As companies adapt their IT infrastructure to deal with new privacy regulations, they are coming up against a tradeoff between flexibility and efficiency. Highly integrated technologies facilitate the exchange and use of customer data. The problem is that these very interdependencies are an obstacle on the path toward compliance. Their efficiency has become a liability. That raises an interesting paradox. Can companies achieve competitive advantage by deploying less integrated technologies? To explore this, the authors of this article conducted a large-scale empirical study of 400 e-commerce firms to understand the implications of the tension between efficiency and flexibility on firm performance in response to GDPR. They found that firms that had built their websites for efficiency, electing tightly integrated services from closely linked suppliers, suffered disproportionately when GDPR came into force. In contrast, companies that deployed new combinations of technologies not extensively used before performed much better.
Europe has led the world in protecting consumers’ privacy. E-commerce companies catering to European customers had to comply with the European General Data Protection Regulation (GDPR) starting in May of 2018. Now, many states in the U.S. are adopting similar legislation. California’s Privacy Rights Act and Virginia’s Consumer Data Protection Act went into effect on January 1, 2023, while the Colorado and Connecticut Privacy Acts will become operative on July 1, 2023.
But as companies adapt their IT infrastructure to deal with new privacy regulations, they are coming up against a tradeoff between flexibility and efficiency. Highly integrated technologies facilitate the exchange and use of customer data. For example, e-commerce firms may rely on Google Analytics to track their customers’ behavior, and use Mailchimp for email marketing, which integrates easily with Google Analytics to analyze conversion rates of email marketing campaigns.
E-commerce companies have relied heavily on these highly interdependent technologies to make sure their websites ran efficiently. The problem is that these very interdependencies are an obstacle on the path toward compliance. Their efficiency has become a liability. That raises an interesting paradox. Can companies achieve competitive advantage by deploying less integrated technologies?
To explore this, we conducted a large-scale empirical study of 400 e-commerce firms to understand the implications of the tension between efficiency and flexibility on firm performance in response to GDPR.
When building a digital service like an e-commerce website, you can choose connected components, often from a small group of suppliers, that are commonly used together. This might make you more efficient in harnessing customer data. But you now have many strong interdependencies, and data sharing agreements with third parties, to consider when working towards compliance.
Unfortunately, tech firms that provide the software often struggle to ensure their own compliance and focus on optimizing their own performance during this transition, possibly at the expense of their users’ performance. For example, an EU-based firm that used YouTube and WordPress may have adopted Google Analytics to track its customers’ activity. The three components are interdependent, so the firm faced a more complex and costly adaptation to GDPR. Even though WordPress provides support on how to integrate Google Analytics, the firm would need to discover what GDPR meant for its WordPress website collecting data with Google Analytics. Moreover, the firm would need to ensure that any changes it implemented would not affect its ability to monitor video activity within Google Analytics. Producers such as Google took their time to adapt their components to ensure their own compliance, which generated additional uncertainty.
What would happen if instead of going with integrated technologies you rely on combinations of technologies from different suppliers that are not usually combined and don’t automate data sharing between each other? In our study, we found that firms that had built their websites for efficiency, electing tightly integrated services from closely linked suppliers, suffered disproportionately when GDPR came into force. In contrast, companies that deployed new combinations of technologies not extensively used before performed much better.
Our findings help address a larger set of questions at the heart of digital transformation. For example, should you source your backend from one supplier who promises optimal integration or create a flexible backbone that can accommodate an ecosystem of smaller, best-in-class services? Should you adopt a single platform, or app, for all your operations or allow every activity to have its own? These questions, like the question at the heart of our study, are different versions of the same underlying tension between efficiency and flexibility. In a stable world, designing for efficiency can give you an advantage, but as the environment gets more dynamic, flexibility becomes more and more critical.
As digital increases connection, interaction, and transaction, we find ourselves managing an increasing number of dependencies between our services, some of which we may not even realize exist. An e-commerce firm like Expedia can choose digital components from firms like Google and Meta. Expedia is affected not only by the interdependence between Google’s and Meta’s components but also by the interdependence between Google’s components and other components that Expedia has not chosen. Those interdependencies influence the functionality of Google’s components (e.g., whether Google Analytics can properly draw data from Shopify’s shopping cart solution), as well as Expedia’s options (e.g., whether Expedia could benefit from adopting Shopify).
In a stable environment, when everything is functioning well, these hidden linkages don’t seem relevant, but when companies need to adapt to a new environment, they can seriously compromise performance. And in a world in which new regulations are arriving at a rapid pace in response to growing concerns about the social consequences of digital technologies, flexibility can be as important as efficiency.
Rather than using well-known technology stacks — popular combinations of technologies that are often used together — a focus on recombination gave firms more flexibility in dealing with GDPR. For example, firms may choose a mix of proprietary and open-source technologies to reduce the number of interdependencies they need to consider. Instead of using a common set of technologies such as WordPress, Google Analytics, and Marketo, a firm replacing Google Analytics with the open-source analytics platform Matomo may face fewer complexities in its adaptation. By drawing solutions from different technology stacks, firms had developed experience with different types of services and suppliers, allowing them to switch between digital solutions while staying compliant with GDPR as needed.
By focusing their data strategy on flexibility and using loosely integrated sets of technologies, firms in the U.S. may be able to learn from the European experience and achieve a smoother transition to the new data protection legislation.
Europe’s General Data Protection Regulation (GDPR) has significantly impacted the technology stacks of companies across the continent. Since GDPR came into effect in 2018, companies have had to adapt their tools, processes and data management techniques to ensure compliance with the regulation’s stringent privacy and security requirements.
The regulation affects data controllers and processors across all industries, ranging from small businesses to multinational corporations. Depending on the company’s size, scope of operations and data processing practices, GDPR requires companies to update their technology stacks in a variety of ways.
One of the most important changes GDPR requires is the encryption of data. Under GDPR, companies must use appropriate technical and organisational means to ensure that personal data remains protected. As a result, many companies have adopted encryption technologies such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) when sending and receiving data.
Cloud storage and server infrastructure are also of utmost importance for GDPR compliance. To ensure that servers are secure and comply with GDPR, companies must deploy security solutions such as intrusion detection, two-factor authentication and data loss prevention measures.
Additionally, many companies have adopted data management technologies such as data discovery, classification and audit logging to quickly locate, secure and erase sensitive data in case a data breach occurs.
Finally, many companies are utilizing automated systems to ensure GDPR compliance. Automation technologies such as robotic process automation (RPA) and artificial intelligence (AI) can help companies automate and streamline data protection processes, detect data security issues and facilitate secure data transfers.
In conclusion, GDPR has required companies across Europe to update their technology stacks to ensure compliance. From encryption technologies to data discovery and automated systems, companies have had to invest in various solutions to remain compliant with the law. Doing so will help companies protect the data of their customers and safeguard their operations in the long term.