A Comprehensive Perspective on Data Protection Practices in Organizations: Beyond Legal Considerations

Ine van Zeeland (imec-SMIT, Vrije Universiteit Brussel, Belgium) and Jo Pierson (imec-SMIT, Vrije Universiteit Brussel, Belgium)
DOI: 10.4018/978-1-5225-9489-5.ch012

Abstract

The aim of this chapter is to take readers beyond the prescriptions of the law to present them with a practical perspective on what happens when organizations try to protect personal data. This is based on the acknowledgement that different sectors of society will have different concerns when it comes to the protection of personal data and privacy. The various conceptions of privacy connect a wide variety of academic disciplines, from anthropology to urban planning. We need to understand that there are many different perspectives on what privacy signifies, and hence, that there are many different considerations regarding what to do to protect it.

Introduction

Several articles of the General Data Protection Regulation (GDPR) suggest a need for insights beyond the traditional legal skill set. For example, data protection officers and supervisory authorities are required to raise data protection awareness within organizations and the general public (articles 39(1) and 57(1)), and stakeholder consultations are advised for both data protection impact assessments and codes of conduct (article 35(9) and recital 99). In these and other instances, the GDPR calls for an interdisciplinary effort to support personal data protection in the practical reality of organizations.

The GDPR attends to interdisciplinarity in other ways as well, by acknowledging that different sectors of society will have specific concerns regarding the protection of personal data and privacy (e.g. in article 40(1)). Banks, for instance, have a centuries-long history in protecting secrecy and ensuring the security of personal information, while medical practitioners have been attentive to the intricacies of confidentiality and informed consent for millennia. Not only can this lead to sector-specific codes of conduct or collaboration, it can also promote inter-sectoral knowledge-sharing.

As Kagan et al. (2003) point out, “regulation might be viewed less as a system of hierarchically imposed, uniformly enforced rules than as a coordinative mechanism, routinely interacting with other sources of pressure […] such as markets, local and national environmental activists, and the culture of corporate management.” In the same way, the GDPR can be viewed as a coordinative mechanism that interacts with other factors to constitute the protection of personal data in practice. Insight into this ‘bigger picture’, a comprehensive view of factors influencing practical data protection, can be indispensable to lawmakers, policy makers, supervisory authorities, data protection officers and other stakeholders. Obtaining such insight is the third reason interdisciplinarity matters to data protection practices, as we will argue below: many academic disciplines have in fact paid attention to what happens in practice to protect personal data and we cannot overlook such findings.

The aim of this chapter is to take readers beyond the prescriptions of the GDPR to present an initial attempt at a framework that can provide a holistic perspective on what happens when organizations try to protect personal data. The question that is addressed is: How to go about constructing an interdisciplinary framework for the study of factors that influence personal data protection in practice?

The GDPR may be the ‘most sweeping’ trans-national legislation protecting personal data (Roberts, 2018), but it is certainly not the only influence on the way commercial, public, and civil society organizations handle informational privacy. As the ‘information society’ evolved into the ‘platform society’ (Van Dijck et al., 2018) and societal interest in the protection of personal data increased, researchers from various academic disciplines investigated what happens when different kinds of organizations are confronted with new data governance demands. To give a few examples:

  • Privacy economists have studied how internet users' perceptions of online data protection influence their behavior and how organizations can manipulate those perceptions (Acquisti & Grossklags, 2015).

  • Psychologists have studied how employee training influences compliance with information security policies (Parsons et al., 2014).

  • Scholars in media and communication studies and in management have studied how massive personal data-gathering gave rise to business models in which the audience and predictions of their behavior became the product (Van Dijck, 2013; Zuboff, 2019).

Several related terms have come up above: secrecy, confidentiality, informational privacy, personal data protection, information security. Some disambiguation therefore seems to be in order. We will briefly go into distinguishing the concepts of privacy protection and personal data protection, because within the European legal context the right to privacy is set apart from the right to the protection of personal data.
