GDPR costs are forcing firms to rethink data strategies


The EU’s landmark General Data Protection Regulation (GDPR) is costing companies more to store and manage their data and is causing them to reduce the quantity of data they collect and store, new research indicates. 

The National Bureau of Economic Research (NBER) has issued a working paper looking into how European businesses have responded to the privacy laws that came into effect almost 6 years ago, in 2018.

The paper constructed an estimate of the increased costs GDPR is imposing on firms using a production function with storage and computation as the primary inputs, estimating a 20% increase in the cost of data on average.

In addition, the authors calculated that the implementation of GDPR resulted in a 4% increase in the cost of producing information.

Previous survey evidence cited in the study found GDPR compliance costs typically range from $1.7 million for small to medium-sized enterprises to $70 million for large enterprises.

The study found EU firms had adapted by decreasing their data storage by just over a quarter and their data processing by 15%, relative to comparable US firms.

Speaking to ITPro, Alasdair Anderson, VP and GM of EMEA at Protegrity, said GDPR has made data management more arduous for companies and that although the initial investment spike has subsided, costs to businesses are still high.

“GDPR has undoubtedly added complexity and cost to all businesses working with consumer data. While the investment required has flattened out since the 2018 implementation deadline, the cost of business-as-usual remains stubbornly high.”

Anderson reported he is seeing customers allocate more time and money to their data strategy, but this forced investment has resulted in them generally having better quality data and thus being better placed to take advantage of AI tools.

“Our customers are now spending more time and money on their data than ever before. As commercial investments begin to focus on the enablement of AI, we would expect to see European businesses benefit from higher-quality AI outputs from their better-quality data inputs.”

With stronger enforcement comes greater responsibility

In July 2023, the European Commission proposed a new law aimed at providing data protection authorities (DPAs) with more comprehensive procedural rules for enforcing GDPR in cases that span more than one member state’s jurisdiction.

David Dumont, partner at law firm Hunton Andrews Kurth LLP, told ITPro the law was an attempt to complement the original regulation and address a weakness it exhibited when applied to cross-border cases.

“The European Commission’s proposal is intended to complement, not alter, the GDPR. The aim of the proposed Regulation is to enhance the efficiency of cross-border data protection enforcement, which has been a point of criticism over the past years.”

Dumont argued, however, that the EU and relevant DPAs need to be aware of the responsibility they have when enforcing these regulations, which could result in levying multi-million dollar fines on businesses in the region.

The harmonization proposed in July 2023 expanded the scope of their authority, streamlining the process for penalizing firms found to be in violation of the regulations, and authorities should be cognizant of the consequences of a successful prosecution, according to Dumont.

“With more and stronger enforcement by the data protection authorities comes greater responsibility,” he said. 

“Clear procedural rules with adequate safeguards for the defendants’ interests, such as the right to be heard and protective measures for safeguarding the defendants’ confidential information, are pivotal as organizations involved in enforcement proceedings face potentially major consequences, including multi-million euro fines which may end their business. The aim should be better enforcement instead of more.”

Solomon Klappholz
Staff Writer