The first unintended consequences of GDPR

For many of us, Europe's General Data Protection Regulation requirements seem unnecessarily complicated and vague in their overall impact. Yet, less than a year after GDPR took effect, we see unintended and unforeseen consequences that suggest businesses of all sizes should be paying very close attention.

In a nutshell, GDPR was developed to strengthen and standardize data privacy protections for residents of the European Union. It is meant to replace the European Data Protection Directive, which was created in 1995, and it represents the most recent attempt at major EU legislation regarding how personal data privacy is handled. Compliance is paramount for anyone doing business in EU countries, and companies failing to comply face fines of up to €20 million, or 4 percent of global annual revenues.

Most businesses that conduct operations of any kind in the EU know there are specific data protection rules like this in place. But when the regulation went live in May 2018, few had taken the time to understand it. A global survey sponsored by Sage, a business software provider, found that by early 2018, 91 percent of executives in the United States and Canada lacked awareness of GDPR and more than 80 percent didn’t fully understand its meaning for their business.

Now, we are starting to get a better feel for the differences it could bring.

Chilling investment

One of the most immediate effects appears to be a reluctance by venture capitalist firms to invest in startups potentially impacted by GDPR. In "The Short-Run Effects of GDPR on Technology Venture Investment," authors Liad Wagman and Jian Jia of the Illinois Institute of Technology and Ginger Zhe Jin of the University of Maryland found a 17.6 percent reduction in weekly venture deals since GDPR’s enactment. The amount raised in average deals also fell nearly 40 percent, with startups less than 3 years old feeling the brunt of the decline.

While acknowledging their results are based on short-term findings (assembled from Crunchbase data), the researchers say there is enough data to conclude the most significant effects are on the tech sector. They report that a drop-off in tech investment could result in a potential loss of up to 29,900 jobs.   

Wagman notes the initial findings about these consequences of GDPR aren’t entirely surprising, even if they are somewhat concerning.

“Economists have known for some time that data regulation entails trade-offs, even within the consumer population,” says Wagman, an associate professor of economics. “On the one hand, individuals may value their privacy, the security of their personal information, and the ability to more readily exercise control over their data. From that standpoint, there are benefits. On the other hand, restricting firms' access to data can result in outcomes that consumers do not like, such as higher prices, and the short-run effects of GDPR on investment in European technology ventures appear to be negative. How these trade-offs shake out over time merits further study.”

Richard Stiennon, chief research analyst at IT-Harvest in Detroit, adds that companies outside of Europe are also less likely to expand there because of GDPR—at least for now.

“If you are a startup with the latest and greatest technology in AI, machine learning, geolocation, augmented reality, or basically anything data related, you will think twice before expanding to the EU market because the risk is too high,” he says. “It’s better to wait until the dust settles and you can afford a full-time data protection officer before dipping a toe into the GDPR quagmire.”

Shrinking online ad revenues

In addition to slowing venture capital funding, there is reason to believe that GDPR could have an effect on the previously red-hot advertising technology space.

Gartner predicts that by 2023, e-privacy regulations will increase online costs by minimizing the use of cookies, thus damaging the current Internet ad revenue machine. Privacy regulations such as GDPR and the upcoming California Consumer Privacy Act of 2018 limit the use of cookies and put greater pressure on what constitutes informed consent. Individuals may not be able to just accept the use of cookies, Gartner notes. Rather, they will have to give explicit consent to what cookies track and how that information is used.

That’s a lot to ask of consumers who don’t particularly like marketers tracking them in the first place.

“None of the current nor future legislation will be a 100 percent prohibition on personalized ads,” writes Daryl Plummer, a Gartner senior vice president and chief of research. “However, the legislation does [impede] the current Internet advertising infrastructure and the players within. The current ad revenue machine is an intricate overlapping of companies that are able to track individuals, compile personal data, analyze, predict, and target advertisements. By interrupting the data flow, as well as causing some use to be illegal, the delicate balance of service and provision that has been built up over decades of free use of data is at the very least upset.”

Slowing digital transformation in marketing

Another potentially unintended consequence of GDPR is that it could affect the ability of marketers everywhere to digitally transform in ways that would enable them to deliver higher levels of customer experience.

For the past several years, analyst firms such as Forrester say we’ve entered the age of the customer, where consumer access to unlimited online data has put them in a power position to compare, contrast, and ultimately dictate how brands treat them. This has forced brands of all sizes to adopt data-based technology to better understand customers in order to compete around experience.

But with GDPR tapping the brakes on ways in which brands collect and use personal data, the onward march of corporate digital transformation could slow.

Ironically, studies have shown that customers are willing to share personal information, giving up some level of privacy in order to receive more personalized or targeted experiences from preferred brands.

According to Brian Solis, principal analyst and futurist at Altimeter and a leading voice on digital transformation and innovation, many legacy companies know they need to play to this desire for better overall experiences but are being scared away from exploring them too deeply because of GDPR.

“Companies are [reluctant] to invest in endeavors that capture and effectively utilize real-time customer signals, even though customers are willing to exchange it for real-time and long-term value,” he says. “GDPR, of course, isn’t preventing organizations from this type of engagement. But, [if these companies aren’t] willing to invest in combining GDPR protections with customer needs while operating within the lines, customers are going to find bolder, more creative and empathetic companies that do.”

Driving compliance software and services business

For those companies that still go down the path of collecting customer data in Europe, there are now many businesses offering compliance solutions to help. In fact, one potentially unforeseen result of GDPR is that large and small vendors alike are now competing in this space.

A key reason is that GDPR has plenty of stiff requirements around data security that aren’t going to be perfectly clear for the average, very busy business. For many, it’s simply more prudent and effective to outsource to security partners.

“Every technology vendor has to take GDPR into account,” says IT-Harvest's Stiennon. “That entails some onerous requirements to demonstrate that they qualify as using ‘state-of-the-art security,’ which is a problematic term that is laced throughout the GDPR document. For instance, every cloud vendor is essentially a ‘data processor.’ Because liability for fines of up to 4 percent of global revenue falls on the data collector, every processor will be asked to demonstrate that they comply with GDPR.”

Because these requirements represent a significant market opportunity for some, the GDPR compliance software and services market has jumped in recent years, with upstarts such as BigID, DPOrganizer, and Neupart competing with the likes of BMC, IBM, Microsoft, RSA, SAP, and Symantec.

As a result, the GDPR software and services markets could experience compound annual growth rates of about 22 percent to 28 percent between now and 2025, numerous reports suggest.

Obviously, this indicates businesses around the globe will be spending mightily on software and services. In fact, a PwC survey of executives from U.S., U.K., and Japanese companies doing business in the EU found that among those that were ready for GDPR, 88 percent had spent $1 million or more doing so. What’s more, nearly 70 percent said they planned to hire an outside firm to help with compliance.

Not every consequence of GDPR—unintended or otherwise—is negative. The regulation certainly addresses European sensitivities about data privacy and reels in out-of-control use of personal information. So, from that standpoint, it could go far to protect the privacy of European citizens.

For now, though, it is clear that any company conducting business in Europe will need a better understanding of the regulation’s requirements as well as the landmines and opportunities it presents.

GDPR's unintended consequences: Lessons for leaders

• Proper compliance may require using specialized external vendors.
• Marketing efforts will require more careful analysis to get full value from their execution.
• Online advertising may need to be rethought, both for process and value expectations.