One request I have (to anyone out there who is listening) is a checklist focused on common small business tools and workflows.
For example, if I use Google Analytics on my website, or I advertise on Facebook and use the Facebook tracking on my website, do I need to do anything to be compliant? Same question for Mailchimp mailing lists, Square payments, Shopify e-commerce, etc. I get these questions from friends and clients all the time, and I struggle to give them a clear answer. I'm sure specialized consultants could, but small businesses often can't afford those.
Most of the resources I see are either aimed at larger companies, or tech startups. But the people most badly in need of guidance are neither.
If you use these you can do two things:
1. avoid sending GA events with user data in them (e.g. user ID).
2. ensure your site doesn't have pages containing personal data in the URL path.
Squarespace, Shopify, MailChimp, as hosts, should be providing their own customers with guidance for each case.
Unfortunately, as far as I've seen from Google, the guidance they're providing on GA seems to basically amount to "if you use our service, it's your responsibility to audit what you send to us", and not much else. Which is... disappointing but unsurprising.
Still, the world needs more clarity on GDPR, and this helps.
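The two checks the comment above lists (keep identifying fields out of analytics events, keep personal data out of URL paths) can be automated on the client. The following is an added example, not code from the thread or from any analytics vendor; it assumes a generic `{ name, params }` event shape and a hypothetical `send` callback, and the key list and regexes are constructed heuristics that catch obvious cases rather than a complete definition of personal data:

```javascript
// Added example (not from the thread): a client-side guard that drops
// identifying fields from analytics event parameters and flags URL paths
// that appear to carry personal data. The event shape ({name, params}) and
// the field list are assumptions, not any vendor's API.

// Parameter names that would tie an analytics hit to a person (constructed list).
const IDENTIFYING_KEYS = new Set([
  'user_id', 'userid', 'email', 'e-mail', 'phone', 'name', 'first_name',
  'last_name', 'address', 'ip', 'ssn', 'customer_id',
]);

// Value-level checks: an e-mail address or a long digit run (phone, card, ID).
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const DIGIT_RUN_RE = /\d{7,}/;

// Returns true when a string looks like it contains personal data.
function looksPersonal(value) {
  const s = String(value);
  return EMAIL_RE.test(s) || DIGIT_RUN_RE.test(s);
}

// Returns a copy of the event with identifying params removed, plus the list
// of keys that were dropped so a developer can audit the calling code.
function sanitizeEvent(event) {
  const params = {};
  const dropped = [];
  for (const [key, value] of Object.entries(event.params || {})) {
    const k = key.toLowerCase();
    if (IDENTIFYING_KEYS.has(k) || looksPersonal(value)) {
      dropped.push(key);
    } else {
      params[key] = value;
    }
  }
  return { name: event.name, params, dropped };
}

// Audits a URL path (and query string) for embedded personal data, the second
// item on the commenter's list. Returns the offending segments or values.
function auditPath(path) {
  const url = new URL(path, 'https://example.invalid'); // base only for parsing
  const segments = url.pathname.split('/').filter(Boolean)
    .map(decodeURIComponent);
  const flagged = segments.filter(looksPersonal);
  for (const [, v] of url.searchParams) {
    if (looksPersonal(v)) flagged.push(v);
  }
  return flagged;
}

// Wraps a hypothetical send function so every event passes through the sanitizer.
function guardedSend(send) {
  return (event) => {
    const clean = sanitizeEvent(event);
    if (clean.dropped.length) {
      console.warn(`dropped identifying params from "${event.name}":`, clean.dropped);
    }
    send({ name: clean.name, params: clean.params });
    return clean;
  };
}

// Constructed demo input.
const demoEvent = {
  name: 'purchase',
  params: { value: 42.5, currency: 'EUR', user_id: 'u-1234', note: 'jane@example.com' },
};
const demoPath = '/account/jane.doe%40example.com/orders?ref=summer';

if (typeof require !== 'undefined' && require.main === module) {
  const sendToAnalytics = guardedSend((e) => console.log('sending', JSON.stringify(e)));
  sendToAnalytics(demoEvent);
  console.log('flagged path segments:', auditPath(demoPath));
}
```

Run with `node` to see the demo event leave with only `value` and `currency`, and the path audit flag the decoded e-mail address in the second segment. The `dropped` list is the useful part in practice: wire `guardedSend` in front of whatever analytics call the site makes, log what gets dropped during development, and fix the calling code rather than relying on the filter in production.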
In other words, if you don't need a DPO you definitely shouldn't just appoint somebody because that feels like the right thing to do.
Am I reading this wrong? It seems like if every country adopted laws like this, you would need to have ~200 different representatives across the globe to have any kind of online business.
It's like handling mail to abuse@<domain>. You sort of have to do it, but no one forces you to have different employees handle mail to abuse@<each domain>, or to have people in different countries do it. The people who force you to handle abuse@<domain> may or may not have the power to make you do it, which is another similar aspect.
What you cannot do is answer the phone and say "uh, I'm not sure who's in charge of that... let me put you on hold..."
I run a site targeted at North Americans. However, each year I usually get 1-2 sales within Europe (mostly UK), and a very small number of visitors from EU countries.
The EU is basically inconsequential revenue for me. What would be the minimum required?
1. Shut off sales to EU, or
2. Shut off free account creation and/or email list signup to EU + shut off Google Analytics for EU, or
3. Block all EU IPs
It's not worth figuring out how to comply. I make less than $500 from the EU each year.
"Ignore it" doesn't seem like a good move as the fine is very large.
In my company (Germany) we work together with an external data protection officer, who was of great help for us dealing with the GDPR requirements. So maybe you find it worth talking to one, just to get a better understanding of the matter.
There are few examples in the law of what visibly means, such as having prices in euro or having EU contact numbers...
Two notable points:
1. It is relatively short and well-categorised. I've seen scare-mongering blogposts exhaustively listing all the worst-case edge cases you could possibly have to consider, whereas this is a common-sense high-level overview.
2. There are links to relevant articles on each point to provide quick clarity. For example: "Your company has appointed a Data Protection Officer (DPO)" links to Article 37 which clarifies that this requirement is only for "public authority or body"; "regular and systematic monitoring of data subjects on a large scale"; or "processing on a large scale of special categories". Other similar clarifications for the other points are helpful too.
If in the future you want to expand to the EU, and can afford it, it would be nice not to already have a bad relationship with their regulators.
How do you explain to a 7-year-old how you handle data in MySQL (which is mentioned in another point), or how do you do it for a 13-year-old? Actually, how do you do it for a 33-year-old?
I'd love to see examples of this.
A productive approach to a real problem people have.