Sean Sirur,Jason R. C. Nurse,Helena Webb,Jason R.C. Nurse

DOI: https://doi.org/10.48550/arXiv.1808.07338

2018-08-22

Computers and Society

Abstract:The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Victoria Chico

DOI: https://doi.org/10.1093/bmb/ldy038

2018-11-17

British Medical Bulletin

Abstract:Background: On the May 25, 2018 the General Data Protection Regulation (hereafter the GDPR or the Regulation) came into force, replacing the Data Protection Directive 95/46/EC (upon which the Data Protection Act 1998 is based), and imposing new responsibilities on organizations which process the data of European Union citizens.Sources of data: This piece examines the impact of the Regulation on health research.Areas of agreement: The Regulation seeks to harmonize data privacy laws across Europe, to protect and empower all EU citizen's data privacy and to reshape the way that organizations approach data privacy (See the GDPR portal at: https://www.eugdpr.org/ (accessed 8 May 2018). As a Regulation the GDPR is directly applicable in all member states as opposed to a directive which requires national implementing measures (In the UK the Data Protection Act 1998 was the implementing legislation for the Data Protection Directive 95/46/EC.).Areas of controversy: The Regulation is sector wide, but its impact on organizations us sector specific. In some sectors, the Regulation inhibits the processing of personal data, whilst in others it enables that processing. The Regulation takes the position that the 'processing of data should be designed to serve mankind' (Recital 4). Whilst it does not spell out what exactly is meant by this, it indicates that a proportionate approach will be taken to the protection of personal data, where that data can be processed for common goods such as healthcare. Thus, the protection of personal data is not absolute, but considered in relation to its function in society and balance with other fundamental rights in accordance with the principle of proportionality (Recital 4). Differing interpretations of proportionality can detract from the harmonization objective of the Regulation.Growing points: Reflecting the commitment to proportionality, scientific research holds a privileged position in the Regulation. Throughout the Regulation provision is made for organizations that process personal data for scientific research purposes to avoid restrictive measures which might impede the increase of knowledge. However, the application of the Regulation differs across health research sectors and across jurisdictions. Transparency and engagement across the health research sector is required to promote alignment.Areas timely for developing research: Research which focuses on the particular problems which arise in the context of the regulation's application to health research would be welcome. Particularly in the context of the operation of the Regulation alongside the duty of confidentiality and the variation in approaches across Member States.

medicine, general & internal

Gauthier Chassang

DOI: https://doi.org/10.3332/ecancer.2017.709

2017-01-03

ecancermedicalscience

Abstract:The use of personal data is critical to ensure quality and reliability in scientific research. The new Regulation [European Union (EU)] 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [general data protection regulation (GDPR)], repealing Directive 95/46/EC, strengthens and harmonises the rules for protecting individuals' privacy rights and freedoms within and, under certain conditions, outside the EU territory. This new and historic legal milestone both prolongs and updates the EU acquis of the previous Data Protection Directive 95/46/EC. The GDPR fixes both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data such as health data taking place in the context of scientific research, this including clinical and translational research areas. This article aims to provide an overview of the new rules to consider where scientific projects include the processing of personal health data, genetic data or biometric data and other kinds of sensitive information whose use is strictly regulated by the GDPR in order to give the main key facts to researchers to adapt their practices and ensure compliance to the EU law to be enforced in May 2018.

Rebecca R. Lee,Janet E. McDonagh,Albert Farre,Sarah Peters,Lis Cordingley,Tim Rapley

DOI: https://doi.org/10.1111/1467-9566.13408

2021-11-23

Abstract:With the most recent developments to the European General Data Protection Regulations (GDPR) introduced in May 2018, the resulting legislation meant a new set of considerations for study approvers and health-care researchers. Compared with previous legislation in the UK (The Data Protection Act, 1998), it introduced more extensive and directive principles, requiring anybody 'processing' personal data to specifically define how this data will be obtained, stored, used and destroyed. Importantly, it also emphasised the principle of accountability, which meant that data controllers and processors could no longer just state that they planned to adhere to lawful data protection principles, they also had to demonstrate compliance. New questions and concerns around accountability now appear to have increased levels of scrutiny in all areas of information governance (IG), especially with regards to processing confidential patient information. This article explores our experiences of gaining required ethical and regulatory approvals for an ethnographic study in a UK health-care setting, the implications that the common law duty of confidentiality had for this research, and the ways in which IG challenges were overcome. The purpose of this article was to equip researchers embarking on similar projects to be able to navigate the potentially problematic and complex journey to approval.

public, environmental & occupational health,social sciences, biomedical,sociology

Sanchit Alekh

DOI: https://doi.org/10.48550/arXiv.1806.03253

2018-06-01

Computers and Society

Abstract:The GDPR, or the Datenschutz Grundverordnung (DSGVO) in German, is an EU Law which addresses the subject of safeguarding privacy of personal data of the citizens of the EU and EEA. It also specifies how data the collected data might be transported out of the EU/EEA. It is the first genuine effort to unify the plethora of disparate privacy regulations put forward by different regulatory bodies. The GDPR aims to not only give more control over their personal data to the citizens, but also make conformance for businesses easier by defining unified guidelines. It also presses businesses, especially those dealing with sensitive personal data, to build their information systems in a way that confirms with Privacy by Design. These regulations aim to ensure a more transparent handling and processing of personal data, and create an environment of trust and awareness on both sides, i.e., the data owner as well as the controllers/processors.

Mahsa Shabani,Pascal Borry

DOI: https://doi.org/10.1038/s41431-017-0045-7

2017-11-29

European Journal of Human Genetics

Abstract:Genetic data contain sensitive health and non-health-related information about the individuals and their family members. Therefore, adopting adequate privacy safeguards is paramount when processing genetic data for research or clinical purposes. One of the major legal instruments for personal data protection in the EU is the new General Data Protection Regulation (GDPR), which has entered into force in May 2016 and repealed the Directive 95/46/EC, with an ultimate goal of enhancing effectiveness and harmonization of personal data protection in the EU. This paper explores the major provisions of the new Regulation with regard to processing genetic data, and assesses the influence of such provisions on reinforcing the legal safeguards when sharing genetic data for research purposes. The new Regulation attempts to elucidate the scope of personal data, by recognizing pseudonymized data as personal (identifiable) data, and including genetic data in the catalog of special categories of data (sensitive data). Moreover, a set of new rules is laid out in the Regulation for processing personal data under the scientific research exemption. For instance, further use of genetic data for scientific research purposes, without obtaining additional consent will be allowed, if the specific conditions is met. The new Regulation has already fueled concerns among various stakeholders, owing to the challenges that may emerge when implementing the Regulation across the countries. Notably, the provided definition for pseudonymized data has been criticized because it leaves too much room for interpretations, and it might undermine the harmonization of the data protection across the countries.

genetics & heredity,biochemistry & molecular biology

Steve Wilkinson

DOI: https://doi.org/10.69554/yvow7196

2023-01-01

Abstract:It has been more than four years since the EU General Data Protection Regulation (GDPR) was applied to the UK, as supplemented by the Data Protection Act (DPA) 2018.1 Since then, the UK has left the EU. Having reflected on the advantages and disadvantages of the current framework, the government identified and consulted on several areas where it considered improvements could be made that would benefit those who process personal data while retaining high data protection standards. Any revised legislation may have impacts on the UK's adequacy as well as trading abilities throughout the EU. This article will review the current status of the bill together with a review relating to the impact of the proposed legislation within the UK.

Fatemeh Zarrabi,Isabel Wagner,Eerke Boiten

2023-04-24

Abstract:Based on Article 35 of the EU (European Union) General Data Protection Regulation, a Data Protection Impact Assessment (DPIA) is necessary whenever there is a possibility of a high privacy and data protection risk to individuals caused by a new project under development. A similar process to DPIA had been previously known as Privacy Impact Assessment (PIA). We are investigating here to find out if GDPR and DPIA specifically as its privacy risk assessment tool have resolved the challenges privacy practitioners were previously facing in implementing PIA. To do so, our methodology is based on comparison and thematic analysis on two sets of focus groups we held with privacy professionals back in January 2018 (four months before GDPR came into effect) and then in November 2019 (18 months after GDPR implementation).

Cryptography and Security

Isabel Maria Lopes,Teresa Guarda,Pedro Oliveira

DOI: https://doi.org/10.1007/s10916-020-1521-0

IF: 4.92

2020-01-10

Journal of Medical Systems

Abstract:The focus on personal data has merited the EU concerns and attention, resulting in the legislative change regarding privacy and the protection of personal data. The General Data Protection Regulation (GDPR) aims to reform existing measures on the protection of personal data of European Union citizens, with a strong impact on the rights and freedoms of individuals in establishing rules for the processing of personal data. The GDPR considers a special category of personal data, the health data, being these considered as sensitive data and subject to special conditions regarding treatment and access by third parties. This work presents the evolution of the applicability of the Regulation (EU) 2016/679 six months after its application in Portuguese health clinics. The results of the present study are discussed in the light of future literature and work are identified.

health care sciences & services,medical informatics

Travis Greene,Galit Shmueli,Soumya Ray,Jan Fell

DOI: https://doi.org/10.1089/big.2018.0176

IF: 4.426

Big Data

Abstract:Rapid growth in the availability of behavioral big data (BBD) has outpaced the speed of updates to ethical research codes and regulation of data privacy and human subjects' data collection, storage, and use. The introduction of the European Union's (EU's) General Data Protection Regulation (GDPR) in May 2018 will have far-reaching effects on data scientists and researchers who use BBD, not only in the EU, but around the world. Consequently, many companies are struggling to comply with the Regulation. At the same time, academics interested in research collaborations with companies are finding it more difficult to obtain data. In light of the importance of BBD in both industry and academia, data scientists and behavioral researchers would benefit from a deeper understanding of the GDPR's key concepts, definitions, and principles, especially as they apply to the data science workflow. We identify key GDPR concepts and principles and describe how they can impact the work of data scientists and researchers in this new data privacy regulation era.

John KC Kingston

DOI: https://doi.org/10.48550/arXiv.1809.05762

IF: 14.4

2018-09-15

Artificial Intelligence

Abstract:The General Data Protection Regulation (GDPR) is a European Union regulation that will replace the existing Data Protection Directive on 25 May 2018. The most significant change is a huge increase in the maximum fine that can be levied for breaches of the regulation. Yet fewer than half of UK companies are fully aware of GDPR - and a number of those who were preparing for it stopped doing so when the Brexit vote was announced. A last-minute rush to become compliant is therefore expected, and numerous companies are starting to offer advice, checklists and consultancy on how to comply with GDPR. In such an environment, artificial intelligence technologies ought to be able to assist by providing best advice; asking all and only the relevant questions; monitoring activities; and carrying out assessments. The paper considers four areas of GDPR compliance where rule based technologies and/or machine learning techniques may be relevant: * Following compliance checklists and codes of conduct; * Supporting risk assessments; * Complying with the new regulations regarding technologies that perform automatic profiling; * Complying with the new regulations concerning recognising and reporting breaches of security. It concludes that AI technology can support each of these four areas. The requirements that GDPR (or organisations that need to comply with GDPR) state for explanation and justification of reasoning imply that rule-based approaches are likely to be more helpful than machine learning approaches. However, there may be good business reasons to take a different approach in some circumstances.

John Mark Michael Rumbold,Barbara Pierscionek

DOI: https://doi.org/10.2196/jmir.7108

IF: 7.076

2017-02-24

Journal of Medical Internet Research

Abstract:BACKGROUND: The enactment of the General Data Protection Regulation (GDPR) will impact on European data science. Particular concerns relating to consent requirements that would severely restrict medical data research have been raised.OBJECTIVE: Our objective is to explain the changes in data protection laws that apply to medical research and to discuss their potential impact.METHODS: Analysis of ethicolegal requirements imposed by the GDPR.RESULTS: The GDPR makes the classification of pseudonymised data as personal data clearer, although it has not been entirely resolved. Biomedical research on personal data where consent has not been obtained must be of substantial public interest.CONCLUSIONS: The GDPR introduces protections for data subjects that aim for consistency across the EU. The proposed changes will make little impact on biomedical data research.

health care sciences & services,medical informatics

DOI: https://doi.org/10.1007/978-94-007-5170-5

2013-01-01

Abstract:On 25 January 2012, the European Commission presented its long awaited new “Data protection package”. With this proposal for a drastic revision of the data protection framework in Europe, it is fair to say that we are witnessing a rebirth of European data protection, and perhaps, its passage from an impulsive youth to a more mature state. Technology advances rapidly and mobile devices are significantly changing the landscape. Increasingly, we carry powerful, connected, devices, whose location and activities can be monitored by various stakeholders. Very powerful social network sites emerged in the first half of last decade, processing personal data of many millions of users.  Updating the regulatory framework was imminent and the presentation of the new package will initiate a period of intense debate in which the proposals will be thoroughly commented upon and criticized, and numerous amendments will undoubtedly be proposed.   This volume brings together some 19 chapters offering conceptual analyses, highlighting issues, proposing solutions, and discussing practices regarding privacy and data protection. In the first part of the book, conceptual analyses of concepts such as privacy and anonymity are provided. The second section focuses on the contrasted positions of digital natives and ageing users in the information society. The third section provides four chapters on privacy by design, including discussions on roadmapping and concrete techniques. The fourth section is devoted to surveillance and profiling, with illustrations from the domain of smart metering, self-surveillance and the benefits and risks of profiling. The book concludes with case studies pertaining to communicating privacy in organisations, the fate of a data protection supervisor in one of the EU member states and data protection in social network sites and online media.

Antonia Vlahou,Dara Hallinan,Rolf Apweiler,Angel Argiles,Joachim Beige,Ariela Benigni,Rainer Bischoff,Peter C Black,Franziska Boehm,Jocelyn Céraline,George P Chrousos,Christian Delles,Pieter Evenepoel,Ivo Fridolin,Griet Glorieux,Alain J van Gool,Isabel Heidegger,John P A Ioannidis,Joachim Jankowski,Vera Jankowski,Carmen Jeronimo,Ashish M Kamat,Rosalinde Masereeuw,Gert Mayer,Harald Mischak,Alberto Ortiz,Giuseppe Remuzzi,Peter Rossing,Joost P Schanstra,Bernd J Schmitz-Dräger,Goce Spasovski,Jan A Staessen,Dimitrios Stamatialis,Peter Stenvinkel,Christoph Wanner,Stephen B Williams,Faiez Zannad,Carmine Zoccali,Raymond Vanholder

DOI: https://doi.org/10.1161/HYPERTENSIONAHA.120.16340

IF: 9.8968

Hypertension

Abstract:The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Alex Bowyer,Jack Holt,Josephine Go Jefferies,Rob Wilson,David Kirk,Jan David Smeddinck

DOI: https://doi.org/10.1145/3491102.3501947

2022-03-10

Abstract:In our data-centric world, most services rely on collecting and using personal data. The EU's General Data Protection Regulation (GDPR) aims to enhance individuals' control over their data, but its practical impact is not well understood. We present a 10-participant study, where each participant filed 4-5 data access requests. Through interviews accompanying these requests and discussions scrutinising returned data, it appears that GDPR falls short of its goals due to non-compliance and low-quality responses. Participants found their hopes to understand providers' data practices or harness their own data unmet. This causes increased distrust without any subjective improvement in power, although more transparent providers do earn greater trust. We propose designing more effective, data-inclusive and open policies and data access systems to improve both customer relations and individual agency, and also that wider public use of GDPR rights could help with delivering accountability and motivating providers to improve data practices.

Human-Computer Interaction

Alexander Bernier,Fruzsina Molnár-Gábor,Bartha M Knoppers,Pascal Borry,Priscilla M D G Cesar,Thijs Devriendt,Melanie Goisauf,Madeleine Murtagh,Pilar Nicolás Jiménez,Mikel Recuero,Emmanuelle Rial-Sebbag,Mahsa Shabani,Rebecca C Wilson,Davide Zaccagnini,Lauren Maxwell

DOI: https://doi.org/10.1038/s41431-023-01403-y

Abstract:The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.

Seun Solomon Bakare,Adekunle Oyeyemi Adeniyi,Chidiogo Uzoamaka Akpuokwe,Nkechi Emmanuella Eneh

DOI: https://doi.org/10.51594/csitrj.v5i3.859

2024-03-09

Computer Science & IT Research Journal

Abstract:This Review provides an overview of the comparative review of data privacy laws and compliance, focusing on the European Union's General Data Protection Regulation (EU GDPR) and data protection regulations in the United States. The analysis explores key similarities and differences, emphasizing their implications for businesses and individuals. The EU GDPR, implemented in 2018, stands as a landmark regulation governing data protection and privacy for individuals within the European Union and the European Economic Area. In contrast, the United States lacks a comprehensive federal data privacy law. Instead, it relies on a patchwork of sector-specific laws and state regulations, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA). One major distinction lies in the overarching principles of these regulations. The EU GDPR adopts a comprehensive and rights-based approach, emphasizing individual rights to privacy, data portability, and the "right to be forgotten." In contrast, the U.S. system often focuses on specific industries or types of data, leading to a more fragmented regulatory landscape. Both regulatory frameworks incorporate principles of transparency, consent, and data breach notification. However, differences in enforcement mechanisms and penalties exist. The EU GDPR imposes significant fines for non-compliance, reaching up to 4% of a company's global annual revenue. In the U.S., penalties vary by state, and enforcement is often reactive, triggered by data breaches. Businesses operating globally must navigate these distinct regulatory landscapes, necessitating a nuanced approach to data privacy compliance. Multinational corporations must adhere to the more stringent requirements when handling EU citizens' data while also considering the diverse regulations within the U.S. This review underscores the ongoing evolution of data privacy laws worldwide and the critical importance for organizations to stay abreast of these developments. It emphasizes the need for a proactive and adaptive approach to data privacy compliance, taking into account the unique requirements and expectations of both the EU GDPR and U.S. regulations. Keywords: Data Privacy, Laws, Compliance, EU GDPR, Regulations.

Gerard Buckley,Tristan Caulfield,Ingolf Becker

DOI: https://doi.org/10.48550/arXiv.2110.11905

2021-10-22

Computers and Society

Abstract:The General Data Protection Regulation (GDPR) came into effect in May 2018 and is designed to safeguard EU citizens' data privacy. The benefits of the regulation to consumers' rights and to regulators' powers are well known. The benefits to regulated businesses are less obvious and under-researched. The aim of this study is to investigate if GDPR is all pain and no gain for business. Using semi-structured interviews, we survey 14 C-level executives responsible for business, finance, marketing, legal and technology drawn from six small, medium and large companies in the UK and Ireland. We find the threat of fines has focused the corporate mind and made business more privacy aware. Organisationally, it has created new power bases within companies to advocate GDPR. It has forced companies, in varying degrees, to modernise their platforms and indirectly benefited them with better risk management processes, information security infrastructure and up to date customer databases. Compliance, for some, is used as a reputational signal of trustworthiness. We find many implementation challenges remain. New business development and intra-company communication is more constrained. Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and ex-employees weaponise Subject Access Requests (SAR) as a tool of retaliation. Small businesses see GDPR as overkill and overwhelming. We conclude GDPR may be regarded as a pain by business but it has made it more careful with data. We recommend the EU consider tailoring a version of the regulation that is better suited to SMEs and modifying the messaging to be more positive whilst still exploiting news of fines to reinforce corporate data discipline.

Bocong Yuan,Jiannan Li

DOI: https://doi.org/10.3390/ijerph16061070

IF: 4.614

2019-03-25

International Journal of Environmental Research and Public Health

Abstract:The rapid development of digital health poses a critical challenge to the personal health data protection of patients. The European Union General Data Protection Regulation (EU GDPR) works in this context; it was passed in April 2016 and came into force in May 2018 across the European Union. This study is the first attempt to test the effectiveness of this legal reform for personal health data protection. Using the difference-in-difference (DID) approach, this study empirically examines the policy influence of the GDPR on the financial performance of hospitals across the European Union. Results show that hospitals with the digital health service suffered from financial distress after the GDPR was published in 2016. This reveals that during the transition period (2016–2018), hospitals across the European Union indeed made costly adjustments to meet the requirements of personal health data protection introduced by this new regulation, and thus inevitably suffered a policy shock to their financial performance in the short term. The implementation of GDPR may have achieved preliminary success.

public, environmental & occupational health,environmental sciences