GDPR: An Assessment

It has now been a bit over three years that the European General Data Protection Regulation has been in force. What has the effect been?

First, it's worth pointing out that the principles behind the GDPR sound quite reasonable and the aim of the regulation makes sense. It's obviously an issue that we give all kinds of personal data to all kinds of company and have little control over and knowledge of what happens with that data.

But what has the effect been for me as a user? The primary difference is that on almost every new website I go to, I am now shown some information first. It says something like this: For the website to work, we need to collect and use all kinds of personal data. Are you okay with this? There might also be an option to accept necessary cookies, but not accept others.

De facto, more or less everybody will just accept and use the website more or less like before. I do not have more control over my data nor knowledge of what happens with it. However, more friction has been added. If we assume that 500 million people spend 10 seconds per day on this, it ends up consuming around 500 million hours per year or cost $5 bn assuming $10/hour cost.

Of course, this does not include all the added work and processes that companies internally go through to be GDPR compliant. That cost is estimated at $320bn worldwide, equivalent to about 2% of the EU's GDP.

I'm sure there are some benefits that are not visible. And there are certainly other costs as well. But at least from my limited perspective, GDPR seems like a gigantic failure and waste of resources.