Untitled

a guest
May 28th, 2018
Under the European Union’s General Data Protection Regulation (GDPR), U.S. companies are projected to spend a total of $41.7 billion to achieve compliance or face a significant reduction of their market size (the EU is the second largest economy in the world). The new regulation, which came into effect on May 25, 2018, also requires companies with over 250 employees and those handling the data of 10,000+ people to appoint a so-called “Data Protection Officer” (DPO). This person is responsible for overseeing the internal procedures and external communication related to data storage and protection.

European Union companies themselves face costs of around $240 billion to prepare for the new legislation.

Neither projection includes the ongoing costs of maintaining compliance, which will include technical expenditures, payroll for specially appointed Data Protection Officers (DPOs) and other personnel, and the additional legal and accounting expenses which will certainly follow.

This legislation is a perfect example of a costly, invasive, and poorly justified bureaucratic overreach. Let us examine why in a bit more detail.

Costs vs. Benefits

As with any legislation, a cost-benefit analysis may help put those numbers into perspective. After all, there are sensible laws that also cost billions to maintain, and few complain about them.

On the official Europa.eu page on GDPR one can read that it “strengthens existing rights, provides for new rights and gives citizens more control over their personal data.” There are also benefits listed for businesses, among which are the obligations to have a designated data protection officer, to deal only with foreign companies that are GDPR compliant, to build data protection safeguards into products and services from the outset, to conduct impact assessments when data processing might be a risk, and to keep extensive records for many data processing scenarios.

It also lists a benefit with a number attached to it: the standardization of laws across EU members is supposed to save an estimated €2.3 bn ($2.7 bn) per year in legal expenses.

It is quite easy to refute the need for these regulations.

First, if there were any significant consumer interest in the right to be forgotten or the right to data portability, we would already have provisions for them in place, especially in the huge tech companies at which these regulations are aimed. Imagine you are running Facebook or Google and your support staff is swamped with requests from users to download the complete dataset you have on them or to permanently delete their data. What would you do, given that the human element is the main factor constraining your profit growth?

That’s right: you would have your engineers automate those processes, achieving what the regulation promises and likely even more. The truth is that very, very few people outside of a few dozen privacy activists and curious geeks really care about those options. The problem is blown way out of proportion, as is shown by the traffic of DuckDuckGo, the search engine which lists client privacy as its major selling point. Ten years after its inception it is still far from entering the 100 most-trafficked websites (~#300 currently, according to the website measurement company Alexa), not to mention challenging the other major players in any real way.

Second, listing costly obligations as benefits for any kind of business can only come from bureaucrats who have never produced anything and have never managed any kind of for-profit operation in their entire lives. As such, it doesn’t deserve a second look.

Finally, we have the $2.7 bn saved per year. However, even if we assume a 30-year lifespan for this regulation (a very optimistic prognosis given how fast technology develops), it will only save $81 bn over its lifetime, while costing the EU and the U.S. a combined $281 bn in initial compliance costs alone.

The GDPR compliance cost data comes from independent research by GIGAcalculator and is based on a set of surveys among CEOs, CIOs, CTOs, and risk officers of companies regarding their GDPR compliance costs, combined with extrapolation based on U.S. and EU business census data on the number and size of active businesses.

You can visualize the cost of this new regulation in an interactive GDPR compliance cost calculator which compares it to the quantities of various goods and services that could have been bought for the same money, be it in terms of the number of new smartphones, the number of monthly food portions you could purchase for the poor, or the number of cancer research projects you could fund. For example, one could build over 78 million houses for the poor in African countries with the funds spent on compliance.

Bear in mind that this is just the cost that we see. The unseen cost is the lost productivity in terms of products or services that will not be created or improved because our brightest engineers are working on GDPR-related tasks. For example, according to Bloomberg, Microsoft Corp. has 300 engineers working to ensure its software is GDPR-compliant, while a 15,000-employee German producer of bottling equipment has almost 60 people involved in GDPR.

Heavy Fines and Over-compensation

The GDPR brings with it heavy fines of up to 4% of global turnover or 20 mln EUR, whichever is larger, and it applies to all companies serving customers from the EU, regardless of their place of incorporation. This means that U.S. companies serving businesses and individuals from Europe need to change their internal operations to become compliant if they are to continue operating in the huge EU market.

The justification for these draconian fines is quite weak, given that for most companies handling personal data is not the core of their business, but a mere necessity. A fine of 4% of turnover could easily wipe out 50%-100% of the yearly operating profit of a company in an established niche. Many companies are thus likely overcompensating in their compliance efforts, leading to more expenses than necessary and to procedures that create unnecessary friction for customers and contractors.

Invasive to Private Businesses

Perhaps the most worrying part of this legislation is the requirement for a designated Data Protection Officer, which is in effect the state, and in the case of a U.S. or other international business a foreign state, imposing the creation of a company role on private establishments.

For someone who has grown up in a post-communist country from the Soviet sphere of influence this is especially worrying, as it brings back memories of communist times, before the fall of the Iron Curtain. For those of you not in the know, back then almost every company in the Soviet Bloc had an official state / party representative appointed to its upper management, much the same way as Chinese companies today have an official representative of the Communist Party of China: “The presence of party units has long been a fact of doing business in China, where party organizations exist in nearly 70 percent of some 1.86 million privately owned companies”. Foreign companies doing business in China are not excluded from this rule.

It is no secret that HR departments already act in many respects as an arm of the government inside private companies, insofar as a main part of the job is not the well-being of the company but making sure that government policies get implemented within the company. Now you will also have a DPO who is concerned not with the needs of paying customers, but with rules imposed by the bureaucrats in power.

To sum up, the GDPR is a worrying regulation not only because of its dubious benefits and the huge compliance costs for companies in the EU and the U.S., but also because of its significant invasiveness in determining the internal operations of companies worldwide.