GDPR has cost businesses an 8.1% decline in profit and a 2.2% drop in sales, according to a new estimate by researchers at the Oxford Martin School. Although the study does not estimate the positive impact of GDPR, it raises the question of whether the regulation’s benefits justify these costs.
What has GDPR cost businesses?
In order to estimate the economic impact of the EU’s General Data Protection Regulation, Carl Benedikt Frey and Giorgio Presidente of the Oxford Martin School assessed the sales and profits of companies doing business in the EU before and after GDPR was enacted in 2018.
When controlling for external factors such as economic and industry fluctuations, they estimate that the average company affected by GDPR has suffered an 8.1% drop in profit and a 2.2% decline in sales.
The researchers had hypothesised that GDPR might impact businesses in two ways: by increasing compliance costs, and by dampening e-commerce demand. The fact that the impact on profits was larger indicates that the former is more pronounced. "The effect on profits is much larger than the effect on sales," explains Frey. "That means most of [the negative impact] comes from the costs of adjusting to the GDPR."
Although the study does not reveal what kind of costs businesses have incurred as a result of GPDR, "we suspect that part of it is that companies need GDPR-compliant technologies," Frey explains. "Most companies have bought them, but some have developed their own technologies too."
Frey says this is borne out in an acceleration of patents for GDPR-related technologies, such as data consent managers and GDPR-compliant blockchain technology.
How has GDPR affected Big Tech?
GDPR has not affected all companies equally. Frey and Presidente's study found that the drop in both profits and sales was greater for small businesses. This discrepancy was especially pronounced in the IT sector: large IT firms suffered a 4.6% drop in profits since GDPR's introduction, compared to a 12.% drop for small IT firms.
This suggests that, whatever its impact on Big Tech's use of personal data, GDPR is likely to have added to the tech giants' dominance of the digital economy, says Frey. "Regardless of the benefits are to consumers, it seems that [GDPR] has led to greater market concentration. It has benefitted bigger technology companies at the expense of smaller ones."
Big Tech firms already had the resources and technical skills to be GDPR compliant, Frey says, and there is evidence that they are more adept at securing their customers' consent to use their personal data. Furthermore, the Big Tech firms lobbied the EU heavily when it was shaping GDPR. "Smaller companies are generally not at the table when new technology regulations are being devised," he says.
What are the benefits of GDPR?
Frey and Presidente's study does not attempt to quantify the beneficial impacts of GDPR. But estimating the costs provokes the question of what those benefits have been so far.
Caitlin Fennessy, VP and chief knowledge officer at the International Association of Privacy Professionals, says the EU regulation has "undoubtedly increased attention to data protection at organisations around the world.”
"GDPR’s requirement to appoint a data protection officer strengthened privacy in practice by ensuring that organisations [appointed] individuals to consider the privacy implications of technologies and services," she says. "In the first year of GDPR, approximately 500,000 organisations registered a data protection officer with one of the EU’s data protection authorities."
The EU's lead has been followed by countries around the world, she adds. "In the years since GDPR’s adoption, countries around the world have adopted new data protection laws, replicating many of GDPR’s protections, including its requirement to appoint a data protection officer."
But not everyone believes that GDPR has been beneficial for consumers. In a survey of data protection and compliance officers in Ireland in December last year, 69% agreed that GDPR has been beneficial for individuals, down from 83% in 2020. The same proportion (69%) believe that compliance with GDPR "places an excessive administrative burden on organisations", up from 53% the year before.
A 2020 survey of UK businesses, commissioned by the Department for Digital, Culture, Media and Sport (DCMS), found that GDPR had succeeded in encouraging businesses to improve their cybersecurity. However, large businesses were more likely to have made positive changes than SMEs.
Many respondents to the DCMS study reported negative impacts from GDPR: 50% agreed that GDPR had led to excessive caution among staff in the handling of data, while 78% of board members said that cybersecurity updates had become more focused on data protection than general cybersecurity.
Homepage image by BeeBen14 / iStock