Even though the General Data Protection Regulation (GDPR) does not come into force until May 25, businesses and consumers have been wearily feeling its effects for some time.

GDPR is the European Union’s latest effort to protect the personal privacy of its citizens – and it comes with teeth. As a Regulation rather than a Directive, all member states, including the UK, must comply without the additional step of national ratification.

Businesses and people who don’t live or work in the EU aren’t immune. Anyone who has customers in the EU, or works with information processors in the bloc, is subject to the GDPR. In light of this, it’s a little scary to note that, as of today, 64% of US firms either don’t know or don’t care about GDPR.

The concept of privacy protection makes sense, but whenever a governmental body steps into a debate, and then regulates, there is usually collateral damage. The scope of GDPR is wide and the impacts are nuanced and complex – which means there will be winners and losers once the regulation kicks in.

Here are the likely winners to emerge under the GDPR regime:

1. At the core of the GDPR is “data protection by design and by default”, meaning that it is often not enough to retrofit legacy processes with a veneer of privacy, but instead it may be necessary to build new processes and systems or significantly redesign existing ones.

The EU claims that these changes will result in savings to businesses of more than €2.3bn a year, due to improved and simplified processes. But in the short term the costs to companies will be a lot higher than the savings, making IT vendors one of the main beneficiaries of this spending, many of whom are actively promoting their products and services, which they say comply with privacy demands.

2. Any benefit enjoyed by IT vendors is likely to be dwarfed by the benefits coming the way of the consultants who advise businesses on how to steer their way through GDPR.

Europe’s big three strategy consultants – McKinsey, BCG and Bain – and the big four implementation consultants – Deloitte, EY, KPMG and PwC – all have active GDPR practices, along with hundreds of smaller consulting firms.

3. GDPR is a legal document and as such, much of the activity around the organisational response falls to lawyers. According to Statista, 44% of companies have updated, or are in the process of updating, their contracting and data protection policies. Lawyers are in the middle of this.

By some accounts, 40% of the total GDPR compliance budgets of UK firms will be spent on legal advice alone.

4. The impact of GDPR on consumers is likely to vary a great deal. On the positive side, they will receive fewer unsolicited ads and annoying requests to attend conferences or complete surveys. On the negative side, it will be harder for them to receive personalised services. However, on balance – for the majority – the impact will be positive.

It’s expected that the risk of consumers’ personal data falling into the wrong hands will decline. And, under GDPR, consumers will have a better chance of changing or deleting data about them that is wrong.But consumers are less likely to receive messages or offers that are targeted to their needs. Most consumers will gladly accept this trade-off: Less information relevance for more privacy.

******

Here are the likely losers to emerge under the GDPR regime:

1. Organisations around Europe are currently obsessing about the fast approaching GDPR. Big headlines, such as serious violations leading to fines of up to 4% of global revenue or €20m “whichever is greater”, have dominated the conversation. But there are hundreds of smaller issues to be concerned about, too.

The scope of the legislation is likely to warrant significant changes to IT systems and operating procedures. IT, advertising and marketing functions are directly affected, but the impacts of GDPR are being felt across the value chain, from procurement to product development, HR, manufacturing and sales.

All organisations will face increased restrictions on how they can use data to build and sell products and services. Big data will become harder to monetise.

Under GDPR, the cost of doing business will increase. According to the Financial Times, Fortune’s Global 500 firms will spend a combined €6.5bn to avoid falling foul of the regulation, and that’s not including possible fines for non-compliance.

2. Advertisers, particularly those relying on online promotion, will be severely curtailed. For example, GDPR will require them to gain explicit consent for every cookie they want to use, thus affecting any media or marketing business that uses retargeting, that is, tracking consumers and reminding them through advertising of sites they have previously visited.

They will have much less freedom to combine data from different sources and build targeted campaigns to specific groups of individuals.

3. GDPR is also likely to curb the ability of digital giants such as Facebook – including its services WhatsApp and Messenger – and Google – including Gmail – to collect and use consumer data, restricting them from targeting ads based on external data.

*********

GDPR will very soon apply to all organisations operating in, or selling to, the EU. The net effect is simple: this is a shift in power from organisations to consumers. A global trend towards more enhanced privacy protection for citizens suggests that GDPR may allow compliant organisations to get ahead, providing a longer term benefit.

However, in the short term, becoming GDPR compliant is going to be an expensive and painful process for anyone who isn’t an IT vendor, a consultant or a lawyer.

This article was originally published in the Conversation. 

Michael Wade is Professor of Innovation and Strategy and Cisco Chair in Digital Business  Transformation at IMD Business School.