A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices

Roslyn Mae Layton, Silvia Elaluf-Calderwood

Publikation: Bidrag til bog/antologi/rapport/konference proceedingKonferenceartikel i proceedingForskningpeer review

10 Citationer (Scopus)


The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been presented by many policymakers as fundamental, welfare enhancing policies. While individuals value privacy, these policies require significant up front and ongoing investment by firms. For example, an analysis commissioned by the California Department of Justice's Office of the Attorney General estimates 14:1 cost to benefit ratio. No such analysis could be found from EU authorities for the GDPR. Sweeping regulatory regimes can create unintended consequences. This paper offers a brief introduction to the new cybersecurity challenges created by the GDPR and CCPA within firms and in the larger Internet ecosystem. As a result of the regulation, firms face many challenges to comply with costly and complex rules, broad definitions of personally identifiable information (PII), and increased risk of fee and/or lawsuit for violations, vulnerabilities, and lack of compliance. Since the promulgation of the GDPR, important security side effects have reported including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities. The paper also offers a brief overview of the Gordon-Loeb (GL) model used for calculating the optimal investment in cybersecurity. [1] A preliminary data set is offered to examine the difficulty of estimating the cost of cybersecurity investment in light of the GDPR. Notably, the value of the European Union's data economy was estimated to be €300 billion in 2016 [2]. The given GL model would suggest that the optimal investment to protect data would be €13.2 billion. The actual European cyber spend was some €15 billion in 2015, [3] a slightly higher number which covers the EU plus additional European countries, suggesting that the GL model some applicability. There are limited GL type models and tools to guide data protection or privacy investments, and given the emergence of new data protection expectations, it is worth investigating how and whether firms can deliver both sets of expenditures and to what degree. The low level of GDPR compliance suggests that a workable equation of data protection is still not clear for most firms.

Titel2019 12th CMI Conference on Cybersecurity and Privacy (CMI)
Antal sider6
Publikationsdato20 jan. 2020
ISBN (Trykt)978-1-7281-2857-3
ISBN (Elektronisk)978-1-7281-2856-6
StatusUdgivet - 20 jan. 2020
Begivenhed2019 12th CMI Conference on Cybersecurity and Privacy (CMI) - Copenhagen, Danmark
Varighed: 28 nov. 201929 nov. 2019


Konference2019 12th CMI Conference on Cybersecurity and Privacy (CMI)


Dyk ned i forskningsemnerne om 'A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices'. Sammen danner de et unikt fingeraftryk.