University of Oulu

Christina Tikkinen-Piri, Anna Rohunen, Jouni Markkula, EU General Data Protection Regulation: Changes and implications for personal data collecting companies, Computer Law & Security Review, Volume 34, Issue 1, 2018, Pages 134-153, ISSN 0267-3649,

EU general data protection regulation : changes and implications for personal data collecting companies

Saved in:
Author: Tikkinen-Piri, Christina1; Rohunen, Anna1; Markkula, Jouni1
Organizations: 1University of Oulu, Finland
Format: article
Version: accepted version
Access: open
Online Access: PDF Full Text (PDF, 0.7 MB)
Persistent link:
Language: English
Published: Elsevier, 2018
Publish Date: 2019-06-07


The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR’s coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR’s practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.

see all

Series: Computer law & security review
ISSN: 2212-473X
ISSN-E: 2212-4748
ISSN-L: 2212-473X
Volume: 34
Issue: 1
Pages: 134 - 153
DOI: 10.1016/j.clsr.2017.05.015
Type of Publication: A1 Journal article – refereed
Field of Science: 513 Law
113 Computer and information sciences
Funding: This research was financially supported by the Tauno Tönning Foundation and the Finnish Foundation for Technology Promotion.
Copyright information: © 2018. This manuscript version is made available under the CC-BY-NC-ND 4.0 license