A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices

Roslyn Mae Layton, Silvia Elaluf-Calderwood

Research output: Contribution to book/anthology/report/conference proceedingArticle in proceedingResearchpeer-review

Abstract

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been presented by many policymakers as fundamental, welfare enhancing policies. While individuals value privacy, these policies require significant up front and ongoing investment by firms. For example, an analysis commissioned by the California Department of Justice's Office of the Attorney General estimates 14:1 cost to benefit ratio. No such analysis could be found from EU authorities for the GDPR. Sweeping regulatory regimes can create unintended consequences. This paper offers a brief introduction to the new cybersecurity challenges created by the GDPR and CCPA within firms and in the larger Internet ecosystem. As a result of the regulation, firms face many challenges to comply with costly and complex rules, broad definitions of personally identifiable information (PII), and increased risk of fee and/or lawsuit for violations, vulnerabilities, and lack of compliance. Since the promulgation of the GDPR, important security side effects have reported including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities. The paper also offers a brief overview of the Gordon-Loeb (GL) model used for calculating the optimal investment in cybersecurity. [1] A preliminary data set is offered to examine the difficulty of estimating the cost of cybersecurity investment in light of the GDPR. Notably, the value of the European Union's data economy was estimated to be €300 billion in 2016 [2]. The given GL model would suggest that the optimal investment to protect data would be €13.2 billion. The actual European cyber spend was some €15 billion in 2015, [3] a slightly higher number which covers the EU plus additional European countries, suggesting that the GL model some applicability. There are limited GL type models and tools to guide data protection or privacy investments, and given the emergence of new data protection expectations, it is worth investigating how and whether firms can deliver both sets of expenditures and to what degree. The low level of GDPR compliance suggests that a workable equation of data protection is still not clear for most firms.

Original languageEnglish
Title of host publication2019 12th CMI Conference on Cybersecurity and Privacy (CMI)
Number of pages6
PublisherIEEE
Publication date20 Jan 2020
Article number8962288
ISBN (Print)978-1-7281-2857-3
ISBN (Electronic)978-1-7281-2856-6
DOIs
Publication statusPublished - 20 Jan 2020
Event2019 12th CMI Conference on Cybersecurity and Privacy (CMI) - Copenhagen, Denmark
Duration: 28 Nov 201929 Nov 2019

Conference

Conference2019 12th CMI Conference on Cybersecurity and Privacy (CMI)
CountryDenmark
CityCopenhagen
Period28/11/201929/11/2019

Keywords

  • CCPA
  • GDPR
  • Huawei
  • Identity Theft
  • WHOIS
  • cybersecurity
  • privacy
  • security

Fingerprint Dive into the research topics of 'A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices'. Together they form a unique fingerprint.

  • Cite this

    Layton, R. M., & Elaluf-Calderwood, S. (2020). A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices. In 2019 12th CMI Conference on Cybersecurity and Privacy (CMI) [8962288] IEEE. https://doi.org/10.1109/CMI48017.2019.8962288