Commentary By Jorge González-Gallarza

As Deadline Looms, GDPR Faces Massive Compliance Tab


MADRID—As the European Union enters the homestretch to implementation of its new General Data Protection Regulation (GDPR) on May 25, regulatory cost estimates are sprouting up from all corners of industry. And yet no one knows the number of people who will be affected by the EU’s tightened privacy regime. This lack of a single, authoritative figure undermines the GDPR cost estimates.

The missing number is mostly due to the rule’s incongruous mix of complexity and lack of specificity, and to the varying scope and timelines of companies’ compliance plans. If one thing is clear, it is that GDPR compliance budgets will continue to grow until well beyond the May 25 deadline—as PricewaterhouseCoopers found in one of its polls of US companies.

As some in Brussels would have it, “this is only the beginning.” Many of the rule’s sweeping effects are yet to come into full focus in the early months of its application—contingent mostly on the degree of enforcement by member-state Data Protection Authorities (DPAs). After surveying GDPR’s basic provisions last week, I now examine further the full breakdown of costs and benefits at the micro level.

Revealingly enough, a quick survey of the opinion landscape delineates those in favor of the rule as the consulting firms, law firms, trade groups and software providers that stand to gain directly from GDPR. But the case for embracing the rule is often fraught with wishful thinking and an opportunistic reading of companies’ compliance moves.

GDPR’s purported benefits are more often than not based on shaky rationale, such as asserting that consumer trust in online vendors’ better, more transparent use of data will spur demand and investment into EU tech. The evidence on the matter, however, is scant. It shows that people are unwilling to share personal data only when a company shows a precedent of grave data breaches and mishandling of financial information.

Leaving aside the spike in contracting volumes for GDPR-compliant software companies, cloud service providers and database managers, the correlation appears even more tenuous on the investment side. In either case, there is little conclusive evidence of higher consumption and investment ushered in by the types of privacy protections enshrined in GDPR, which go well beyond the prevention and punishment of data breaches.

While most of the purported value of GDPR is yet to materialize and remains largely debatable, the wide sweep of costs is assured to keep growing beyond the May 25 deadline. The rapid cost growth is turning GDPR into a black hole of compliance spending crowding out other more productive investments, including in privacy-enhancing technologies.

In their joint Annual Privacy Governance Report of 2017, EY and the International Association of Privacy Professionals expected Fortune 500 companies to fork out $9 billion in aggregate on GDPR compliance, or $18 million per company. In a similar poll of company executives, PwC found 60 percent of their surveyed pool to be planning to spend over $1 million.

Many of these early subjective survey responses are limited to the acquisition of vital GDPR-compliant software and omit the costs of employee training and additional manpower that will follow, adding to the conservative nature of most cost estimates. As we get nearer to the finish line and through the summer, the aggregate bill can only grow.

In that spending-fueled race to compliance, US companies are well ahead of competitors, whether owing to a culture of preparedness or to the sheer volume of transatlantic e-commerce—54 percent of the EU’s digital market is made up of US-based online services. PwC found US companies to lead their UK and Japanese counterparts in GDPR readiness: 77 percent of them plan to shell out over $1 million, with compliance sitting atop their data privacy agenda for 92 percent.

The road to compliance is also fraught with inefficiencies and uncertainty. To be on the safe side, companies often engage in costly gold-plating that McKinsey estimates can add up to 80 percent of total costs. Though consultants often counsel a holistic tackling of GDPR’s requirements across several areas to save costs, compliance bills can also soar even higher when companies mesh GDPR-related initiatives with other digital priorities such as cybersecurity.

Along with the threat of penalties—that Oliver Wyman says could reach almost $7 billion a year for FTSE 100 companies in the worst case scenario of non-compliance—the largest imponderable will likely be lost investments in innovative technologies that rely on the unchecked collection and use of personal data.

No matter how hard vested interests try to whitewash the crippling costs of GDPR, it is inescapable that from machine learning and driverless cars to advances in energy efficiency and personalized healthcare, risk-takers and innovators will be severely constrained by the requirement to rationalize their use of data—including the initial design of artificial intelligence and algorithms issuing targeted ads, a provision named “right of explanation.”

In a future column, I will question the expectation that GDPR delivers a seamlessly integrated privacy regime across the entire EU and sets the tone for tougher rules globally. But for now, the evidence on costs is strikingly clear: GDPR’s heavy-handedness and vague language, combined with the menace of mammoth fines, is pushing companies toward an unbounded frenzy of compliance overhead—sometimes wasteful, seldom warranted.

Though surely draining to many firms’ treasuries, the ultimate losers will be the 315 million EU online customers whom GDPR is meant to empower. Unlike companies’ compliance tabs—which are continuing to grow, but with a finite horizon—they will be sadly shut off long-term from a large share of future digital bonanzas as global tech eyes more accessible markets.

Jorge González-Gallarza Hernández is a policy associate at Economics21.
