Article published May 18, 2018
Within a week, the GDPR or General Data Protection Regulation will become mandatory. It seems that, unlike any other modern law, the GDPR has an interesting side effect: it has caused mass hysteria in the usually rational technology sector.
This article is an attempt to calm the nerves of those who feel that (their) world is on the verge of collapse. In general, when it comes to any law, including this one, the main principle is: Don't Panic. The article is intended specifically for owners of small and medium-sized companies that are active on the Internet and are now a bit shocked.
About me: I have been doing technical due diligence for M & A deals (with a team of eight people) for about ten years. This experience, as well as the conviction that privacy on the Internet is worth fighting for, led me to a detailed study of privacy on the Web. As a result, I now understand the impact of the GDPR quite well, and I see how companies react to the new rules.
To begin with: every company, every project or hobby must comply with the law. What that involves usually depends on what you are doing, on your local laws and, obviously, on the laws themselves. It doesn't matter whether you work for profit or pleasure, whether you earn pennies or billions of dollars with tens of thousands of employees. Compliance with the law is the norm. If you do business abroad, you may have to comply with the laws of another country. And given the transnational nature of the web, there is a fairly high probability that your small domain will be affected by the laws of several jurisdictions. For people from relatively minor countries (from the point of view of the authorities of the rest of the world) this is not news. They are already affected by the laws of powerful states, and therefore they have probably adapted well. But for residents of large countries, who could previously ignore other people's laws, this is a new situation, which may require some new level of understanding.
The easiest way to come to this understanding is to realize that you already must comply with a large number of laws in order to be able to operate in the European market. Even a lemonade stand must comply with the following legislation:
- food safety laws
- business laws
- municipal law
- administrative law
- labor law
- possibly other regulations
So nothing was easy before. Now another law has been added to the heap, and this is not the end of the world. The article is not intended for large companies, and I am not a lawyer (yes, this is one of those boring disclaimers), so the text is not written in legal language. However, there will be some legal terms from the GDPR that I cannot get around. Definitions of these terms will be given at their first mention, and for additional information, use your favorite (necessarily GDPR-compliant) search engine.
The first thing to understand about the GDPR is the formulation "one law for all". The GDPR is written to replace its predecessor, the DPD (European Data Protection Directive). It had an annoying drawback: it was a toothless directive, not a strict regulation. Therefore, almost everyone ignored it. Old story: self-regulation comes first; if it does not work, a directive appears; and if there is still no effect, then a law finally comes out with penalties for non-compliance. As the inscription on the sign says: "You are here!". Now, in exactly seven days, a law comes into force that is tough and that you, for a change, cannot ignore.
Why did the panic arise? I have seen many different explanations, but most of them revolve around a rather limited number of misconceptions. I will try to examine them one by one from the point of view of a small business owner in order to bring the emotional temperature down to some acceptable level. First the delusions need to be debunked; this will allow you to focus in more detail on what really matters.
- I will be fined up to 20 million euros for the slightest violation of the GDPR
Well, the GDPR does have the potential to escalate to such a level, but in the spirit of good-natured European law enforcers from various agencies, they will first warn you that you are not abiding by the law, give you a certain period of time to remedy the shortcomings, and fine you only if you ignore them. This penalty will be proportional to the violation. Of course, you can ignore the penalty, and then the consequences are unpredictable, but if you pay it and eliminate the shortcomings, you can consider the matter closed. Typical EU practice in the case of repeated violations on the same issue is to increase the fine. It can grow quickly, so most companies, as a rule, promptly correct the problem as soon as they are fined for the first time. I am sure that everything will happen exactly this way, because that is how everything has worked so far. Each interaction with data protection agencies follows the same pattern: warning, fine, increased fine. Not a single case is known (I would like to be surprised, but I cannot find one) where a huge fine was imposed on a company without it being given an opportunity to bring the business into compliance with the law.
Note that 20 million euros or 4% of worldwide turnover is the maximum fine. Specifically, it is defined as "a fine of up to €20 million or 4% of the annual global turnover for the previous fiscal year for an enterprise, whichever is greater." The maximum penalty is introduced to ensure that giants like Facebook and Google will not ignore the law by simply paying the fine and continuing their previous practice. In no case should you think that you, the owner of a small business, will be handed a fine of 20 million for each violation found.
- GDPR will allow anyone to sue me, even from abroad
Under the GDPR this is not how it works, but you may be interested to know that even now anyone can sue you or your business for any reason. This is a direct consequence of commercial activity and has no relation to a specific law. The GDPR allows individuals to contact their regulators and complain if you decide to ignore their requests. Therefore, if John Doe asked for his data to be deleted from your server and you told him to get lost, John has the right to alert his regulator to the likelihood that you are not complying with the GDPR. If the data protection authority in John's country finds that this makes sense, it will send you the letter mentioned above. If not, you will never hear from them. Data protection agencies will function as intermediary focal points. If you think that this is selective enforcement, you should be happy with the new law: with the introduction of intermediaries, the regulatory burden is significantly reduced. This provision guarantees that citizens will not be able to use the GDPR to prosecute enterprises directly. A barrier is introduced before any decision is made.
- Draconian fines are imposed without warning.
No, penalties will be proportionate and will be charged only after companies have been given the opportunity to correct the problem. So it was in all EU privacy laws, and this one will be no different. EU regulators consider it their mission to enforce the law, not to create a source of income.
- GDPR will require handling complaints / documents in 28 different languages
The text of the GDPR is available in English, and a typical regulator will send you a notification in a language you can understand. This is the case with all legal matters in the EU, from road fines to copyright law and everything else. If there is one thing the EU does well, it is working in different languages. Thus, if you receive any documents, they will be in a language that you can read, and if you cannot, an English translation will be available to you. By the way, an example: last year in Paris I was given a parking ticket: I left the car on the wrong side of the road on a certain day. On Monday I parked on the right side, but apparently on Tuesday I had to put my car on the other side, and I, like a clueless tourist, thought that everything was fine because everyone else was parked there too. A few days later I received my ticket in the mail with a French text, an English text and, most surprisingly, a perfectly worded Dutch text with instructions on how to contest the fine if I wanted to challenge it, and instructions on how to pay the fine if I did not.
- GDPR will require hiring staff, and my organization is too small to afford it
No. The GDPR requires that certain roles be assigned so that someone is responsible for data privacy.
- Faceless bureaucrats will use selective law enforcement of the GDPR to fill the EU treasury at the expense of foreign companies
The EU tends to use fines as a means of forcing a company to comply with the law. If the company is large, with large European offices, or uses the EU for tax avoidance, then it is rightly concerned about this particular aspect, especially if it has built its business on massive databases of profiles of EU citizens. If that is not you, then you can most likely ignore this aspect of EU legislation. But if you are Mark Zuckerberg, then I would definitely not advise you to ignore it. However, the chances of Mark reading this article on my blog are zero.
- The EU is too far away. As a foreigner, I just follow my local laws and ignore the rest.
Once you start doing business abroad, you will have to comply with the laws of those countries. Perhaps you were hoping for something else, but it has always been this way. For physical products, there are various bodies that enforce laws in other countries, including rules on production, transportation, storage, the composition of ingredients (down to their origin), and so on, depending on the context and nature of your business. For online business, the situation has never been different. For example, you must comply with copyright law, the laws on online gambling, the DMCA and many other laws that are essentially local in nature (although copyright laws have long been harmonized between countries, which simplifies the situation).
- Processing all of these requests from end users will be a huge burden.
Then automate them. If you were able to automate data collection, then you can definitely automate the rest of the data's life cycle. When it comes to collecting rich pieces of data, companies have no insurmountable technical problems, but as soon as we talk about removing it, we suddenly return to the Stone Age and start deleting data by hand like a craftsman with a chisel and hammer, and even for a small site the work supposedly takes decades. These are disingenuous arguments, and when a person makes them it looks pretty silly, because no one has ever complained about collecting data. In fact, there are whole armies of programmers working hard to scrape data from public websites, and that is much more work than a properly arranged life cycle for the data after collection. So yes, it is a burden. But no, the burden is not huge unless you explicitly make it so, and then it is your own problem.
- The law suddenly fell on us, there is absolutely no way to prepare for it in a week.
The law has been on the books for more than two years, and the DPD, the European Data Protection Directive, has been in force for more than two decades. So no, this law has not fallen on anyone, although it is possible that you only heard about it a few weeks or months (or days?) ago. If so, don't panic anyway. Most likely, you will be all right.
- It is impossible to comply with this law
Well, my site fully complies with the law, so at least here the law seems to work. Why? Because I do not store any information about you. This is a conscious choice on my part, which I made long before the GDPR was even being discussed. But if you have a more difficult situation, you can also become compliant, or at least, and this is the main thing, you can try. For example, it is often argued that no web server (or even an Internet service) can be compliant, because all web servers log IP addresses, and IP addresses are PII. But this argument does not hold water. There are several reasons; here are the main ones. Web servers log IP addresses only if you configured them to. Almost all web servers have a log format option that determines what is logged, and you can configure your web server to log not the entire address but only the network part of it. You also have the option of keeping full logs and disclosing in your privacy policy that you do this. But then you have to allow the deletion of this data on request, which can be burdensome (or not; it depends on the volume of such requests). Finally, you may have a legitimate reason for logging IP addresses, provided that you delete them after use. The GDPR allows you to store the address for 30 days with a possible extension for another 60 days, after which an automatic reply is sent to the user that his IP address has been deleted; this is enough to comply with the law. This is one of the reasons why I think the GDPR is a surprisingly good law. In most cases, technology laws end up completely unworkable, but here most of the scenarios seem to work well for all parties involved.
- Compliance with this law will result in my business becoming unprofitable.
I'm terribly sorry to hear that. But think about this: the law is written with the explicit goal of curbing some of the most serious breaches of EU citizens' privacy on the Internet. If compliance with the law means that your business becomes unprofitable, that is as good as confessing that your business is built on gross breaches of privacy. If that really is the business model, then good riddance to you and your company. But if the business model is not like that, then most likely everything will be in order.
- This is unfair: I have no representation in the EU, because I am not from there, why should my company comply?
Because you want to do business in the EU. Many laws with cross-border effect exist for this reason, and the harmonization of legislation between countries shows that people do not always appreciate the cross-border nature of laws. The DMCA is a good example. In addition, privacy is a rather hot topic, and there is hope among human rights defenders that the EU is paving the way here and the rest of the world will follow its example.
The fact that you or your company does not have representation in the EU does not mean that you can ignore the law. If you could ignore it, it would automatically put those who play by the rules at a disadvantage. You ignore the law at your own risk.
- I do not want to be arrested for violations of the GDPR when I go on vacation to Europe (yes, I really saw it)
This is so far-fetched that it's just ridiculous. The EU does not act this way, and in general, why would you knowingly violate the law and continue to do so after you learned about it? I have not heard of a single person who, at breakfast in bed at a French inn during a well-deserved vacation, was rousted out and taken away in handcuffs. Perhaps you will be the first. If this happens, let me know; I will visit you in prison, and maybe even transfer a few dollars to the defense fund. (Sorry for the frivolous tone in this section, but such fears really irritate me. The only such case that I know of was the American arrest of David Carruthers of betonsports.com.)
[Probably the author does not know about the numerous detentions of Russian hackers while on holiday abroad. Translator's note.]
- My business cannot comply with this draconian and burdensome law.
In this case, please close the site or do not serve customers from the EU. But keep in mind that 1) you leave an open field for a competitor, and 2) you are probably doing something that you shouldn't, so I would say that the law works as intended.
- The law is so complex that it is impossible to understand
When this law came out, I was really surprised at how easy it is to read. It is not particularly long, uses mostly plain language, and usually (but not always, and this is a valid complaint) defines its terms. This is especially annoying (and understandably so) when it comes to determining at what size a company must take certain measures. I understand the complaints and I understand the position of the legislators; it could probably have been spelled out more clearly. But there were good reasons to leave such language, reasons I hope to explain later.
- I cannot afford the risks associated with this law, so I will close the site or block Europeans
Okay. Goodbye. But make sure you really understand the risks. And please understand that it may be difficult to block Europeans reliably and thereby escape the law. You need to understand that many other European laws may apply to you. In this regard, the new law is no different from others. The price of using the Internet as a global platform is interacting with the jurisdiction of each country where you do business.
- Users should be able to waive the law so that I can ignore it.
This time, the lawmakers understood the potential problem and in fact forestalled it. I suspect that the "cookie law" fiasco made them realize that companies are not shy about such things at all, and are happy to blackmail users into agreeing with what they would prefer to disagree with, for the sake of online interaction.
- For large companies, the load is manageable, for small companies it is too heavy
From what I have seen in my practice over the past couple of years, the burden is roughly proportional to three things:
- The amount of data at your disposal.
- The number of employees in your company.
- The type of data you control.
Thus the burden on a large company that holds huge amounts of confidential data is likely to be very large. The burden on a small company that holds small amounts of non-confidential data will be very low or even zero.
- No one knows what GDPR really means
The text is easily accessible. It is true that there are no full-fledged certification programs yet, but over time they will appear. In a sense, such programs are missed: it would be nice to be able to say, "We comply with the law, because we have a badge from such-and-such certification authority." But at the same time, the absence of certification requirements is actually deliberate and far-sighted, for the sake of reducing the burden on small companies.
In any case, now you understand the essence. Each of these misconceptions is like dry kindling in the hands of those who want to burn the GDPR on the good old bonfire; it incites panic in others and is generally not conducive to discussion. As a rule, these statements are made by people who really do not know the subject or whose business depends on the ability to violate the privacy of other people. They hope that by kindling this fire they will be able to raise a wave against the GDPR; they want to play politics. As we all know, in our time politics operates in areas where facts are missing, so everything is going according to plan. With this in mind, let's look at some of the real consequences of the GDPR, at what level you are most likely to be confronted with the requirements of the law, and how, in my opinion, the situation will develop.
“Hysteria around GDPR, part 2. Useful tips”