Study finds GDPR reduced value but increased cybersecurity

A recent study looking at the effects of the European Union's General Data Protection Regulation found that companies required to comply with the act lost market value in the week it became enforceable but, at the same time, suffered fewer data breaches in the long term.

The GDPR, which came into effect in 2018, requires greater transparency in how firms collect consumer data by establishing clear opt-in consent for collection, imposing stricter data management and control, and assigning substantial penalties and liability risks for data processing or data flow violations. The GDPR requires any enterprise that controls or processes EU residents' data to abide by the rules, regardless of its location. Therefore, firms across the world, including those in the US, might be subject to the GDPR if they process EU residents' personal data.

The study, published in the Journal of Business Finance and Accounting, drew on a sample of 1013 U.S. firms' stock prices around the week the rules came into force, comparing those companies exposed to them with those that were not.

The researchers found that companies that had to comply with GDPR saw their market value drop by 0.6-1.1% (or from $42 to $76 billion in total) in the week it became enforceable. This, according to the paper, was partly related to stricter data privacy and security laws slowing firms' sales growth. The researchers also found that firms exposed to the GDPR exhibited statistically slower sales growth than those not exposed to GDPR. Those affected saw their sales grow 5.8-6.6 percentage points more slowly than control firms after the law came into effect.

At the same time, these companies invested more money in data protection than those not affected by GDPR and so were less likely to experience data breaches. This reduction was significant, preventing up to 34 million records from being leaked each year, which would have cost firms between $205 million and $561 million annually to deal with. The decrease in data breach likelihood represented 10 fewer breaches in a year. In 2023, the cost per record for a medium-sized breach (up to 101,200 records) was estimated to be approximately $165 per record, with large breaches having lower per-record estimates but elevated total economic costs.

Further, researchers found that post-GDPR, investors may react more negatively to a data breach for firms with stricter data protection requirements. The paper argued that the effect is economically significant, with a data breach being associated with up to a 5.3% drop in stock prices in the five days around the announcement of the breach compared to firms not under the regulations. These results are consistent with investors anticipating significant litigation costs associated with the fines in the case of a breach.

"Our findings add to the growing body of literature documenting the costs of GDPR, such as a decrease in EU venture capital investment, especially when ventures and lead investors are not in the same state or union," said Jedson Pinto, assistant professor of accounting at the University of Texas and one of the study's co-authors. "They indicate that GDPR may have changed how the market perceives these breaches, potentially changing executives' incentives to protect customer data. These results are consistent with regulations being an alternative way to address the recent concerns of data privacy and security and should be of interest to regulators worldwide that have enacted or are looking to enact laws similar to the EU GDPR."
