You probably remember May 2018. The frantic policy updates. The cookie consent banners appearing on every website. The sudden realization that “we should probably do something about this” had come too late.
GDPR changed how businesses handle data. The Digital Product Passport is about to change how businesses handle products. And the pattern looks remarkably familiar.
The Pattern We’ve Seen Before
EU regulations follow a predictable trajectory. Years of vague discussions. Gradual policy refinement that most businesses ignore. Then sudden enforcement deadlines that trigger industrywide panic.
GDPR followed this path. The regulation was adopted in 2016, but most companies didn’t take it seriously until months before the May 2018 deadline.
DPP is following the same curve right now. The Ecodesign for Sustainable Products Regulation entered into force in July 2024. Delegated acts defining specific requirements are being adopted through 2027 and 2028. Most businesses are still in the “this probably won’t affect us” phase.
It will.
Where GDPR and DPP Compare
Both regulations affect your entire value chain. GDPR made you responsible for how your suppliers and partners handled data. DPP does the same for product information. Your compliance depends on theirs.
Both require infrastructure, not just policies. You couldn’t solve GDPR by writing a privacy policy and calling it done. You needed systems for consent management, data subject requests, and breach notification. DPP requires similar investment in product data systems.
Both have extraterritorial reach. GDPR applies to any company processing EU residents’ data, regardless of where the company is located. DPP applies to any product placed on the EU market, regardless of where it was manufactured. If you sell to Europe, you comply with European rules.
Both touch every department. GDPR wasn’t just a legal problem or an IT problem. It affected marketing, sales, HR, and customer service. DPP similarly requires coordination between product development, supply chain, compliance, and commercial teams.
Where DPP Is Different
The comparison has limits. In some ways, DPP presents challenges that GDPR did not.
GDPR was fundamentally about restricting access to information. Limit what you collect. Protect what you store. Delete what you no longer need. The goal was to hide data from unauthorized parties.
DPP inverts this logic. The goal is to expose information, to make product data transparent and accessible to consumers, regulators, and supply chain partners. Companies that spent years building walls around their data now need to build windows.
GDPR could largely be solved with documents and digital workflows. Privacy policies. Consent forms. Data processing agreements. Important, but ultimately paperwork.
DPP requires integration with physical products. Every regulated item needs a data carrier, whether QR code, NFC chip, or RFID tag, linked to a digital record containing standardized information about materials, origin, sustainability metrics, and compliance evidence. This is operational infrastructure, not documentation.
Why Small and Mid-Sized Businesses Should Pay Attention
Large corporations mobilized compliance teams and allocated substantial budgets for GDPR. They struggled, but they managed. Small and medium businesses faced the same requirements with a fraction of the resources.
A survey of European small businesses found that over half spent between €1,000 and €50,000 on GDPR compliance. Yet despite these investments, around half were still not completely sure they complied with basic requirements like describing data processing in plain language (GDPR.eu Small Business Survey, 2019).
The burden fell disproportionately on smaller players. Research analyzing firm performance across 61 countries found that GDPR’s negative impact on profits was twice as severe for small technology companies compared to the average, while large platforms saw no significant negative effects and even gained market share as smaller rivals struggled (Chen et al., CEPR, 2022).
Many small businesses ended up paying for policies they didn’t fully understand, implementing tools they couldn’t properly maintain, and hoping regulators wouldn’t notice the gaps. DPP risks repeating this pattern.
Compliance or Opportunity
Not every company approached GDPR the same way.
Some treated it purely as a compliance burden. They did the minimum required, often at the last minute, and gained nothing beyond avoiding fines.
Others recognized an opportunity. They used GDPR as a forcing function to clean up their data practices, streamline their systems, and build customer trust through genuine transparency. These companies emerged with better operations and stronger market positions.
The same divide is emerging with DPP. Companies that see it as a box to check will invest the minimum and get nothing beyond regulatory compliance. Companies that see it as infrastructure will build systems that improve operations, strengthen customer relationships, and create competitive advantages.
We’ve written extensively about these opportunities. DPP infrastructure can solve operational problems you’re already living with, from scattered product documentation to counterfeit protection to winning contracts that require sustainability credentials.
GDPR separated companies into two groups: those who checked a box and those who built something lasting. DPP will likely do the same.
Kamil Lillemoe Adamczyk, Partner at DPPA
What to Do Differently This Time
If your organization went through GDPR, you have institutional memory of what worked and what didn’t.
Use it.
Start before requirements are finalized. The general framework is clear. Product categories are identified. Timelines are published. Waiting for every delegated act to be adopted means starting when your competitors are finishing.
Choose tools over consultants. The better investment is in systems that generate ongoing value: platforms that manage product data, automate passport creation, and integrate with your existing workflows.
Build infrastructure that serves your business, not just regulators. The discipline required for DPP compliance (organizing product data, tracing supply chains, documenting materials and sustainability metrics) is the same discipline that makes businesses run better. Companies that recognize this will treat DPP as operational improvement, not regulatory overhead.
The Window Is Open
The next two years will determine which companies lead and which scramble to catch up.
If you learned anything from GDPR, it’s that early preparation beats last-minute panic. The timelines get tighter. The competitors who moved first capture the easy wins.
DPP is your second chance to get this right.
