I have already begun to hear unrest from my colleagues who work in infosec and network operations about the degradation of WHOIS, as registrars have already begun to act on their own, stripping everything and blocking bulk queriers on domains frequently used for attacks. Every day of additional uncertainty equals an additional day of victimization.
Why has no one approached the DPAs with the evidence of security purposes for WHOIS? How much network degradation will we tolerate before someone bothers to give them a little hint? How many more judgments from the DPAs are we going to read that display clear ignorance of all legitimate cybersecurity purposes? Did no one see this coming?
Since we are talking about cost-benefit analysis, here is a quick one I just did that I would like to share with the group. I did a quick look for the value of the domain registration industry as a whole. Seems to be ~$4 billion. The losses incurred by the WannaCry malware are estimated to be at ~$8 billion. A single security incident destroying value equal to double your entire industry.
In May 2017, the FBI stated that over three years the "business email compromise" scams have topped ~$5 billion in losses, which would be slightly more than one domain-industry unit of value, and WHOIS is crucial to fighting it.
Remember, the whole point of GDPR is to force companies to act with more social responsibility.