The General Data Protection Regulation (GDPR) came into effect in May 2018 and is designed to safeguard EU citizens' data privacy. The benefits of the regulation to consumers' rights and to regulators' powers are well known. The benefits to regulated businesses are less obvious and under-researched. The aim of this study is to investigate whether GDPR is all pain and no gain for business. Using semi-structured interviews, we survey 14 C-level executives responsible for business, finance, marketing, legal and technology, drawn from six small, medium and large companies in the UK and Ireland. We find the threat of fines has focused the corporate mind and made business more privacy aware. Organisationally, it has created new power bases within companies to advocate GDPR. It has forced companies, in varying degrees, to modernise their platforms and has indirectly benefited them with better risk management processes, information security infrastructure and up-to-date customer databases. Compliance, for some, is used as a reputational signal of trustworthiness. We find many implementation challenges remain. New business development and intra-company communication are more constrained. Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and ex-employees weaponise Subject Access Requests (SARs) as a tool of retaliation. Small businesses see GDPR as overkill and overwhelming. We conclude that GDPR may be regarded as a pain by business, but it has made business more careful with data. We recommend the EU consider tailoring a version of the regulation that is better suited to SMEs and modifying the messaging to be more positive, whilst still exploiting news of fines to reinforce corporate data discipline.