EY Law BE

The Economic Benefits of GDPR Compliance

Key takeaways

  • Key decisions made and guidelines issued by data protection authorities over the summer period
  • Evolutions in the field of AI and IP over the summer period

In 2023 the French data protection authority (CNIL) issued a joint declaration with the French competition authority (Autorité de la concurrence), titled ‘Competition and personal data: a common ambition’, regarding the economic benefits of compliance. The joint declaration starts out with the central question “how to turn consumer data protection into a competitive advantage?”. In this declaration both authorities stressed the interplay between the two areas of regulation.

Building on this joint declaration, the CNIL published two studies in 2025 on the economic benefits of investing in GDPR compliance: one focusing on cybersecurity and the other on the role of the data protection officer (DPO). This newsflash focuses mainly on the DPO study and brings in the findings of the cybersecurity study where the two are linked.

The study focusing on the economic benefits of the DPO, published on 23 July 2025, highlights four categories of benefits: 

  • Leverage to win calls for tenders
  • Avoidance of sanctions
  • Avoidance of data breaches
  • Rationalization of data management

In a tendering procedure, according to the CNIL, the presence of a DPO is an important signal of trustworthiness: it shows that the candidate takes compliance into account throughout the performance of the services. The DPO plays an important role in improving compliance with the GDPR and the protection of personal data. The CNIL's publication includes the testimony of a DPO stating that his company's chances of winning such tendering procedures increased by half.

The second category of benefits is the avoidance of sanctions. This is a very straightforward category of ‘benefits’ for an organization: the sanctions issued by the CNIL in 2024 totalled €55 million, those issued by the Belgian data protection authority in 2024 totalled €708,371, and fines across the EU totalled €1.2 billion. Companies also need to consider that a public financial sanction is always accompanied by a negative impact on the company’s image with its customers and partners. Non-compliance with a regulation that aims to increase diligence when processing personal data also damages the company’s image with potential business partners: organizations are becoming more and more interdependent through subcontracting relationships, and a partner’s weak data protection practices are a risk for the whole chain, as supply chain attacks illustrate. The DPO plays an essential role in preserving the company’s reputation by acting as (i) advisor, preventing risks through data protection impact assessments, data transfer impact assessments and supplier assessments and audits, (ii) trainer, improving awareness, and (iii) internal auditor, verifying the organization’s level of maturity.

Thirdly, avoiding data breaches, as cyberattacks represent a significant cost for companies. IBM’s 2024 Cost of a Data Breach report put the global average cost of a data breach at USD 4.88 million (about €4.28 million). As with a public sanction, a data breach damages the image of an organization, and research has shown that the share price of large companies tends to fall after a breach. In addition, a data breach can lead to identity theft, where criminals gain access to bank accounts, credit card details, PayPal accounts and shopping accounts. According to the CNIL’s cybersecurity study, these forms of identity theft are linked to losses of between €585 million and €1.4 billion at European level, most of which are ultimately borne by the companies themselves, as they still compensate the victims in most cases. The DPO has a key role in securing personal data within the company: the DPO advises on potential security measures, participates in data protection impact assessments and plays a vital part in all forms of awareness-raising.

Lastly, the rationalization or streamlining of data management, which the GDPR itself pursues through its core principles of purpose limitation, data minimization and storage limitation, has a positive impact on the organization. Limiting personal data, and data in general, to what is strictly necessary leads to operational savings on storage. One DPO, at a company with a turnover of €150 million, reports savings of €400,000 in server costs. Collecting less data also means less data to protect and fewer systems holding it, which reduces the attack surface and limits the impact if a breach does occur. More generally, when data management is streamlined, the organization has easier access to the data that matters, which improves the efficiency of internal processes.

On the basis of the study, the CNIL concludes that although GDPR compliance is mandatory and comes with compliance costs, it also delivers a return on investment. However, the DPO can only have a positive impact when he or she can dedicate sufficient time to the role and the organization is willing to raise its level of compliance. The CNIL also highlights a few good practices to increase the beneficial impact of the DPO:

  • Involve your DPO in certain executive committee meetings to align compliance with the overall strategy of the company;
  • Integrate GDPR compliance with the corporate social responsibility strategy and the information systems security strategy;
  • Try to quantify the economic benefits linked to the role of the DPO;
  • Raise awareness across the different business lines of the value of compliance issues.

Action Points

  • Thank you for reading and don’t hesitate to reach out to your usual contact person at EY Law or any of the authors of this Digital Digest edition if you have any questions or would like further assistance!