The first unintended and unforeseen consequences of GDPR

For some, the General Data Protection Regulation requirements seem unnecessarily complicated and vague in their overall impact. 

Yet, less than a year after GDPR took effect, we see unintended and unforeseen consequences that suggest businesses of all sizes should be paying very close attention.

In a nutshell, GDPR was developed to strengthen and standardise data privacy protections for residents of the European Union. It is meant to replace the European Data Protection Directive, which was created in 1995, and it represents the most recent attempt at major EU legislation regarding how personal data privacy is handled. Compliance is paramount for anyone doing business in EU countries, and companies failing to comply face fines of up to €20 million, or four per cent of global annual revenues.

Most businesses that conduct operations of any kind in the EU know there are specific data protection rules like this in place. But when the regulation went live in May 2018, few had taken the time to understand it. A global survey sponsored by Sage, a business software provider, found that by early 2018, 91 per cent of executives in the United States and Canada lacked awareness of GDPR and more than 80 per cent didn’t fully understand its meaning for their business.

Now, we are starting to get a better feel for the differences it could bring.

Chilling investment

One of the most immediate effects appears to be a reluctance by venture capitalist firms to invest in start-ups potentially impacted by GDPR. In “The Short-Run Effects of GDPR on Technology Venture Investment,” authors Liad Wagman and Jian Jia of the Illinois Institute of Technology and Ginger Zhe Jin of the University of Maryland found a 17.6 per cent reduction in weekly venture deals since GDPR’s enactment. The amount raised in average deals also fell nearly 40 per cent, with start-ups less than three years old feeling the brunt of the decline.

While acknowledging their results are based on short-term findings (assembled from Crunchbase data), the researchers say there is enough data to conclude the most significant effects are on the tech sector. They report that a drop-off in tech investment could result in a potential loss of up to 29,900 jobs.

Wagman notes the initial findings about these consequences of GDPR aren’t entirely surprising, even if they are somewhat concerning.

“Economists have known for some time that data regulation entails trade-offs, even within the consumer population,” says Wagman, an associate professor of economics. “On the one hand, individuals may value their privacy, the security of their personal information, and the ability to more readily exercise control over their data. From that standpoint, there are benefits. On the other hand, restricting firms’ access to data can result in outcomes that consumers do not like, such as higher prices, and the short-run effects of GDPR on investment in European technology ventures appear to be negative. How these trade-offs shake out over time merits further study.”

Our view

While the idea behind GDPR is clear, the results of adhering to the new privacy policies are not. Venture capital funding, ad technology, digital marketing, and compliance software and services businesses are experiencing the first wave of changes.

It’s a question of watch this space.