Home » Operations » Control & Compliance in Operations

Five unintended consequences of GDPR

GDPR will make the collection and use of data more expensive for companies and could mean the end of free search engines and music websites, meaning that, in the end, the consumer will pay. In the wake of revelations about how our personal data has been used by Facebook, Cambridge Analytica and other companies, it seems that the introduction of the EU's General Data Protection Regulation (GDPR) can't come a day too soon. The regulation clarifies the issue of who owns personal data (the individual) and who is responsible for maintaining the security and privacy of personal data of EU-based customers/clients/contacts (the organisation). So far, so good, but will GDPR also herald “the end of the free Internet”, as some have suggested? What might be the unintended consequences of the EU regulation that seeks to protect consumer privacy and clamp down on lax online data security? In his article, GDPR and the End of the Internet’s Grand Bargain, in Harvard Business Review, Larry Downes looks at how GDPR could affect both companies and consumers.

1. Boost for EU data storage firms

Downes points out that, while perfectly legal, it's more complex to comply with GDPR if your company stores data outside the EU. He writes: “While European data may still be legally stored outside of the EU, for example, it’s much easier to comply with GDPR if data remains within the borders — a boon to a fledgling European cloud services industry.”

2. Huge costs

Buying the technology to comply with GDPR represents a significant, if not huge, cost for large companies. This survey puts the cost in the region of £430,000 for FTSE350 companies, and $1 million for Fortune 500 companies. Companies may also have to appoint highly trained personnel to oversee compliance.

3. Careful what you wish for

Consumers/users/clients will have control of their personal data and will have the “right to erasure”, meaning they can at any time withdraw consent for the personal data to be held and used by large organisations. The unforeseen consequence of this is that individuals will have to deal with far more consent and authentication requests. Downes writes: “users will be barraged with interruptions to the flow of their online lives, forced to review, decide, and reconsider each element of information they enter. In economic terms, every new mandatory disclosure, user control, and privacy “dashboard” introduces transaction costs into interactions that previously didn’t have them.”

4. End of the grand bargain

Downes also argues that the current online status quo – the free use of our individual personal data in exchange for personally targeted marketing and advertising placements – is a business model that won't work as well and could even become unsustainable when large tech firms are forced to comply with GDPR. Calling this “the Internet's grand bargain”, Downes says that “the new costs and potential penalties associated with collecting, analysing, and marketing user-provided information have become unsustainable, requiring a new business model altogether”. He concludes with this sobering thought: “The age of the free and open internet may come to an end, and quickly. That may have been the true goal of many calling for “regulation” of tech companies in the first place. If so, the unintended impact on average consumers will be severe and, perhaps for many, decidedly worse than today’s admittedly messy and often leaky online experience.”

5. Good for micropayments?

Another reaction to the “end of the free Internet” could be the proliferation of micro transactions, whereby internet users are charged small amounts to use a search engine, etc. This could benefit companies processing and providing microtransaction services... in many cases the same firms (Amazon, Apple, PayPal. etc) that are the leaders in the online space.

This item appears in the following sections:
Control & Compliance in Operations

Also see


No comment yet, why not be the first?

Add a comment