How we choose to utilize digital technology has the potential to undermine the healthy functioning of democratic systems. Surveillance practices such as the tracking, collection and profiling of our online and real-world behavior pose a direct challenge to privacy rights and democratic freedoms such as fairness and anti-discrimination. This paper aims to understand how the GDPR represents risk and, in turn, how that representation shapes protection. Using Carol Bacchi's 'What's the Problem Represented to Be?' (WPR) approach to policy analysis, we illustrate how the GDPR's dual aims of protecting both people and the free flow of personal data exist in a state of tension and that the GDPR's framing of 'public interest' privileges economic growth over individual rights. Also problematic is the assumption that people are sufficiently informed to exercise control over their data, yet are being asked to agree to practices which may undermine that very autonomy.