The digital era is characterized by near-frictionless conversion of data into dollars—absent regulatory intervention, that is.
Privacy laws such as the European Union’s General Data Protection Regulation (GDPR) restrict corporations’ use of personal information. Nonetheless, Steven Maex, assistant professor of accounting at the Costello College of Business at George Mason University and a Unanet Corporate Partner Faculty Fellow, says that “privacy regulations such as GDPR can also spur firms to make improvements that will have wider consequences, including some potential benefits.”
Maex’s award-winning dissertation, which was turned into a recently published paper for The Accounting Review, delves into the short-term effects of GDPR on U.S.-based firms affected by the regulation, i.e., those processing the personal data of individuals located in the EU.
Utilizing over 28,000 firm-year observations over the eight-year period around GDPR’s adoption in 2016, Maex was able to track how GDPR-exposed companies responded to the new legislation. First and foremost, these firms appeared to improve their internal information quality (IIQ), or the accuracy, timeliness, and reliability of information used within the organization. IIQ is widely recognized as a key contributor to managerial decision-making and a natural consequence of the “information governance” processes the regulation encourages.
As an example, Maex explains, “Organizations facing regulations such as GDPR frequently start with an information classification exercise. It is a significant undertaking that involves identifying and documenting their data—what is it and where does it live? Then they can begin to get a sense of the risks they might be exposed to. While such an effort can support compliance with the regulation, it also can allow the company to better control and extract value from its most important data assets.”
Because IIQ is inherently unobservable, Maex could not measure it directly. Instead, he used widely accepted proxies based on publicly available financial and internal control reports. Maex found that with the introduction of GDPR, affected companies showed improved IIQ, which in turn was associated with greater operational efficiency, or the ability of the company to channel its inputs into revenue. “A key factor in management’s ability to coordinate operations effectively,” Maex says, “is having better information to help them make decisions.”
While this benefit is notable, Maex points out that GDPR also comes with significant compliance burdens. “Costs come in two streams. There are upfront compliance investments—for example, mandates for the development and installation of new data management processes and roles. And then there are ongoing costs and compliance frictions that come from managing personal data under the new regulation.”
While these costs outweigh the benefits to efficiency flowing through the channel of improved IIQ in the first few years after the adoption of the regulation, he speculates that the cost-benefit dynamics may also evolve as the GDPR enters its second decade. “In my view, the investments in information governance made in response to GDPR should have beneficial consequences that build over time.”
Broadly, his research highlights the connection between privacy regulation and the processes and technologies that organizations employ to manage their information. As privacy regimes expand around the world, accountants have a potentially significant role to play in shaping organizations’ responses, according to Maex’s recent commentary in Journal of International Accounting Research (co-authored by Jayanthi Krishnan of Temple University).
“The skillsets of accountants in evaluating risks and controls over information have traditionally been focused on financial information,” Maex explains. “The privacy space, the AI space, these are all going to require new assurance mechanisms. It’s going to entail accountants blending what they have always done with a greater understanding of technology and its legal ramifications, and developing new service offerings that will help companies stay ahead of these new risks.”
As one example, accounting professionals are increasingly called upon to validate the internal controls of service providers, such as payroll processors and data hosting platforms. For that purpose, the American Institute of Certified Public Accountants has expanded its System and Organization Control (SOC) report suite to include offerings around data security, privacy, and confidentiality.
For Maex, all roads lead back to information governance at the meeting point of risk mitigation and data capitalization. “I expect that some of the firms that will be best at leveraging new trends in technology will be those that previously were forced to put some of these data and privacy controls in place,” he says.