Back in 2017, researchers warned that small companies in Europe would spend an average of $550,000 to meet General Data Protection Regulation (GDPR) requirements. Now, eight years later, a new study has explored how the GDPR landscape has evolved for European businesses in 2025.

A new study, "Unlocking Growth: Exploring the Economic Impact of GDPR for Tomorrow’s Europe", by Francesco Decarolis, Full Professor at the Department of Economics at Bocconi University, and Cristiana Firullo, brings together recent findings to examine how the EU’s data protection has reshaped business and user behaviour.

The research shows GDPR improved transparency for users but increased costs and uncertainty for businesses. Studies reveal higher data management expenses, decreased investment, and slower adoption of data technologies. Drawing on over a decade of research in economics and management, the report recommends simplifying compliance requirements and applying rules more consistently across EU countries to maintain privacy protection while fostering innovation and growth. The report also shared that the companies exposed to GDPR experienced, on average, an 8% drop in profits and a 2% decrease in sales.

GDPR

Changes needed to help businesses grow and stay competitive
The study incorporates insights from business and industry experts, and recommends several key approaches to GDPR reforms, which could benefit European competitiveness:

  • Ensure that data protection regulation supports Europe's competitiveness, innovation and growth.
  • Make supporting tools, like codes of conduct and certification, simple and affordable.
  • Harmonise and apply consistently GDPR rules across EU countries.
  • Ensure there is evidence-based and targeted reform of the GDPR.
  • Simplify GDPR certification and the due diligence processes for small companies, especially those from low-risk data sectors.

What is the real-world impact of GDPR?

Professor Decarolis’ paper finds that ongoing legal uncertainty and high GDPR implementation costs challenge businesses. GDPR has expanded formal privacy protections but imposed substantial economic costs, especially on small and medium-sized enterprises and startups. Firms face ongoing legal uncertainty and high costs to comply with the GDPR, including reporting duties, investments in consent mechanisms and data minimisation processes.

While users’ rights and safeguards exist on paper, their effectiveness ultimately depends on people’s attention, and engagement. It is also the case that a significant share of personal data processing can generate direct benefits for users: greater personalisation of products and services, smoother customer interactions, and more efficient processes such as payments, deliveries, and customer support.

In addition, as several studies show, the venture capital investment and innovation in EU data-driven sectors have declined since GDPR’s introduction. EU countries enforce and interpret GDPR rules in different ways, which has weakened the "one-stop shop" system. As a result, businesses operating across borders face higher costs, and the EU's Single Market becomes less unified.