When the European Union passed a sweeping privacy law in 2016, many worried it would be bad for business. But a new study finds that companies actually got better at running their operations because of it.

Steven Maex, an accounting professor at George Mason University's Costello College of Business, noticed something unexpected after the GDPR passed. GDPR — short for General Data Protection Regulation — is a law that forces companies to be careful about how they use people's personal information. While most discussion around such laws focuses on costs and restrictions, Maex wondered if they might also spark hidden improvements inside companies.

He spent years digging into the numbers. Using more than 28,000 firm-year observations over an eight-year period, Maex tracked what happened to companies that had to follow GDPR — specifically U.S. companies that process personal data belonging to people living in the European Union. What he found surprised him.

These companies started improving something researchers call "internal information quality" — essentially, how accurate, timely, and reliable the information is that a company's own employees use to make decisions. Maex measured this using financial reports and internal control records.

Why would a privacy law improve how companies manage information? Maex explains that when companies face rules like GDPR, they often start with what he calls an "information classification exercise." That means going through all their data and asking basic questions: What is this? Where does it live? Who can access it? This is a big project, but it gives companies a clearer picture of their most important assets.

"While such an effort can support compliance with the regulation, it also can allow the company to better control and extract value from its most important data assets," Maex said.

That clearer picture translated into real results. Companies with better internal information quality showed greater operational efficiency — meaning they got better at turning their resources into revenue.

Still, Maex is careful not to oversell the benefits. The upfront costs of complying with GDPR — building new data management systems, hiring people to oversee it all — did outweigh the efficiency gains in the first few years. But he believes the equation may shift over time. "The investments in information governance made in response to GDPR should have beneficial consequences that build over time," he said.

Looking ahead, Maex sees a bigger picture. As privacy rules spread around the world, accounting professionals may play an increasingly important role. They already help validate that service providers — like payroll companies and cloud platforms — are handling data responsibly. The American Institute of Certified Public Accountants has even expanded its reporting tools to cover data security and privacy.

For Maex, the GDPR story is really about the value of knowing what you have. "A key factor in management's ability to coordinate operations effectively is having better information to help them make decisions," he said. Sometimes, being forced to clean up your data ends up cleaning up your business too.