GDPR – an ethical stake in the ground or simply a handbook to compliance?

  • An Article-by-Article analysis of GDPR
  • Answering the question whether GDPR aims to protect the principles of data privacy, or whether it simply outlines legal mechanisms
  • Provides a behind-the-scenes understanding of the context of GDPR and its purpose



Look at GDPR differently

GDPR has now been live for 18 months – but is it well-understood?


When it arrived, it was intended to codify and protect data subjects’ rights in a way that no legislation had ever achieved before.


But did it succeed? In practice, does GDPR protect the principles of data privacy? Or did it drift into becoming simply another set of legal requirements?


The distinction is important. If businesses underappreciate the principles embedded within GDPR, their adherence efforts will miss the point. Alternatively, if GDPR is too principled, the legislation is not for purpose. Dozens of countries are basing their own data privacy legislation on GDPR, so if GDPR has failed in either way, we need to identify that danger now.


Download your copy of Calligo’s unique Article-by-Article visualization of GDPR, examining where it sits between codifying ethical principles versus prescribing legal mechanisms.

Download Now

Download PDF

The role of legislation

What is the role of legislation? To record and codify the moral expectations that members of a society have of one another, or to lay out an emotionless framework of how to comply – and prove that compliance – with a set of rules?


Predictably, it lies somewhere in between. Lawmakers have a duty to do both. But in trying to find that balance, every piece of legislation ends up leaning one way or another.


And in so doing, depending on which way it leans, it either loses sight of the need to protect fairness, or it fails to serve as a workable, functional framework for individuals and organizations to follow.

Fairness or function – where does GDPR feature?

Given GDPR is arguably the most influential piece of data privacy legislation ever created, and the closest reflection of society’s sensitivity that the data privacy community has ever seen, it is important that we understand where on the fairness-function scale it sits.

Does GDPR serve to protect society’s determination of what is an ethical use of data? Or is it a dehumanised handbook for compliance?

Many have argued that GDPR has lost its way. Many feel its originally planned status as a formalisation of absolute data rights has eroded away, leaving a sterile set of requirements that dictate how to prevent a data privacy challenge.

Is this fair?

To answer this, we need to examine each clause in turn.
We have scrutinized each of the 45 key Articles of GDPR and judged them on two scales:




Whether the Article’s role is to protect an ethical principle, or is a description of a legal mechanism for evidencing compliance, describing penalties or similar.






Whether the Article addresses a concern keenly or commonly felt by data subjects or businesses.



For example, Article 22 – dealing with limiting the exposure of data subjects to automated decision-making and profiling – scores very high for protecting an ethical principle, but is also an Article that businesses will focus on more frequently than data subjects. Many business’ whole propositions are entirely based on automated decision-making and profiling, while profiling is a comparatively minor concern of data subjects, who are typically more concerned about more fundamental rights, such as consent, security or lawfulness of processing in the first place.



Meanwhile Article 77, despite being entitled a “Right”, is actually a description of a legal mechanism – how to lodge complaints with supervisory authorities – not an articulation of an ethical principle, and is an Article that sits roughly in the middle of the Business-Data Subject spectrum of concern.

Article_77_SegmentMore articles are outlined below

For any legislation, not just GDPR, to truly work – to simultaneously protect ideals while making adherence to them practicable – one would expect it to have an equal balance of ethics-centricity and legal-centricity, and an equal focus on the concerns of people and businesses.

GDPR does not. In an examination of the 45 key clauses of GDPR:

  • 71% are legal mechanisms, while only 13% are ethical principles (remainder being neutral)
  • 64% are focused on matters that businesses are more likely to worry about than data subjects.

So, at first sight, it seems the critics are right – GDPR is a framework for compliance, not a codification of ethical principles. But this data does not tell the whole story.



What does this mean?

Remember this is simply aanalysis of the number of articles that exhibit certain traits 

Inaturally takes fewer Articles to encapsulate an ethical principle than it does to describe a legal mechanism. Especially to cover all of its ramifications, applicable scenarios or how it should be applied. It is purely a matter of relative complexity. 


Plus, the variety of areas of concern for businesses is naturally broader than those that data subjects are inclined to worry about. So perhaps the way in which the Articles’ legal focus outweighs the ethical and people-based focus is to be expected. But even so, it has had serious implications. 


Less than two years into its enforcement, GDPR has triggered more than E100m of fines – not including many of the bigger fines that have hit the press as they remain only proposed fines, or the hundreds of businesses that have received (final) warnings in lieu of fines 


Why so many breaches if compliance is prescribed so granularly? Because the point of GDPR is being missed by many businesses. GDPR may be one of the most ethically-focused pieces of legislation to have ever been drafted, but its overriding focus on legal mechanisms leads many organizations we encounter to busy themselves with “tick box compliance” rather than trying to adhere to the underlying ethical principles. The thinking is understandable: you can’t prove fairness, but you can prove the presence of privacy notices. But it’s not good enough.  


Businesses need to appreciate the significance of the lawmakers front-loading the GDPR with ethical principles in Chapter 3and look deeper at what GDPR is trying to achieve. And they must remember that most Supervisory Authorities have warned they are more concerned with the spirit than the letter of the law.  

GDPR is not a guide to compliance, it’s a guide to ethics.



Look at GDPR differently

Download your copy of Calligo’s unique Article-by-Article visualization of GDPR, examining where it sits between codifying ethical principles versus prescribing legal mechanisms



Download Now

Download PDF


The detail of how we have ranked the key articles

To build this analysis, we focused on the 45 key Articles of GDPR. We have included our commentary on why we have ranked some of them as we have, picking out the more interesting Articles.


We have excluded some clauses on the basis of:

  • Relative frequency of their applicability (e.g. we have excluded Article 81 on the suspension of proceedings)
  • Applicability to the business-people / ethics-legal debate (e.g. we have excluded Article 23 as it applies to governments, plus the whole of Chapter 7 which covers co-operation between supervisory authorities and the structure of the European Data Protection Board)

Our reasoning:

  Legal mechanism or ethical principle? Of more concern to data subjects or businesses?
  blue_key red_key
Chapter 1 – General Provisions
4.1 – Definition of ‘personal data’ At first sight, this Article is an equal balance between the two sides. However, it becomes a more principle-based Article concern as whether data relates to an “identifiable” person is highly subjective and quickly becomes an ethical conversation. Again, this is nearly an equal balance between the two sides. However, the same subjectiveness of “identifiable” makes it a more data subject-centric concern.
Chapter 2 – Principles
5 – Principles relating to processing of personal data This article is solely dedicated to outlining some of the key ethical principles on which GDPR is based Data subjects’ rights, concerns and objections are core to this Article, and while business’ remedial activities are based on these clauses, they are too high level to be of immediate practical concern to them. Whereas for data subjects, they codify their rights.
6 – Lawfulness of processing These Articles protect a core data privacy right, while also providing a framework for how to treat data subjects appropriately. Data subjects will rarely care which grounds their data is processed on, provided it is ethical. In contrast, businesses have to formally identify and evidence which grounds they are invoking.
7 – Conditions for consent Businesses care a great deal about consent, but for data subjects, this is one of the most critical and focused-upon issues. Businesses typically care a great deal about whether they have consent or not, but often dismiss it as they believe they have gathered consent legitimately – whether true or not. Meanwhile many data subjects feel under-informed as to what they have given consent for, or did not feel they had a choice, and will often object strongly.
8 – Conditions applicable to child’s consent in relation to information society services All of the above applies, but given it is regarding children’s data, it is of slightly greater concern for data subjects.
9 – Processing of special categories of personal data This is such an emotive and sensitive topic for data subjects, requiring such precise prescription and careful management by the business, that it has to sit in the middle of both spectrums.
Chapter 3 – Rights of the data subject
12 – Transparent information, communication and modalities for the exercise of the rights of the data subject These articles provide instructions of compliance, rather than specifically detailing or protecting an ethical principle. The article is mainly one that provides businesses with specifics of how to act, and while data subjects will rarely be concerned about these rules, if breached, they are likely to cause emotional reactions.
13 – Information to be provided where personal data are collected from the data subject The article addresses a joint concern of businesses and data subjects – the former will care about how to comply, while data subjects will care particularly when their rights are violated.
14 – Information to be provided where personal data have not been obtained from the data subject While businesses will be concerned about this, they often think this issue is covered in privacy notices. In contrast, data subjects are often particularly keen to know when and how their data was collected if no direct contact with the business.
15 – Right of access by the data subject These are the epitome of balance between legal and ethical – it is a legal framework to protect a data privacy ethical principle



These are a classic case of businesses and people caring equally about both the mechanics and the principle behind it.
16 – Right to rectification
17 – Right to erasure
18 – Right to restriction of processing Unlike the above, businesses care more about this one – mainly due to their common inability to comply. Data subjects want their data deleted, but businesses can rarely guarantee this and can only restrict usage, creating
19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing This is a classic case of businesses and people caring equally about both the mechanics and the principle behind it.
20 – Right to data portability This is an article mainly concerning the mechanics of compliance While this is a matter that seems to concern businesses more than people, this is a matter of transparency, which can be an emotive subject for many
21 – Right to object These are the epitome of balance between legal and ethical – it is a legal framework to protect a data privacy ethical principle This Article is rarely invoked by data subjects as they prefer pure deletion, but businesses care a great deal as they have to be able to show they have the processes in place.
Chapter 4 – Controller and Processor
30 – Records of processing activities This is a fundamental requirement for businesses, and requires detailed prescription The specific requirements of this activity are not on data subjects’ radars, and do not need to be
Chapter 5 – Transfers of personal data to third countries or international organisations
Entire chapter: Articles 44-50



These articles provide instructions of compliance, rather than specifically detailing or protecting an ethical principle. Data subjects will rarely care about where their data is, only how it is treated. Businesses however have to have robust processes and permissions in place for any international transfer