Skip to main content

Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR)

Sirur, Sean, Nurse, Jason R. C., Webb, Helena (2018) Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR). In: International Workshop on Multimedia Privacy and Security (MPS) at the 25th ACM Conference on Computer and Communications Security (CCS). CCS Computer and Communications Security . pp. 88-95. ACM, New York, USA ISBN 978-1-4503-5988-7. (doi:10.1145/3267357.3267368) (KAR id:68765)

PDF Author's Accepted Manuscript
Language: English
Download (174kB) Preview
[thumbnail of 2018-CCS-MPS-snw-author-final.pdf]
This file may not be suitable for users of assistive technology.
Request an accessible format
Official URL


The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.

Item Type: Conference or workshop item (Paper)
DOI/Identification number: 10.1145/3267357.3267368
Uncontrolled keywords: Data protection, regulations, GDPR, privacy, compliance, cyber security, multimedia, business, SMEs/SMBs
Subjects: H Social Sciences > H Social Sciences (General)
K Law > K Law (General)
Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Divisions > Kent Business School - Division > Kent Business School (do not use)
Divisions > Division for the Study of Law, Society and Social Justice > Kent Law School
Depositing User: Jason Nurse
Date Deposited: 22 Aug 2018 11:08 UTC
Last Modified: 16 Feb 2021 13:57 UTC
Resource URI: (The current URI for this page, for reference purposes)
Nurse, Jason R. C.:
  • Depositors only (login required):


Downloads per month over past year