Journal of Multi Business Model Innovation and Technology

Vol: 4    Issue: 3

Published In:   September 2016

GDPR Regulation Impact on Different Business Models and Businesses

Article No: 4    Page: 241-254    doi: https://doi.org/10.13052/jmbmit2245-456X.434    


Peter Lindgren

Department of Business Development and Technology, Aarhus University, Herning, 7400, Denmark

E-mail: peterli@btech.au.dk

Received 15 January 2018; Accepted 15 May 2018;
Publication 22 June 2018

Abstract

The new GDPR regulation causes several business-economic and customer-service challenges for different businesses in different business model ecosystems. The paper addresses 3 different business case examples out of 11 cases, and shows and discusses some of the challenges and business model impacts related to the European GDPR regulation. 3 research questions are discussed on the basis of our empirical data collected in the case materials: Will the GDPR influence, and if so where, the relations part of BMs and the relations between BMs? Will GDPR influence the ability of businesses to do OBM and OBMI, which have had much research attention lately? Will the GDPR influence the generic construction of the BM, and will the new GDPR influence future incremental and/or radical BMI?

Keywords

  • GDPR
  • Open Business Model Innovation
  • Multi Business Model Innovation

1 Introduction

To introduce the challenge of The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and to be able to discuss the different impacts to businesses and their business models we begin with a short update on the regulations, which we found available in the literature.

GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU [1]. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995. The regulation was adopted on 27 April 2016 and will be applied from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments [3].

The GDPR regulation extends the scope of the EU data protection law to all foreign businesses processing data of EU residents. It provides a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European businesses to comply with these regulations. However, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover for businesses [4]. The Parliament’s version, however, contains increased fines of up to 5% [5, 6].

The regulation applies if the data controller (businesses that collect data from EU residents) or processor (businesses that process data on behalf of the data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the GDPR also applies to businesses based outside the European Union if they collect or process personal data of EU residents. According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. This means that it is both data registered B2C, B2B and G2C. It can more specific be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, behavior or a computer’s IP address” [7].

The notice requirements remain and are expanded. They must include the retention time for personal data, and contact information for the data controller and the data protection officer has to be provided.

Automated individual decision-making, including profiling (Article 22) is made contestable. Citizens now have the right to question and fight decisions that affect them that have been made on a purely algorithmic basis.

In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures that meet the principles of data protection by design and data protection by default. Privacy by Design and by Default (Article 25) requires that data protection measures are designed into the development of business value proposition processes for products, services and processes of products and services [16]. Such measures include pseudonymising personal data, by the controller, as soon as possible (Recital 78).

It is the responsibility and liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities, even if the processing is carried out by a data processor on behalf of the controller (Recital 74).

Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and prior approval of the Data Protection Authorities (DPA) is required for high risks. Data Protection Officers (Articles 37–39) are to ensure compliance within businesses. They have to be appointed:

  • for all public authorities, except for courts acting in their judicial capacity;
  • if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10 [8].

The GDPR also refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible and the process cannot be reversed without access to the right decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymised data. Pseudonymisation is recommended to reduce the risks to the concerned data subjects and also help controllers and processors to meet their data-protection obligations (Recital 28).

If the personal data is pseudonymised with adequate internal policies and measures by the data controller, then it is considered to be effectively anonymized, and not subject to controls and penalties of the GDPR. Example measures would include pseudonymizing the data as soon as possible (Recital 78), encrypting the data locally, and keeping the decryption keys separately from the encrypted data [9].
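The separation described in the two paragraphs above, sketched as an added example that is not part of the original article. It uses a keyed HMAC-SHA256 from the Python standard library in place of encryption, holds the key and the re-identification table in a separate custodian object, and checks the working data for identifiers that survive in free text; the field names, class names and CRM records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Direct identifiers in this constructed CRM schema (assumed field names).
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records; not data from the article's cases.
SAMPLE_CRM = [
    {"name": "Ann Berg", "email": "ann.berg@example.org",
     "last_order": "2018-03-02", "notes": "Call Ann Berg before 10:00"},
    {"name": "Ann Berg", "email": "Ann.Berg@Example.org ",
     "last_order": "2018-04-17", "notes": ""},
    {"name": "Bo Holm", "email": "bo@example.org",
     "last_order": "2018-04-20", "notes": "Prefers e-mail invoices"},
]


def _normalise(value):
    """Trim and lowercase so spelling variants of one person map together."""
    return str(value).strip().lower()


class KeyCustodian:
    """Holds the 'additional information': the secret key and the
    pseudonym -> identity table. In a real deployment this would sit in a
    separate system with its own access control (assumption of this sketch)."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._identities = {}

    def pseudonym_for(self, record):
        if self._key is None:
            raise RuntimeError("key destroyed; no new pseudonyms can be issued")
        material = "|".join(_normalise(record[f]) for f in DIRECT_IDENTIFIERS)
        digest = hmac.new(self._key, material.encode("utf-8"), hashlib.sha256)
        tag = digest.hexdigest()[:32]
        # Only the custodian can map the tag back to a person.
        self._identities[tag] = {f: str(record[f]).strip()
                                 for f in DIRECT_IDENTIFIERS}
        return tag

    def reidentify(self, pseudonym):
        """Return the identity behind a pseudonym, or None if unknown."""
        return self._identities.get(pseudonym)

    def destroy(self):
        """Discard key and table; existing pseudonyms can no longer be resolved."""
        self._key = None
        self._identities.clear()


def pseudonymise(records, custodian):
    """Return working copies with direct identifiers replaced by a subject_id."""
    rows = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = custodian.pseudonym_for(rec)
        rows.append(row)
    return rows


def leaked_identifiers(rows, originals):
    """List (row index, field) pairs where an original identifier value
    still appears in the pseudonymised data, e.g. inside free-text notes."""
    values = {_normalise(r[f]) for r in originals for f in DIRECT_IDENTIFIERS}
    hits = []
    for i, row in enumerate(rows):
        for field, content in row.items():
            text = _normalise(content)
            if any(v in text for v in values):
                hits.append((i, field))
    return hits


if __name__ == "__main__":
    custodian = KeyCustodian()
    working = pseudonymise(SAMPLE_CRM, custodian)
    for row in working:
        print(row)
    print("identifier leaks:", leaked_identifiers(working, SAMPLE_CRM))
```

The same person receives the same `subject_id` across records, so the working data stays usable for follow-up and statistics, while the free-text `notes` field is flagged because it still carries a name.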

The following sanctions can be imposed:

  • a warning in writing in cases of first and non-intentional non-compliance;
  • regular periodic data protection audits;
  • a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4 [10]);
  • a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 and 6 [10]).

A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014 [11, 12]. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including non-compliance with Article 6.1 (lawfulness), which includes a case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

The above-mentioned GDPR requirements form new requirements for businesses’ “AS IS” BMs (already operative BMs) and “TO BE” BMs (BMs under innovation) and were implemented by 1st of June 2018.

2 Business and Business Models

Discussing the economic impact of GDPR on businesses requires an answer to the question: what is a business and what is a business model?

Today, the term ‘business model’ is everyday language for everybody in business and among business model academics. Even national governments, the EU Commission and the US government use the term Business Model. The increased awareness of BMs [17–20] has intensified the search for a generic business model language. However, with increased use and research of BMs, the fuzziness about how the BM really is constructed has increased even more.

The focus on being first with a generic and commonly accepted BM language has increased drastically in recent years [20, 21]. The emphasis on the BM’s dimensions has been the topic of many academic papers and works [20, 21]. Many have been focusing on the question of how many dimensions the BM really consists of. Some propose 4, while others propose 6, 7, 9 and 12 dimensions. This raises the question of how a business model is really constructed and whether we will ever be able to find the generic dimensions and construction of the BM. Further, can we distinguish one BM’s construction from another BM’s, or are they really built around the same generic dimensions? In this context we need some further clarification to be able to point to where the GDPR will have an impact, business-wise and economically, on businesses’ BMs.

These questions therefore imply the increasing importance of thoroughly knowing and finding the dimensions of the BM. This question is also related to another question of when we can talk about a new BM – an incremental and/or radical change of a BM [21] – and whether that influences the generic construction of the BM. In other terms, will the new GDPR further influence future BMI?

The focus is therefore firstly and primarily on the dimensions and construction of any BM, although this is no longer deemed sufficient to cover the whole BM theory framework as it is just one focus of many – a fragmented part of the whole business model environment, research and discussion. Today, the focus of the BM seems to be changing towards a more holistic BM discussion taking in the BM’s relations to other BMs and the BM’s environment – leaving the basic BM dimensions and constructions behind. Again, in other words: will the GDPR influence, and if so where, the relations part of BMs and the relations between BMs?

The focus on Open Business Models (OBM) [22] and the innovation of BMs seems to be very important here, because the question is whether GDPR will influence the ability of businesses to do OBM and OBMI, which have had much research attention lately.

In an ever-changing and increasingly competitive global Business Model Ecosystem (BMES) [23], which is a result of the ongoing process of globalization and business model change, Chesbrough [22] emphasizes the need for even more BMIs, including developing open and different business models. However, how can a business follow this advice “without knowing” the basic construction and data of the BM? As the basis of any BM discussion, we propose that any BMI must begin by understanding and defining its approach to a BM and the generic construction of its BMs – in our sense, what we call the dimensions of their BMs.

In our study of this topic, we began already back in 2011 “bridging” different BM frameworks from different business model frameworks to the Business Model CUBE concept [16], and the Business Model Cube concept was adopted as an OMG standard in 2013.

In this context we found, on the basis of our research, that it was necessary to increase Abell’s original business model dimensions [24] from 3 to 7 dimensions and add some lacking BM dimensions to his dimensions. Further, we could not verify in our research that a BM consists of fewer or more than 7 dimensions. Therefore we also had to increase Hagemann, Johnson and Christensen’s 4 element framework with 3 BM dimensions and reduce Osterwalder’s 9 BM building blocks to 7 BM dimensions. After a long test period, where we tested the BM Cube framework in more than 400 businesses, we had to conclude that the core business model’s 7 dimensions could be verified in all BM cases and refer to: “How a business wants to construct and intends to operate its “main” and “essential” business related to the seven business model dimensions – value proposition, user and/or customer groups, value chain functions [internal functions], competence, network, relations and value formula.” Further, the Business Model refers to: “How a certain business model in the business is constructed and actually operates - “AS IS” BM – or is intended to be constructed – “TO BE” BM related to the seven BM dimensions – value proposition, user and/or customer, value chain [internal functions], competence, network, relations and value formula”.

However, in our research, we found that most businesses do not stick strictly to their core business and to how they want their Business Model to look and be. They have in fact a variety and a mix of BMs with different value propositions, users and customers, value chains with different functions, competences, networks, relations and value formulas. In particular we found that there can be very different cultures in different BMs, both inside the business and between its related business models (suppliers’ and customers’ BMs, for example). We found that one set of BM dimensions does not fit all business models, markets, industries and worlds – or what we call Business Model Ecosystems (BMES) [23]. This mix of dimensions – which we classify as different business models – exists and coexists within the core business – what we call BMs inside the business – but also exists and coexists outside the business. Individual BMs are not necessarily aligned strictly to the core business model and the seven BM dimensions. All of them have their own specific seven BM dimensions.

We argue therefore that a business’s different business models cannot be explained by just one business model – “the core business model” – but are better explained by more and different business models – however, still each with seven generic dimensions, but each with different characteristics on one or more dimensions. That probably means that the implementation of GDPR will influence one BM differently from another, one BM dimension differently from another and one BMES differently from another.

3 Research Methodology and Approach

The data for the paper was gathered in 2015–2018 through interviews, email correspondence and observations at physical meetings. Further data material was made available to the researcher so that we could see and go through the material.

The research was established as case research, and 3 out of 11 cases are presented in the paper. Cases are referred to anonymously, as we are not yet allowed to publish names openly.

4 Research Questions

On the basis of the above, we try in this paper to answer 3 research questions using our empirical data collected in the case materials:

Will the GDPR influence, and if so where, the relations part of BMs and the relations between BMs?

Will GDPR influence the ability for businesses to do OBM and OBMI, which have had much research attention lately?

Will the GDPR influence the generic construction of the BM and will the new GDPR influence future incremental and/or radical BMI?

5 Case – ABM – B2B – Wholesaler

The ABM business is a very large wholesaler within the building construction line of business. It is a B2B wholesaler that previously had a very advanced CRM system with a lot of data on its business partners – a very core competence in the business – and that, due to the new GDPR regulation, is met with a requirement to delete personal data registrations. These registrations were previously used to give better customer service, improve customer meetings, ensure timely follow-up by sales people to prevent wasting customers’ time, provide higher quality of service and information from sales and production towards the customers, and transfer knowledge of the customer to new sales employees and the marketing department. The business was also interested in B2B supplier information related to getting better procurement agreements. This information previously gave the business a very large advantage and was stored in a kind of CRM system that, due to the new GDPR regulation, was met with strict regulations and requirements of data erasure after certain time limits.

The GDPR regulation does not concern the processing of information that is deemed anonymous, including for statistical or research purposes. However, it leaves the business, its departments and its employees with an increased workload to ensure that data are erased and that old data are not filed but erased. A general procedure has been sent out by the business’s central administration, but it is very difficult to control that all departments and employees follow the rules. Therefore the business has made a strong communication effort to all employees and has further informed them that any breach of the business’s data protection rules can have consequences for heads of department and employees. This has made all heads of department take this new regulation very seriously, and they have put much effort into meeting it. However, many feel that the regulation is not convenient or efficient for the business in terms of resources.

6 Case 2 – AMN B2C – Retailer Business

A B2B retailer in the pharmacy line of business was not particularly aware of the new GDPR regulation. In the business they had previously registered in their database system – equal to a CRM system – the habits, preferences and requirements of their users and customers, which helped them to

  • give better user and customer service
  • prevent customer complaints at the desk

when servicing customers during the sales process. Especially elderly people, disabled people and people with specific diseases and special needs for medicine benefited from this registered knowledge at the medicine shop. AMN often felt high pressure on expeditions, as the number of opening hours was diminished to save cost, demands on productivity, especially on employees, were continuously increased, and users and customers were increasingly asking for more, new and better customer service. Further, several of the users and customers were becoming more and more impatient – a general trend seen in the retail line of business. It was therefore of the utmost importance that the employees were well educated, well trained in customer service and well prepared for customers’ demands and special demands that could be difficult to handle. This was previously handled by data registration, employee training and individual “special customer knowledge”. Lately some episodes had occurred which had caused unhappy and stressed employees. AMN feared this.

The GDPR is expected to influence AMN’s value proposition dimension – especially the service dimension and the value proposition process towards their users and customers. More value chain functions have to be carried out, and it is expected that user and customer satisfaction will decrease. The competence dimension – especially the human resources, organizational system and culture in the different business models – would definitely be influenced by the GDPR regulation. Further, it is expected that the cost in the business will increase due to the GDPR regulation.

7 Case 3 – ABO – G2C Research/Education Business

A business in the research and education line of business had, as a service and BMI project, tried to tailor its teaching and education environment to the students in the institution. The institution had in some cases experienced that a smaller student group was leaving the institution more than other student groups, and some because they felt that they did not receive the value propositions they had expected. The institution had for some years made a competence profile mapping of each student to help form groups and to help understand its users’ needs and competences better. They used a competence profile system developed by a software business that hosted the data on a secure host – tailor-made for the purpose.

By 1st of June 2018 these data had to be deleted, and all data from previous years had to be erased, due to the new GDPR regulation. The supplier was informed by the management of ABO to take this action. This was expected to prevent the institution from continuing improvement and continuous innovation of the studies and study environment, together with preventing it from learning, measuring and following up on specific actions on a long-term scale.

8 Discussion and Reflection

The new GDPR gives rise to much discussion and controversy in many businesses. Although thousands of amendments have been proposed, the single set of rules and the removal of administrative requirements were supposed to save money. However, we clearly found in our research that the businesses had realized increasing cost due to more procedures: more value chain functions to be carried out, more technology and software to be bought, more hours spent by HR to live up to the necessary GDPR requests, and changes in organizational procedures and structures together with the implementation of a new culture. Further, several of the employees, and managers especially, were frightened of the consequences – large fines – if the GDPR procedures etc. were not followed. Further, the GDPR regulation created a kind of irritation and negative motivation at being requested to do more procedures. Managers and employees felt it as extra friction to the business and its business models – especially on the value chain function dimensions.

The biggest challenge for businesses might be the implementation of the GDPR in practice – especially for small and medium-sized businesses. The implementation of the GDPR requires comprehensive changes to business practice – especially for businesses that had not implemented a comparable level of privacy before the regulation.

Several of the businesses had, as of today, a lack of privacy experts and of knowledge of the new requirements on private data protection and handling. Therefore there was, in several of the businesses studied, a strong need for education in data protection and privacy. However, many of the businesses did not have extra resources to use on this issue – although they saw it as a critical factor for meeting the new GDPR demands.

Different interpretation of the GDPR regulation inside the businesses (managers and employees) and outside the businesses (customers, network partners etc.) leads to very different levels of GDPR solutions and privacy handling.

Several other issues and challenges also arise related to the Business and Business Model perspective.

In a time perspective, it is now difficult or much more difficult to follow a BM and BMI project with all data storage inside the business over a long time period. Of course the business can anonymize the data – but in several cases this is not appropriate.

In the value proposition perspective, service and process in particular, together with users and customers, become more difficult to handle and carry out.

Customer complaints can be more difficult to prevent and handle, because “the knowledge” around a user and customer can no longer be stored or becomes more difficult to access.

GDPR is definitely going to influence the ability of businesses to do OBM and OBMI. More businesses will be reluctant to open their business to other businesses – due to security issues related to GDPR. More businesses will be reluctant or restrictive in using user and customer data – the latest Facebook case shows what the consequences of using data and sharing data with customers and network partners can be.

OBMI is expected to be reduced because data cannot, or is not allowed to, flow as openly as before the GDPR regulation was implemented. Businesses have to use and invest in secure systems for their OBMI, and this will cause friction and less agility in BMI. That is why many businesses are looking for a secure and trustworthy system to do BMI on – however, this has to come in the near future.

9 Conclusion

On the basis of the above, we tried to answer 3 research questions using our empirical data collected in the case materials.

We found that the GDPR, as expected and also empirically verified, will have an impact especially on the following BM dimensions: value proposition – specifically user and customer service, in some cases reduced customer service; value chain functions – an increased number of value chain functions has to be carried out; and value formula – because cost will increase, as increasing data protection cost has to be included in the value formula. Also the relations part – both tangible and intangible relations – has to be increased, which will cause and has already caused friction and slower business model operations. The number of relations to other BMs will in some cases increase because several businesses will be responsible for suppliers and customers sticking to the GDPR regulation – a new tangible or intangible control system has to be established. Some of the businesses we studied tried to solve these increasing procedures via the support of ICT. However, a secure and trustworthy system is still a BMI to come.

GDPR will definitely influence the ability of businesses to do OBM and OBMI, because more businesses will be reluctant to open their business to other businesses – due to data security issues. Also, OBMI will be reduced because data cannot flow as openly and flexibly as before the regulation.

The GDPR will not influence the generic construction of the BM as such but will and BMI component – by increasing the numbers of data related components in the business models dimensions. From the cases we studied it is not possible to answer the question of whether GDPR will influence future incremental and/or radical BMI. However, it seems as if GDPR will push towards more incremental BMI, as radical BMI often does not take GDPR procedures into consideration and will include very high risk – please see the regulation’s proposed fines [12]. Also, it will be more difficult to access private data – especially from a long-term and process-based perspective.

We therefore expect, on the basis of our empirical studies, that GDPR implementation will probably influence one BM very differently from another, one BM dimension very differently from another and one BMES very differently from another.

10 Further research

The research group intends to continue the investigation of the GDPR impact. At the moment we are investigating more cases to find solutions that prevent BMI from becoming slow and keep BMI at a high speed.

References

[1] http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf

[2] “Directive 95/46/EC”

[3] Blackmer, W. S. (2016). GDPR: Getting Ready for the New EU General Data Protection Regulation. Information Law Group, InfoLawGroup LLP, Retrieved, 22(08), 2016.

[4] New draft European data protection regime. m law group. Retrieved 3 January 2013.

[5] Albrecht Jan Philipp “Inofficial consolidated version GDPR”. Retrieved 9 December 2013.

[6] Article 83 of The Council’s first reading after the trilogue sets maximum fines to be the highest of 4% of global turnover and 20 million Euro. The Commission adopted the views of the Council’s document 11 April 2016, see COM/2016/214/FINAL and ST 5419 2016 ADD 1 – 2012/011 (OLP).

[7] European Commission’s press release announcing the proposed comprehensive reform of data protection rules. 25 January 2012. Retrieved 3 January 2013.

[8] EUR-Lex – Art. 37. eur-lex.europa.eu. Retrieved 2017-01-23

[9] “Privacy and Data Protection by Design – ENISA”. www.enisa.europa.eu. Retrieved 2017-04-04.

[10] Article 83, GDPR.

[11] Baldry, Tony; Hyams, Oliver. “The Right to Be Forgotten”. 1 Essex Court.

[12] “European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”. European Parliament.

[13] Overview of amendments. LobbyPlag. Retrieved 23 July 2013.

[14] Guidelines on Data Protection Officers (PDF). Retrieved 23 January 2017

[15] Irion, K., Yakovleva, S., and Bartl, M. (2016). Trade and Privacy: Complicated Bedfellows? How to achieve data protection-proof free trade agreements.

[16] Lindgren, P., and Rasmussen, O. H. (2013). The business model cube. Journal of Multi Business Model Innovation and Technology, 1(3), 135–180.

[17] Zott, C., Amit, R., and Massa, L. (2010). The business model: Theoretical roots, recent developments, and future research. IESE business school-University of Navarra, 1–43.

[18] Teece, D. J. (2010). Business models, business strategy and innovation. Long range planning, 43(2–3), 172–194.

[19] Casadesus-Masanell, R., and Ricart, J. E. (2010). From strategy to business models and onto tactics. Long range planning, 43(2–3), 195–215.

[20] Krcmar, H. (2011). Business model research: State of the art and research agenda. Bericht, TU München, München.

[21] Fielt, E. (2013). Conceptualising business models: Definitions, frameworks and classifications. Journal of Business Models, 1(1), 85.

[22] Chesbrough, H. (2007). Open Business Models How to Thrive in the New Innovation Landscape. Harvard Business School.

[23] Lindgren (2016). The Business Model Ecosystem. Journal of Multi Business Model Innovation and Technology. River Publishers.

[24] Abell, D. F. (1980). Defining the business: The starting point of strategic planning. Prentice Hall.

Biography

Peter Lindgren holds a full Professorship in Multi business model and Technology innovation at Aarhus University, Denmark – Business development and technology innovation and is Vice President of CTIF Global Capsule (CGC). He has researched and worked with network based high speed innovation since 2000. He has been head of Studies for Master in Engineering – Business Development and Technology at Aarhus University from 2014–2016. He has been researcher at Politechnico di Milano in Italy (2002/03), Stanford University, USA (2010/11), University Tor Vergata, Italy (2016/2017) and has in the time period 2007–2011 been the founder and Center Manager of International Center for Innovation www.ici.aau.dk at Aalborg University, founder of the MBIT research group and lab – http://btech.au.dk/forskning/mbit/ – and is cofounder of CTIF Global Capsule – www.ctifglobalcapsule.com. He works today as researcher in many different multi business model and technology innovations projects and knowledge networks among others E100 – http://www.entovation.com/kleadmap/, Stanford University project Peace Innovation Lab http://captology.stanford.edu/projects/peace-innovation.html, The Nordic Women in business project – www.womeninbusiness.dk/, The Center for TeleInFrastruktur (CTIF) at Aalborg University www.ctif.aau.dk, EU FP7 project about “multi business model innovation in the clouds” – www.Neffics.eu, EU Kask project – www.Biogas2020.se. He is the author of several articles and books about business model innovation in networks and Emerging Business Models. He has an entrepreneurial and interdisciplinary approach to research.

His research interests are multi business model and technology innovation in interdisciplinary networks, multi business model typologies, sensing and persuasive business models.
