
What are these companies doing that makes it so hard to comply?

I've been involved in GDPR efforts at work and all the policies seem fairly straightforward to me, if you're not doing shady shit and you're upfront with your users about what you are collecting the data for, how long you keep it and what access policies you have set up.

Not a problem if you ask me.



It includes liability for any and all data handed off or handled by 3rd parties. In other words, google analytics, facebook ads, salesforce customer data, mailchimp, constant contact, that really useful startup. How can you guarantee they are in compliance? If they aren't, you are now liable.

Enforcement guidelines are ill-defined, and the definition relies on vague terms. For example, is retaining an IP critical to running your business? What if you're getting DDoS'd? Now it is up to someone else to make that distinction, and you're dependent on them "being reasonable."


And if IP is the only PII you keep and you destroy IP logs after, let's say, 6 months and write something about that in your TOS, you're good. And even if you're not, if they contact you and are not happy with your way of handling data, they will warn you and then offer a solution.

You can even self-report if you're not sure you handled the privacy well, and they will point you to the stuff you have to work on (and give you a month to do that).

I understand Americans are afraid of fines and lawsuits, but please don't be afraid. Read the GDPR statements from regulatory instances; they are here to help businesses too.


> I understand Americans are afraid of fines and lawsuits, but please don't be afraid.

I think GDPR is short-sighted from a game theory perspective and will short-change European citizens.

When I sold software online, Europe was < 5% of my sales. Why take on business-ending liability risk for that amount of sales? Sure, maybe I'd do these things anyway, but once you open that Pandora's box, you're relying on favorable interpretation and the goodwill of regulators.

Having seen what happened in the US with civil asset forfeiture, well-meaning laws can have their purpose bent, and goodwill can be perverted. Why take on that exposure?


> It includes liability for any and all data handed off or handled by 3rd parties.

Why would you hand off the data of your customers to someone that won't/can't prove to you that they will be in compliance with the current legal requirements?

Honestly, that is the entire point of the GDPR: don't misuse customer data and don't hand it over to 3rd parties unless the customer allows you to.


> It includes liability for any and all data handed off or handled by 3rd parties.

Good. Outsourcing violations, ethical or legal, shouldn't get you off the hook for them.

Besides which, what are you doing handing off stuff that's important to your business without knowing what's being done with it? Not a recipe for success. And if it's not important, then...


Take a look at article 82, a DPA and legitimate interest legal basis.


The policies required for PCI compliance are all straightforward too. But enforcing large sets of policies across an organization is a challenge, no matter how simple the actual policies are.


It’s a problem cos the regulation is vague and what you just said is your interpretation of it... that doesn’t mean it would stand up in a court of law...



