General Data Protection Regulation (GDPR) Implementation: What was the Impact on the Market Value of European Financial Institutions?

Personal data protection (PDP) is a big concern for political leaders, IT managers, information security consultants, the financial services industry, and the millions of people currently online. This paper analyses the impact that the most important European data protection regulation, the General Data Protection Regulation (GDPR), had on the market value of European financial institutions. Financial institutions collect and manage large amounts of personal data. Data protection is thus a key issue, and risks of non-compliance include financial, legal, and reputational risks. It is, therefore, interesting to find out whether stockholders recognized the real value and scope of GDPR. In order to examine the financial institution stockholder reaction to GDPR, we apply the event study methodology. We analyse a sample of 357 European listed financial companies, and we use daily market prices. In general, we find a significant positive reaction and note differences among European countries, showing that perception of GDPR impacts differed, probably because of uncertainty and worries about complying with new provisions, which required economic and organizational investment.


Introduction
Development, and sometimes misuse, of Information Technology (IT) has increased the vulnerability of personal data (Gadzheva, 2008).1 There is a growing concern about personal privacy among political leaders, IT managers, information security consultants and the millions of people who currently go online (Toval, Olmos, & Piattini, 2002).
Continuous digital transformation is changing the way firms create value (Milkau, 2018), and this affects the financial sector as it does other sectors. Financial institutions collect and manage massive amounts of personal data, so personal data protection (PDP) is a key concern for them, particularly considering their exposure to cyber risk (Bouveret, 2018). The last few years have seen particularly important innovations brought in to counter cyber risk.
PDP is a fundamental right in the European Union (EU), and Directive 2016/1148 "Network and Information Security" (NIS) was issued with the aim of achieving a high level of security of systems and networks. PDP was also harmonized within the EU by Directive 95/46/EC (DPD), which aimed to prevent the misuse and unnecessary collection of personal data by regulating personal data processing. Directive 95/46/EC was valid until May 25, 2018, when the new General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) came into force.
The GDPR aims to cover the gaps existing in the digital world, and regulates the impacts of data processing on PDP, including risks, rights, and freedoms. It comprises a single set of rules applicable to controllers (i.e. "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data," Art. 4 GDPR) and processors (i.e. "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller," Art. 4 GDPR) in the EU. There is also the need to protect all data produced in the EU and exported to countries outside it, standardizing all EU countries with specific rules. The GDPR thus applies to controllers and processors established outside the EU where goods and services are offered to individuals in the EU or where such providers undertake the monitoring of individuals in the EU (extended territorial scope, Art. 3 GDPR). The GDPR requires transparency and easily accessible information about the processing.
Moreover, whenever the consent of the individual is required for the processing of personal data, it has to be specifically given, freely, and unambiguously. The right to be forgotten is also established, and when there are no legitimate grounds for retaining them, data have to be deleted. Individuals also have the freedom to transfer their personal data from one service provider to another (data portability).
The new regulation introduces the principles of privacy by default and privacy by design. Briefly, privacy by design means that any action a company undertakes that involves processing personal data must be done with data protection in mind at every step: "The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects" (Art. 25 GDPR). Privacy by default means that once a product/service has been launched to the public, the strictest privacy settings should apply by default, without any manual input from the end-user: "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons" (Art. 25 GDPR). The GDPR envisages the need for organizations to start an implementation process. It provides for the designation of a data protection officer (DPO) as a new figure in charge of data processing, and it increases the responsibility and accountability of a public body for processing where its key activities require systematic monitoring of individuals or involve processing big data.
The GDPR entails a risk-based approach, and also provides for the obligation to carry out data protection impact assessments (DPIAs), which are a risk management tool (Gellert, 2018). The controller or the processor is required to consult the supervisory authority if the DPIA reveals a high risk to the rights and freedoms of natural persons (Art. 35 GDPR).
A further objective of the EU is to raise the level of security against cyber risk. The GDPR makes data-breach notification mandatory: companies that experience data breaches must notify regulators and the individuals whose personal data was compromised no later than 72 hours after the breach or after it is discovered. This obligation may increase reputational risk, which is a key issue for financial institutions.
A major contribution of this study to the existing literature is to analyse in what ways the GDPR affected the market value of some Western European financial institutions, which are personal-data intensive. We investigate a sample of 357 listed financial institutions located in France, Germany, Italy, and Spain, the main countries of Western Europe. Our main research question is the following: What was the impact of the GDPR coming into force on the European financial stock market? In order to answer the research question, we first run an event study. The null hypothesis is that the GDPR coming into force had no significant impact on the market value of the financial institutions included in the sample. The main result of the study is that there were different reactions among the main Western European countries, but we find a significant positive reaction over some event windows. We also analyze the determinants of Cumulative Abnormal Returns (CARs) by estimating an ordinary least squares (OLS) multivariate regression, and we observe that some macroeconomic variables and firm characteristics affect the returns.
The rest of the paper is organized as follows: Section two presents a summary of the main literature concerning personal data protection. Section three describes the sample we analysed and the methodology we used. Section four explains our results, and Section five concludes.

Literature review
With advances in technology and globalization, the capacity of businesses to collect, store, and exchange digitized data from any location around the world is getting stronger and bigger (Greisiger, 2001). The development of social media, big data, smartphones, and cloud computing has led to a big increase in the processing of digital data.
Big data is central to many cloud computing services and is circulated by them (Bartolini, Santos, & Ullrich, 2018). Organizations of all types and sizes increasingly realize the benefits of putting their applications and data onto a cloud, considered as a disruptive technology (King & Raja, 2012;Kshetri, 2013). Cloud computing can facilitate the sharing of information, leading to gains in efficiency and effectiveness in developing and deployment, as well as saving costs in purchasing and infrastructure maintenance (Chen & Zhao, 2012). The positive effects of fintech innovations may, however, be obtained at the expense of consumer privacy (Mikkonen, 2014).
The growing complexity of data processing is also contributing to increasing the asymmetry of information between data controllers and individuals. Data protection is thus an extremely significant concern (Hallinan, Friedewald, & McCarthy, 2012; Lachaud, 2018). As noted above, the protection of personal data across Europe was harmonized by Directive 95/46/EC (DPD), which was valid until May 25, 2018, when the new General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) came into force (Custers et al., 2018).2 The GDPR is the EU response to increased concern about data protection (Reding, 2011). As it is a "Regulation," rather than a "Directive," it has been directly applied to all EU member states, thereby ensuring uniformity (Thusing & Trauth, 2013).
The main aim of the GDPR is to provide individuals with better means for controlling and managing their personal data (Mantelero, 2013). In fact, as noted by Goodwin (1991), personal freedom is a basic consumer right, and one of the main features of the GDPR is the right to data portability (De Hert, 2018). From the user perspective, this has an impact in terms of control over personal data and of a more user-centric relationship between services.
In general, the GDPR is both a challenge and an opportunity for individual users and companies, particularly for those collecting and processing personal data (Tikkinen-Piri et al., 2018). The right to data portability can, for example, contribute to increasing the interoperability of services and competition (De Hert et al., 2018).
Nowadays, customers are concerned about privacy and their personal information being disclosed by financial institutions (Lacher, 2002; Sheehan & Hoy, 2000; Tsarenko & Tojib, 2009). Financial institutions, in fact, hold personal data that is extremely vulnerable and which could see the subject becoming a victim of fraud or other financial crime (Baker, 2017). Events like the theft of credit card numbers or identities attract the attention of the public, and of policymakers, to personal data protection (Peeples et al., 2005). In the financial sector, the level of consumer concern is often driven by the level of trust (Donilcar & Jordaan, 2006; Singh & Hill, 2003). Trust is even more important in the retail banking sector because customers tend to be less loyal, more price-sensitive, and seek to maximise value (Wright, 2002). When there is no trust, customers are less likely to share their personal information (Hubbell and Redding, 2003; Ndubisi and Wah, 2005). Financial institutions owe a duty of confidentiality to the people whose data they hold (Mourby et al., 2018), especially as this data is often sensitive, i.e., relating to "special categories" requiring extra security, such as racial or ethnic origin. Companies which collect and process large amounts of personal data, including financial institutions offering financial services (often online), are required to adopt a risk-based approach and establish a set of risk management procedures, including risk criteria, risk identification and risk assessment (ISO, 2009; Negenman, 2018). Compliance with data protection legislation requires a business to adapt to the new rules. The GDPR, in fact, has numerous practical implications for businesses, including review of processes and practice, revision of technological system design, and personnel training. In other words, GDPR requires awareness of the need to adapt, and new investments (Mikkonen, 2014). Severe sanctions and penalties are imposed in the case of infringement.3
There is a real "non-compliance risk" (Gellert, 2018): noncompliance with GDPR exposes companies to financial, legal, and reputational risks.
Moreover, data security is linked to cybersecurity (Kemery Sipes et al., 2016). Cyber risk is particularly important for financial service firms, which are moving to faster, more responsive 24-hour online services to meet customer demand (Malhotra & Sigh, 2009;Sydekum, 2018). It follows that cybercrime is also rapidly evolving, and it is becoming increasingly difficult for legislation to keep up (Zerlang, 2017). In this perspective, the GDPR presents an opportunity to increase convergence between cybersecurity and compliance.
For companies, preventing privacy breaches is often a priority because they can have a considerable negative impact on employees and customers (Oetzel & Spiekermann, 2014) as well as causing damage to finances and reputation. Reputational risk is, in fact, defined as "risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a bank's ability to maintain existing, or establish new, business relationships and continued access to sources of funding" (BIS, 2009, p. 19). Reputation has particular importance in the financial sector because there is asymmetric information (financial institutions perform a qualitative asset transformation), and because the supply of payment and risk management services creates a systemic risk (Bhattacharya and Thakor, 1993; Santomero, 1997 and 2001).

Data
This research investigates the reaction of the financial stock market in Germany, France, Italy, and Spain to the implementation of the GDPR, given that there were differences between the national legislations of the main European countries. We choose to base our analysis on three of the "big four" (i.e., Germany, France, and Italy)4 and one country similar to them in several ways, representing the other portion of Western Europe (i.e., Spain). We analyse an initial population of 421 financial companies, operating in the banking, insurance, real estate, and other financial services industries. We use daily stock market prices (adjusted for dividends and splits), which are sourced from the Thomson Reuters Datastream database. We excluded from the sample the companies for which we could not find the necessary data. Our final sample is thus composed of 357 European financial companies (corresponding to 85% of the initial population), including 64 banks, 28 insurance and reinsurance companies, 142 real estate companies, and 123 financial services companies. Considering the Western European countries mentioned, we obtain four subsamples as follows: (1) the German sub-sample includes 147 financial companies, of which 14 banks, 12 insurance and reinsurance companies, 66 real estate companies, and 55 financial service companies; (2) the French sub-sample includes 120 financial companies, of which 19 banks, 5 insurance and reinsurance companies, 55 real estate companies and 41 financial service companies; (3) the Italian sub-sample includes 60 financial companies, of which 20 banks, 9 insurance and reinsurance companies, 9 real estate companies and 22 financial service companies; and (4) the Spanish sub-sample includes 30 financial companies, of which 11 banks, 2 insurance and reinsurance companies, 12 real estate companies and 5 financial service companies.
Tables 1 and 2 show our sample composition and descriptive statistics of total assets of the 357 financial institutions considered in the analysis. Table 1 reports the sub-sample composition. The overall sample includes 357 financial companies, of which 147 are German, 120 are French, 60 are Italian, and 30 are Spanish.

Table 1. Sub-samples composition

Table 2. Descriptive statistics of total assets
The table reports descriptive summary statistics (in EUR million) for the total assets of the 357 financial institutions. Reported are the mean (µ), the standard deviation (σ), the median (med), the minimum (min), and the maximum (max).

Event Study
In order to analyse the impact of the entry into force of the GDPR (i.e., the event), on May 25, 2018 (i.e., day zero), on the market value of European financial institutions, following previous studies (Campbell et al. 2003; Gordon et al. 2011), we run an event study. The null hypothesis is that the event has no impact on the distribution of returns.
Event study methodology has been widely used in the banking and finance literature (see, e.g., Brown & Warner 1980). The assumption that financial markets respond to news affecting the value of a security means that cumulative abnormal returns are able to capture the implicit and explicit costs of new data protection regulation (Iheagwara, Blyth & Singhal, 2004; Kerschbaum, Spafford, & Zamboni, 2002; McConnell & Muscarella, 1985). Stock prices on the days surrounding the event can capture the impact of that event and measure the economic cost/benefit of the new rules. This use of event study methodology is, in fact, based on the semi-strong version of the efficient market hypothesis (Fama et al. 1969), asserting that current stock prices reflect not only historical price information but also all publicly available information relevant to a company's securities. Appraisal of the event impact requires a measure of the abnormal return (AR), which is the forecast error of a specific normal return-generating model. Specifically, the AR is the actual ex-post return of the security over the event window (EW)5 minus the normal return of the firm over the event window. The normal return is defined as the expected return without conditioning on the event taking place. In other words, estimated ARs are defined as the company stock return obtained on a given day t, i.e., the event day (here, the day the GDPR came into force), minus the predicted "normal" stock return. We estimate daily AR using the Sharpe (1963) market model,6 which relates the return of any given security to the return of the market portfolio, as follows: where Ri,t is the stock rate of return of the affected company i on day t; Rm,t is the rate of return on the market index on day t; αi is the idiosyncratic risk component of share i; βi is the beta coefficient of share i and εi,t is the random error.7
The αi and βi coefficients were estimated for each company using an ordinary least squares (OLS) regression of Ri,t on Rm,t over a 121-working-day estimation period (from the 21st to the 141st day before the coming into force of the GDPR).8 The event window is defined as the time window that takes into account -τ1 days before and +τ2 days after the date of the announcement. Following a standard approach, we consider various event windows with different lengths, with the widest lasting from 20 days before the announcement day to 20 days after it. Because our sample includes a large set of firms belonging to different financial sectors, we select the following European sector-specific market indexes: MSCI Europe Banks, MSCI Europe Insurance, MSCI Europe Real Estate, and MSCI Europe Financials.9 We use the market index total return as our proxy of Rm,t.10 Using the firm-specific parameters estimated for the market model over the estimation period (MacKinlay 1997), the ARi,t is measured as follows: The average AR for n firm shares on day t (ARt) of the event window is measured as follows:

5 The event window is the period in which the security prices of the firms involved in the event are examined.
6 The market model is used as the normal performance return model.
7 Specifically, εi,t describes the random component of the linear relationship between Rm,t and Ri,t.
8 The most frequent choice is to use the period prior to the event window for the estimation window (MacKinlay, 1997).
9 We ran a check using the national index of each financial sector, but the results are not significantly different from those we obtained by using MSCI Europe.
10 Some studies use a set of control firms in the same industry to assess AR (e.g., Cooper et al., 2001).
The concept of cumulative abnormal return (CAR) is necessary to accommodate a multiple-period event window. The CAR from τ1 to τ2 is the sum of the included abnormal returns:

$CAR_i(\tau_1, \tau_2) = \sum_{t=\tau_1}^{\tau_2} AR_{i,t}$ (4)

where (τ1, τ2) is the event window. The average CAR for the event period [CAR (τ1, τ2)] is measured as follows: where n is the number of events.

We test the statistical significance of CARs using the Boehmer et al. (1991) test statistic Z, which captures the event-induced increase in return volatility, as follows: where n is the number of stocks in the sample and SCAR (-τ1, τ2) is the standardized cumulative abnormal return of stock i over the event window, obtained following the Mikkelson and Partch (1988) approach as follows: where Rm is the average return on the market index in the estimation period, σi is the estimated standard deviation of AR on stock i, T is the number of days in the estimation period, Ts is the number of days in the event window, and all other terms are as previously defined. The Z test in Equation (6) has a t-distribution with T-2 degrees of freedom and converges to a unit normal.

We also carried out the following two tests. The first, (T1), described by Campbell et al. (1997), verifies whether the event has any influence on CARs (null hypothesis) as follows: The second, (T2), called the Sign test (Peterson, 1989; Campbell et al. 1997; MacKinlay, 1997), is a non-parametric test used to validate the results of the Z and T1 tests, as follows: where N is the number of events and N(+) is the number of events with positive CAR. The null hypothesis is the absence of significant CARs at the time when the GDPR came into force. The key parameter of T2 is the sample median, and the null hypothesis is rejected when a significant number of positive CARs are recorded.
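The event-study pipeline described above (market-model estimation by OLS over the estimation window, daily ARs in the event window, CARs as in equation (4), a cross-sectional Z statistic on standardized CARs in the Boehmer et al. style, and the sign test), as an added worked example in Python on constructed data. This is not the paper's code: the standardization factor follows the Mikkelson and Partch adjustment as the text describes it (Ts plus Ts²/T plus the squared sum of event-window market deviations over the estimation-window sum of squares), and the function names, the deterministic market path, the firm parameters and the common 2%-per-day event shock are assumptions of the example.

```python
"""Event study on constructed data: market model by OLS, abnormal returns (AR),
cumulative abnormal returns (CAR), a Boehmer-style cross-sectional Z on
standardized CARs and a sign test. Added illustration, not the paper's code."""
from dataclasses import dataclass
from math import sqrt
from statistics import NormalDist, mean


def ols(x, y):
    """Fit y = a + b*x by ordinary least squares and return (a, b)."""
    mx, my = mean(x), mean(y)
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    b = sxy / sxx
    return my - b * mx, b


@dataclass
class FirmResult:
    alpha: float
    beta: float
    sigma: float  # std. dev. of market-model residuals in the estimation window
    car: float    # CAR over the event window, equation (4)
    scar: float   # standardized CAR (Mikkelson and Partch style adjustment)


def event_study(rm_est, rm_ev, firms_est, firms_ev):
    """rm_est / rm_ev: market index returns in the estimation / event window.
    firms_est / firms_ev: one return list per firm, aligned to those windows."""
    T, Ts = len(rm_est), len(rm_ev)
    rm_bar = mean(rm_est)
    ss_est = sum((r - rm_bar) ** 2 for r in rm_est)   # estimation-window sum of squares
    ss_ev = sum(r - rm_bar for r in rm_ev) ** 2        # (sum of event-window deviations)^2
    adj = sqrt(Ts + Ts ** 2 / T + ss_ev / ss_est)       # forecast-error adjustment
    results = []
    for r_est, r_ev in zip(firms_est, firms_ev):
        a, b = ols(rm_est, r_est)                       # firm-specific market model
        resid = [ri - (a + b * rm) for ri, rm in zip(r_est, rm_est)]
        sigma = sqrt(sum(e * e for e in resid) / (T - 2))
        ar = [ri - (a + b * rm) for ri, rm in zip(r_ev, rm_ev)]  # daily AR_{i,t}
        car = sum(ar)
        results.append(FirmResult(a, b, sigma, car, car / (sigma * adj)))
    return results


def boehmer_z(results):
    """Cross-sectional Z: mean SCAR over its cross-sectional standard error,
    with a two-sided normal p-value."""
    scars = [r.scar for r in results]
    n, m = len(scars), mean(scars)
    se = sqrt(sum((s - m) ** 2 for s in scars) / (n * (n - 1)))
    z = m / se
    return z, 2 * (1 - NormalDist().cdf(abs(z)))


def sign_test(results):
    """Sign test: number of positive CARs against the n/2 expected under H0."""
    n = len(results)
    n_pos = sum(1 for r in results if r.car > 0)
    return n_pos, (n_pos - n / 2) / sqrt(n / 4)


def make_sample(n_firms=6, T=121, Ts=3, shock=0.02):
    """Constructed returns (assumption of this example): a deterministic market
    path, firm returns following alpha_i + beta_i * R_m plus small patterned
    noise, and a common +2%/day shock in the event window."""
    rm_all = [0.004 * (((t * 7) % 11) - 5) for t in range(T + Ts)]
    firms_est, firms_ev = [], []
    for i in range(n_firms):
        alpha, beta = 0.0002 * i, 0.8 + 0.1 * i
        noise = [0.002 * (((t * 3 + i) % 5) - 2) for t in range(T + Ts)]
        r = [alpha + beta * rm + e for rm, e in zip(rm_all, noise)]
        firms_est.append(r[:T])
        firms_ev.append([x + shock for x in r[T:]])
    return rm_all[:T], rm_all[T:], firms_est, firms_ev


def run_example():
    results = event_study(*make_sample())
    z, p = boehmer_z(results)
    n_pos, z_sign = sign_test(results)
    return results, z, p, n_pos, z_sign


if __name__ == "__main__":
    res, z, p, n_pos, z_sign = run_example()
    print(f"average CAR = {mean(r.car for r in res):.4f}, Z = {z:.2f}, p = {p:.4f}, "
          f"sign test: {n_pos}/{len(res)} positive, z = {z_sign:.2f}")
```

With real data the two return lists per firm would be the Datastream price series converted to daily returns and aligned to the MSCI sector index used as Rm; the estimation-window length T = 121 and the event-window length Ts are the only parameters the statistics depend on.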

The determinants of Cumulative Abnormal Returns
We identify a set of potential determinants of Cumulative Abnormal Returns (CARs).
In particular, consistently with previous studies using the event study methodology (e.g., Kiymaz, 2004; Nagano, 2013), we consider some macroeconomic and firm characteristics. The macroeconomic variables of the different countries we analysed are the following: Gross Domestic Product, GDP (i.e., the annual change in GDP), Government debt and Consumption per capita. Macroeconomic data are sourced from Eurostat. We also examine the following characteristics of the financial companies included in our sample: total assets (log total assets), market-to-book value (i.e., the ratio between market capitalization and book value), and price-to-earnings ratio (i.e., the ratio between share price and per-share earnings). Firm data are sourced from the Thomson Reuters Datastream database.
In order to investigate how CARs are influenced by macroeconomic and firm variables, we use an OLS regression. Following other studies adopting event studies (e.g. Muradoglu & Sivaprasad, 2012), we estimate the following multivariate linear model:

$CAR_i(\tau_1, \tau_2) = \beta_0 + \sum_{k=1}^{K} \beta_k x_{ki} + \sum_{j} \gamma_j Cont_{ji} + \varepsilon_i$

where CAR(τ1,τ2) are the cumulative abnormal returns calculated in the event window (τ1,τ2); x1i, …, xki are the independent variables mentioned above, with i = 1, 2, …, n; β and γ are the coefficients to be estimated and εi is the error term. We run the regression controlling for sector fixed effects (Cont are control variables).
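An added example (not the paper's code) of estimating the cross-sectional model above with sector fixed effects in plain Python: the design matrix carries an intercept, ΔGDP, log total assets, market-to-book and one dummy per sector with banks as the omitted baseline, and the normal equations are solved by Gauss-Jordan elimination. The twelve firm rows and the coefficients used to generate their CARs are constructed, so the fitted coefficients can be checked against the generating ones; the variable set is a subset of the paper's, and no noise is added to the constructed CARs.

```python
"""Cross-sectional OLS of CARs on macro and firm determinants with sector fixed
effects, on constructed data. Added illustration, not the paper's code."""
from math import log

SECTORS = ("bank", "insurance", "real_estate", "fin_services")  # bank = baseline


def design_row(gdp_change, total_assets, mtb, sector):
    """Intercept, ΔGDP, log total assets, market-to-book, then one dummy per
    non-baseline sector (the baseline is omitted to avoid the dummy-variable trap)."""
    dummies = [1.0 if sector == s else 0.0 for s in SECTORS[1:]]
    return [1.0, gdp_change, log(total_assets), mtb] + dummies


def solve_normal_equations(X, y):
    """Solve (X'X) b = X'y by Gauss-Jordan elimination with partial pivoting."""
    n, k = len(X), len(X[0])
    # Augmented matrix [X'X | X'y]
    A = [[sum(X[r][i] * X[r][j] for r in range(n)) for j in range(k)]
         + [sum(X[r][i] * y[r] for r in range(n))] for i in range(k)]
    for col in range(k):
        piv = max(range(col, k), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(k):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [A[i][k] / A[i][i] for i in range(k)]


def r_squared(X, y, coef):
    fitted = [sum(c * x for c, x in zip(coef, row)) for row in X]
    ybar = sum(y) / len(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    return 1 - ss_res / ss_tot


# Constructed firm rows (ΔGDP in %, total assets in EUR million, market-to-book,
# sector); the values are assumptions of this example, not sample data.
FIRMS = [
    (1.5, 27000.0, 1.1, "bank"),         (1.5, 6000.0, 0.9, "insurance"),
    (2.2, 12000.0, 1.6, "real_estate"),  (2.2, 2700.0, 1.2, "fin_services"),
    (0.9, 60000.0, 0.7, "bank"),         (0.9, 3300.0, 1.4, "real_estate"),
    (3.0, 20000.0, 2.1, "fin_services"), (3.0, 4400.0, 1.0, "insurance"),
    (1.5, 8100.0, 1.3, "real_estate"),   (2.2, 36000.0, 0.8, "bank"),
    (0.9, 1800.0, 1.8, "fin_services"),  (3.0, 9900.0, 1.5, "insurance"),
]
# Coefficients used to generate the CARs (intercept, ΔGDP, log assets, MTB,
# insurance, real_estate, fin_services); chosen so the fit can be checked exactly.
TRUE_COEF = [-0.03, 0.004, 0.002, 0.01, 0.003, -0.002, 0.008]


def fit_car_model(firms=FIRMS, true_coef=TRUE_COEF):
    """Build the design matrix, generate noiseless CARs from true_coef and
    return (estimated coefficients, R^2)."""
    X = [design_row(*f) for f in firms]
    y = [sum(c * x for c, x in zip(true_coef, row)) for row in X]
    coef = solve_normal_equations(X, y)
    return coef, r_squared(X, y, coef)


if __name__ == "__main__":
    coef, r2 = fit_car_model()
    names = ["const", "dGDP", "log_assets", "mtb"] + list(SECTORS[1:])
    for name, c in zip(names, coef):
        print(f"{name:>12s}: {c:+.4f}")
    print(f"R^2 = {r2:.4f}")
```

Replacing the generated `y` with CARs from the event study gives the regression the paper estimates; because one sector dummy is omitted, each sector coefficient reads as the CAR difference relative to banks.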
Our results show that there is evidence of a financial stock market reaction to the coming into force of the GDPR. In general, the average CARs are negative, but we note that the average CARs of the event windows (-20; -1) and (0; 20), 0.914% and 0.858% respectively, are positive and highly significant.
It would seem that before GDPR, there were negative (non-significant) expectations. The initial reaction was probably due to the high uncertainty surrounding the new provisions and concern about being compliant.
During longer periods before [EW (-20; -1)] and after [EW (0; 20)] May 25, 2018, we find that the market recognizes a positive (and significant) value of the GDPR. This is probably because the stock market better understands the objectives of the new regulation aimed at protecting personal data, which are a valuable asset for investors and financial companies. Financial institutions are, in fact, making increasing use of customer data, particularly through new technologies (EBA, 2016). Other factors affecting the use of personal data by financial institutions include the willingness of consumers to share their data, as well as the need to offer new digital services or traditional services through new digital channels. Like other sectors, the financial sector is currently characterized by increasing customization of products, tailored marketing, and the proliferation of new types of services (e.g., peer-to-peer lending, telematics insurance, robo-advisory). Financial enterprises are making intensive use of big data today. They will continue to do so in the future, and data protection, confidentiality, and security of personal data are key issues, as is the efficacious regulation of the field.
Our results are consistent with studies (e.g., Custers et al., 2018), which show that there are significant differences in how EU member states deal with PDP, in terms of national laws, policies, and practices. Moreover, even though PDP was harmonized by the GDPR, differences still exist today among European countries.

Regression results
Our results are reported in Table 8. The regression links the CARs calculated for the symmetric event windows to the determinants under investigation. We therefore consider the longest observation period [CAR (-20; 20)] and the shortest event window, which includes the day before and the day after the event [CAR (-1; 1)]. We report results for five models: in column (1) the dependent variable is CAR (-20; 20); the other four columns report results when the dependent variable is CAR (-10; 10) (column 2), CAR (-5; 5) (column 3), CAR (-3; 3) (column 4), and CAR (-1; 1) (column 5). ΔGDP is the annual change in GDP; market-to-book value is the ratio between market capitalization and book value; the price-to-earnings ratio is the ratio between share price and per-share earnings. The last three variables refer to the financial sectors of the companies included in our sample.
Our results show that CARs increase as GDP and consumption per capita increase. In other words, the general economic situation affects the CARs of financial companies. Government debt is the only macroeconomic variable that is not significant. Regarding firm characteristics, total assets, measuring the company size, and market-to-book value ratio are significant. Total assets affect the CAR (-1; 1), whereas the market-to-book value ratio contributes to determine CAR (-10; 10), CAR (-5; 5) and CAR (-3; 3). This suggests that the size of firms and investors' expectations on the profitability of the companies and the future value of them affect the CARs. Finally, financial services firms show higher CARs than other sectors, in the event windows (-10; 10), (-5; 5), (-3; 3), and (-1; 1).

Conclusions
Globalization and technological development, including social networking and online services, increase the risk of personal data disclosure and dissemination. Moreover, personal data collection and processing are conducted in an increasingly interconnected way. It follows that personal data protection is a topical issue and must be carefully regulated.
As of May 25, 2018, with the entry into force of the General Data Protection Regulation (GDPR), data protection rules were harmonized across the EU. The new regulation contributed to increasing individuals' control over their personal data, and to businesses' and financial institutions' awareness of the value of customer data. The GDPR requires businesses and financial institutions to pay attention to the correct use of data in order to protect the rights of the data subject. Compliance with the GDPR, in fact, requires big efforts for companies operating in many economic sectors, including the financial sector.
As far as we know, there is little research on the perceptions of stock investors regarding the recent data protection regulation in Europe. We examine this topic with particular reference to the financial sector. We ask the following research question: What was the impact of the GDPR coming into force on the European financial stock market?
We find there were different reactions among the four main Western European countries in the overall sample of 357 financial institutions, and we note a significant positive reaction over the event windows (-20; -1) and (0; 20), with average CARs of 0.914% and 0.858%, respectively. We also analyze the potential determinants of CARs at both the macroeconomic and the firm level. We identify the following factors that may affect the CARs of financial companies: economic growth (GDP), level of national consumption, and size and market-to-book value of firms.
Before the GDPR, legislative frameworks were not uniform and business strategies and policies differed across Europe. Since May 25, 2018, European countries have had to converge towards new data protection standards, businesses using big data have developed a culture of compliance and improved their risk management processes, and citizens have become more aware of their data protection rights. This also holds for the financial services industry, which is characterized by a high use of technology. Creditworthiness and risk assessment, robo-advisors, and lending and payment services offered by online platforms are just a few examples of financial services using big data and technological innovation. Data are an invaluable element of a booming digital economy, and play an increasingly vital role in innovative systems and machine learning. Nevertheless, although it is progressing, convergence towards high data protection standards at the international level is still not complete. We believe that our paper provides a useful first exploration of the topic of data protection in the financial sector. However, some limitations can be recognized in our study; for example, we analyse only four European countries. Future research may examine the impact of GDPR provisions on data protection levels in financial firms, considering a wider geographical area and a long-term horizon.