Four years ago the GDPR became a compliance milestone for anyone who processes EU citizens’ personal data. While it has provided a harmonized standard for almost 500 million citizens, it has also been challenging for startups. 

GDPR was a welcomed response to the opportunities and challenges posed by the growth of digital economies and societies. The Regulation radically changed the way privacy is conceived: it harmonized and simplified rules, it gave citizens greater control over their data by establishing a wide range of easy-enforceable rights, and more generally it has led to a cultural change by making care for personal data a fundamental aspect of the business practices. GDPR’s influence has even led third countries to take it as a reference model for enacting similar legislation. 

However, not all that glitters is pure gold. For startups building novel products & services in new ways, the GDPR has been hard to understand, complex and expensive. Below are three shortcomings that we think can be improved in the future.

GDPR has introduced rules hard to understand for small players, such as the “privacy by design” principle. It means that even before commencing a business, an entrepreneur must think about how to shape all of their activities and logistics to reflect data protection compliance. This extends to all the aspects of a business such as website creation, sales, hiring, etc.

GDPR has also led to the introduction of new complexity for startups, requiring that every single action, every single choice is documented in detail for accountability purposes. This means that an entrepreneur must always be able to demonstrate from a privacy standpoint the reasons for the choices he/she has made and why he/she has decided to adopt certain practices rather than others. Given the complex documentation process, a small business has two options in order to be in full compliance: it can either resort to expensive and specialized lawyers from day one or take legal risks. 

Studies have shown compliance with GDPR has also been expensive, particularly for startups. These effects were observed both in terms of reduced profits and lower sales. Data suggests that small businesses operating in the information technology field have suffered an average of double the losses in comparison to their larger counterparts. This is precisely the sector from which we all want the challengers to big analog and digital incumbents to come from. Ultimately, as a paper by CEPR highlights, GDPR implementation raised entry barriers and caused higher concentration in the web technologies market leading to less competition and more consumers surplus depletion, as another recent survey confirms.

The GDPR is now a fact in our everyday lives, and everyone would likely agree that it has brought benefits. At the same time, Allied for Startups encourages an open reflection about what is not working well yet. Privacy and innovation are not fundamentally in conflict. Going forward Allied for Startups will work on frameworks that allow for both the protection and privacy of individuals’ data as well as the development of a thriving startup ecosystem, where all digital players, of all sizes, can compete to bring their innovation to the markets and benefit European consumers. Stay tuned!