Skip to main content
RISE logo

Have companies been interpreting GDPR too strictly?

Ever since GDPR entered into force in May 2018, surfing the internet has involved even more pop-up notices and constant approvals. Some services, too, such as telephone directories, have lost many of their functions. We’ve even seen examples of school photography sessions being cancelled with reference to GDPR. In all likelihood, this wasn’t the intention of legislators. We leave ourselves asking, if all of these measures are actually necessary?

“We’ve noticed many examples of how things have become out of balance, with organisations opting for a stricter interpretation than what GDPR ever intended, ending in a solution that is suboptimal for everyone involved,” says Håkan Cavenius, Project Manager for the Vinnova-funded project, Sjyst Data!.

It is a project that has been ongoing since 2017 to investigate how both companies and end users have adapted to, and been impacted by, GDPR along with understanding the intentions of the legislation and how to best implement it.

Misunderstandings and errors

Data collection takes place essentially everywhere and at all times. Large quantities of high-quality data are also fundamental to competitiveness, achievement and innovation in many areas. Increasingly higher requirements on security and privacy are also necessary with the ever-increasing amount of data being processed. If organisations lack the structures and expertise required, there is a risk that the protection they offer will be inadequate. But Håkan Cavenius has noticed that the opposite can also be true, with companies and authorities refraining from developing new, improved services due to constraints they have interpreted from the legislation.

“We’ve noticed that the misconceptions abound as to what is actually required by GDPR. One, for example, is that it is entirely forbidden to process the personal data or that consent is always the most appropriate basis for collection. There is a risk that such strict interpretation throws a wrench into the gears of innovation in our data-driven society. The legislation was certainly not intended to make digital services less efficient. Quite the contrary. Better data protection is aimed at better safety, security and functionality,” he says.


Det finns alltjämt ett stort behov av kunskap och ett intresse för frågor rörande GDPR

Users tend to be critical of data collection

When asked, users tend to be critical of data collection, particularly when it is collected for commercial purposes. It’s a dilemma, because there is enormous potential for developing new, improved services based on user-generated data. Håkan Cavenius also believes that a possible solution is for companies to increase their level of transparency. He also thinks that data protection and GDPR need to be integrated into the design phase of a service. Doing so would increase user confidence.

“One of the projects we’ve looked as is called Legal Design. It has incorporated legal aspects in a more customer-oriented way, right from the earliest phases of designing a service. This can ensure that data protection becomes better integrated into services than what we see today. Over time, it can help increase user confidence and enhance the competitiveness of serious service suppliers,” he says.

Possible ways forward

The project has involved investigating possibilities for creating a certification process that companies could use, whereby adherence to guidelines and routines would allow them to put a quality stamp or mark on the service they offer. It would also help guide consumers in their selection of digital services. Efforts have also been focused on looking for other ways to develop the project and get more participants involved, e.g. via a data protection lab.

“Even though many companies and organisations have felt like the implementation of GDPR has been a torturous process, there is nevertheless a huge need for knowledge and interest in issues having to do with GDPR and data protection. These matters will continue to be of great importance to societal development as well. We also still need clearer guidelines and better support for companies. They, in turn, need to become more transparent on how they collect data,” says Håkan Cavenius.


Håkan Cavenius

Contact person

Håkan Cavenius

Forskare

+46 10 228 41 88
hakan.cavenius@ri.se

Read more about Håkan