SBphotos - stock.adobe.com

Is GDPR worth the cost?

Regulations have costs, which are meant to be recouped by the expected benefits. But who decides whether this is a good deal? Ultimately, it’s you

The General Data Protection Regulation (GDPR) has been in effect for one year now – perhaps long enough for us to try to work out whether it is all worth it.

That data is protected is great; that certain business models are no longer even possible is just fine – we’d all prefer that exploitative relationships are prevented. But those benefits do indeed come at a cost.

One of the annoying things about economists is that they insist absolutely everything has both benefits and costs. That is their famous “there is no such thing as a free lunch” statement. They also have a distressing insistence on reducing everything to cash amounts, their defence being that this is how we do sums – assign a numerical value to benefits, another to costs, and see which is greater. Then do the things that are worth it – those that have greater benefits than costs.

This cost/benefit analysis is most upsetting to those who have a cause because it does that evil thing of insisting that the dream be justified, and the methods used make us better off overall.

To take an example known to most of us – blood minerals, the coltan for our mobile phones mined by slaves and children under militia control in the Democratic Republic of the Congo. We all want to stop this happening and so a law was passed – part of Dodd-Frank, the bill that cleaned up the US financial system after the crash.

Anyone who used the four elements in question – tantalum, tungsten, tin and gold – had to tell people whether they had used material sourced from those child slaves. That’s all – just tell everyone what efforts you put in to make sure that you don’t.

Seems reasonable enough, except that even the SEC – the body that runs the regulatory system for the US financial markets – estimated that this would cost $4bn in the first year alone. The reason for this is that the method chosen meant every listed company should make sure, with a letter from a supplier, that the supplier did or did not use such minerals. And so on, cascading down the economy.

Given the number of suppliers to listed companies, this meant millions of letters racing around, each one costing something to prepare, send, collect and check.

There was another method available, suggested by those in the industry. There are not many refineries that can process the minerals that produce these metals – with the exception of gold – and 100 globally is a good enough estimate. We can also fingerprint ore from a mine – a local deposit has a marker in the form of trace elements that can be checked. We also check the trace elements on every batch of ore coming in because we have to analyse and check it before processing.

Match the fingerprint to the claimed source and we can reject, at the processing plant, batches that come from known slave-using deposits. This has the merit of being cost-effective and also actually works. It is the method being used to reduce the blood mineral trade, too – even as everyone has to continue writing those letters to each other.

The point of this long digression is that this is an example of the principle that something must be done, this is something, so let’s do it – which isn’t sufficient rationalisation for a course of action. That something must be done should lead to the question: well, what? And that “what” should be run through the cost/benefit analysis process. We then pick what achieves our goal at the least cost.

Cost of GDPR

This is where we come back to GDPR. The aim is that corporates cannot exploit our data. Now, I’m an extremist on such matters – I think markets can take care of this. That is not to argue that no regulation is needed, it is to insist that markets themselves can and do regulate.

The boycott of South African fruit was exactly that – consumers changing behaviour in order to regulate the world. Sure, market regulation doesn’t always work, but it can. I would argue that this market will regulate data. People who don’t want their intimate secrets sold on won’t use the services of those who do this.

I am entirely willing to admit to possible error here. Perhaps this market regulation isn’t strong enough, and legal action is necessary.

But we still face the next problem – is the legal action taken, GDPR, proportionate? That will be a matter of opinion, obviously, but to decide, we do need to know what the actual costs have been.

Read more about GDPR

The fact that the Cecil Whig, the local paper in Cecil County, Maryland, is no longer available online in the EU because of GDPR isn’t a large cost. The same happening to the Chicago Tribune is perhaps a larger one. Quantification is difficult, but there is absolutely some cost to us Europeans in having our access to 1,129 mainly newspaper websites cut off. Their owners them simply believe that doing the work required by GDPR isn’t worth it, and so they block EU-based readers.

There is also a realistic, well at least serious, estimate that GDPR compliance will cost $7.8bn just for the 500 largest global firms, and $150bn for all US firms. Microsoft alone had 1,600 engineers working on compliance.

None of this shows that GDPR isn’t worth it. The value of our data being safe, or at least handled according to the rules, could be worth this sum plus whatever other costs there are. But note what the pro-GDPR stance is insisting – that the protection of our data is worth these sums. Because that’s how a cost/benefit analysis works – to insist that the benefits of an action are larger than the costs. Also note what the anti-GDPR stance is insisting – that these costs are higher than those benefits.

Much of the above reveals that I am an extreme classical liberal, what the Americans call a libertarian. I am indeed biased on all such matters. But along with that position comes another prejudice, that only we as individuals are even capable of defining what something is worth. Only humans can assign values because there are only us humans here to assign values. Which means that it is you who decide, by definition, whether GDPR is worth it.

And do you?

Read more on Privacy and data protection