping, and destruction of protocols.

Methodology

Qualitative research design will be used in the proposed study to reach the expected goals and objectives. The choice of the design is informed by its ability to gain familiarity and insights for a particular phenomenon through the opinions and reasoning of individuals. Qualitative research design will be preferred over quantitative approach because of the nature of the proposed study that seeks to examine the contextual understandings of the new Regulation. The quantitative approach seeks to quantify a problem, which is a different objective for the proposed study. The primary data will be collected through structured and semi-structured questionnaires which will be administered to 76 participants who will comprise of small business owner based in the UK. The researcher will also conduct interviews to gain deeper insights and opinions regarding the impact of the GDRP on small-scale businesses. The secondary data will be obtained from recent studies and reports addressing the research topic.

Foreseen Limitations

The researcher will likely experience several challenges that will limit the scope of the study. One of the anticipated challenges is the difficulty to assemble all the responses from the participants due to compliance issues. Also, due to the busy schedules of some of the respondents, it will be difficult for the researcher to obtain critical information through interviews. To mitigate these shortcomings, the researcher will post the questionnaires and interview questions online for the respondents to answer and forward them with ease. Additionally, the researcher will allow flexibility in the conduct of the study and conduct interviews outside the workplaces or organisational settings.

Feasibility of the study

To explore the feasibility of the proposed study, the researcher will carry out semi-structured telephone interviews with the local business owners. The results of the pilot study will be analysed and used to determine whether the proposed project will be viable. The pilot study will test the willingness of the various SME stakeholders to discuss the underlying issues concerning the proposed regulations. Furthermore, the feasibility study will enable the researcher to predict the cost and time of the project. Potential problems and challenges associated with data collection will be identified. The researcher will develop measures to counter the expected problems.

Research Schedule

Activity

Estimated Timeframe

Develop research questions, objectives, and goals

3 days

Design the research protocol

4 days

Identify and adapt the research instruments

1 week

Recruitment of the respondents and interviewers

3 weeks

Online orientation of the participants

1 week

Data collection

2-4 days per study site

Transcription and translation of data

2 weeks

Analysis of collected data

1 week

Presentation of the results

2 days

Report preparation

1 week

References

Blume, P. (2016). Impact of the EU General Data Protection Regulation on the public sector. Journal of Data Protection & Privacy, 1(1), 53-63.

Chen, D., & Zhao, H. (2012, March). Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on (Vol. 1, pp. 647-651). IEEE.

Christensen, L., Colciago, A., Etro, F., & Rafert, G. (2013). The impact of the data protection regulation in the eu. Intertic Policy Paper, Intertic. Accessed March 22, 2018, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.657.138&rep=rep1&type=pdf

de Hert, P., & Papakonstantinou, V. (2016). The new General Data Protection Regulation: Still a sound system for the protection of individuals?. Computer Law & Security Review, 32(2), 179-194.

Forrester. (2017). Digital Advertising and Marketing under GDPR: A Question of how, not if. Forbes. Accessed March 22, 2018, https://www.forbes.com/sites/forrester/2017/12/12/digital-advertising-and-marketing-under-gdpr-a-question-of-how-not-if/#13ea5e4b3b98

Hustinx, P. (2013). EU data protection law: The review of directive 95/46/EC and the proposed general data protection regulation. Collected courses of the European University Institute’s Academy of European Law, 24th Session on European Union Law, 1-12.

London Economics. (2013). Implications of the European Commission’s Proposal for a General Data Protection Regulation for Business. Final Report to the Information of Commissioner’s Office. London, UK. London Economics.