Why is GDPR a mess? As an EU citizen (for the time being at least) with personal data I want to protect I'm quite happy with it.
As someone starting a startup there's compliance I need to do, and it's work for sure, but I still (again, for now) live in the EU as a citizen, and I still have personal data that I don't want to lose control of, so on balance I'll take it.
Article 13 is bad for sure. They don't get everything right by a long shot, but on balance I think the changes have been positive.
As an EU citizen I like my personal data protected. I left Facebook and all other networks except Twitter and usually do not give data for any coupons in shops.
GDPR is a mess not from the goal but the implementation.
Currently no one knows how to implement GDPR correctly - e.g. how to exchange business cards, how to store information from sales leads etc.
Compare this with PCI compliance (which is about CC data protection) and it's very clear if you're compliant and if you are not and what to do.
For now this has no effect because data protection agencies - at least in Germany - are overloaded, but will lead to a lot of fines for companies that want to do everything the right way.
Article 13 is the same mess. Good in intention of making YT pay for the content they use and which is copyright protected, but _impossible_ to implement in its current form.
> Compare this with PCI compliance (which is about CC data protection) and it's very clear if you're compliant and if you are not and what to do
As someone with an interest in this space, I can say that the PCI DSS is not as clear as you say - there is plenty that is ambiguous and open to interpretation, and often a pass/fail for each requirement hinges on your QSA's interpretation.
> Currently no one knows how to implement GDPR correctly - e.g. how to exchange business cards, how to store information from sales leads etc.
The only time I've seen it be a problem for people is when they are playing fast and loose with people's data.
I mean, exchanging business cards is (I would suggest) an invitation to start a conversation. I'm not personally worried about that. It's definitely not an invitation to store my data in a leads database indefinitely though.
Does not being able to indefinitely store people's data in your database without getting permission first make your life harder? Good, that's the point.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
From: _Codemonkeyism@ycombinator.com
To: Bob@from.accounting
Subject: Great chat!
Hey Bob, thanks for handing me your business card the other day, can I add you to our sales database? We will contact you whenever we think we have some suitable widgets.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
From: Bob@from.accounting
To: _Codemonkeyism@ycombinator.com
Subject: Re: Great chat!
Take a hike _Codemonkeyism! / Sure, go ahead!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Compare this with PCI compliance
I've done PCI compliance, it's largely bullshit IMO. It does certify compliance with something, but it's not a particularly useful way of working out whether a company is storing people's data securely.
> but will lead to a lot of fines for companies that want to do everything the right way.
Well, we will have to see, but I doubt it. Sure, there will be companies that want to protect people's data, but can't for whatever reason (developer time etc.), but the solution there is "don't do it". If you can't secure people's data, don't store it. "It's a bit beyond our capabilities" isn't an excuse.
> Article 13 is the same mess. Good in intention of making YT pay for the content they use and which is copyright protected, but _impossible_ to implement in it's current form.
> The only time I've seen it be a problem for people is when they are playing fast and loose with people's data.
For sites not in the EU, see Article 27.
If you are not in the EU, and you process personal data of people in the EU, and the processing is related to offering goods or services to those people (regardless of whether payment is required), Article 27 requires you to have a representative in the Union.
Note: do not mix this representative up with the Data Protection Officer, which may be required by Article 37. DPOs are generally only required for pretty big data processors, and if you are required to have a DPO there is no geographic limitation on where they can be.
Article 27 doesn't apply if the processing is only occasional and doesn't involve certain especially sensitive categories, but it is not at all clear what counts as more than occasional.
Note: common system logs, such as Apache logs, include personal data (IP addresses). Logging such data is probably not a violation of GDPR, but that doesn't make it no longer count as personal data. It still counts and so you still have to follow the rules for sites that process personal data.
It also won't apply if goods or services aren't being offered to people in the Union, but that too is unclear. Your site merely being accessible from within the EU is not sufficient, but it is not clear what beyond that counts.
There is no need to be playing fast and loose with data to be totally unsure if Article 27 applies to you or not.
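The point about web server logs carrying IP addresses is the one place in this thread where a concrete data-minimization step exists, so here is an added example (not code from anyone in the thread) that truncates the client address in Apache combined-format log lines. The sample lines are constructed from documentation address ranges, and the truncation widths (/24 for IPv4, /48 for IPv6) are my assumption; the thread does not prescribe any particular width, and whether a truncated address still counts as personal data is a question it leaves open.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample lines in Apache "combined" log format. The addresses come from
// the documentation ranges (203.0.113.0/24, 2001:db8::/32) and are not real clients.
var sampleLogLines = []string{
	`203.0.113.45 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"`,
	`2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2019:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.64.1"`,
	`not-an-ip - - [10/Oct/2019:13:55:38 +0000] "GET / HTTP/1.1" 400 0 "-" "-"`,
}

// Truncation widths are an assumption for this example, not something the thread
// specifies: keep a /24 for IPv4 and a /48 for IPv6, zeroing the host part.
const (
	v4KeepBits = 24
	v6KeepBits = 48
)

// MaskIP zeroes the host portion of an address. The second return value reports
// whether the input parsed as an IP at all; unparseable input is returned unchanged
// so the caller can decide whether to drop or keep such lines.
func MaskIP(raw string) (string, bool) {
	ip := net.ParseIP(raw)
	if ip == nil {
		return raw, false
	}
	// To4 also catches IPv4-mapped IPv6 addresses such as ::ffff:203.0.113.45.
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(v4KeepBits, 32)).String(), true
	}
	return ip.Mask(net.CIDRMask(v6KeepBits, 128)).String(), true
}

// MaskLogLine rewrites the client-address field, which is the first space-separated
// token in the combined format, and leaves the rest of the line untouched.
func MaskLogLine(line string) string {
	parts := strings.SplitN(line, " ", 2)
	if len(parts) != 2 {
		return line
	}
	masked, _ := MaskIP(parts[0])
	return masked + " " + parts[1]
}

func main() {
	for _, line := range sampleLogLines {
		fmt.Println(MaskLogLine(line))
	}
}
```

Running this over the three sample lines yields `203.0.113.0`, `2001:db8:85a3::` and the unchanged `not-an-ip` token. The useful place to apply such a filter is at ingest (before lines reach disk or a log aggregator), since masking a file after the fact does nothing for the copies already in backups.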
I sell software that is largely used for PCI Compliance, and I agree with what you say. A lot of our customers simply want "checkbox compliance" - they really don't care about increasing security, just that their QSA ticks the right box.
If the GDPR looks like a mess to you, it is because it makes it blatantly obvious and very visible how strongly the entire internet industry rejects the mere idea of privacy respecting services.
Agreed. I think it's one of the biggest privacy achievements ever. We have been seeing a tremendous normalization of defiance with how user data is frequently unknowingly misused and it's time for correcting this. GDPR is a good start, hopefully US soon follows.
That's the crux of it. It's not asking companies to do anything they shouldn't have already been doing if they were conscious about security.
The problem is it's been blown completely out of proportion to a point where my son's child minder sent out letters asking for our permission to contact us if our child is unwell (Of course she should - that isn't unsolicited contact. She was already covered!).
Not quite actually - sensible practice from a security standpoint alone (as opposed to transparency) would be to have a delete but not a download button as it would make exfiltrating data with a compromised account easier. That is the flipside of power to the user - more exploitability. I don't blame them for the goal (right to know is a valid interest for consumers) but we have to acknowledge consequences if we want to avoid future errors.
The back up clearing involved would also be a pain in the ass and boost expenses of compliance (can't just use write only storage which nicely solves other problems) but it isn't insurmountable.
> The problem is it's been blown completely out of proportion [...]
Yeah, but blame that on the lawyers who wanted to cash in on this new regulation. I think only _very few_ people/business owners actually took the time to read the GDPR and think about whether all of that even applies to them.
Most just became a victim of the fearmongering around all of that.
I've seen a lot of scaremongering but none of that was from lawyers.
My observation was most of the negativity came from a combination of the press writing slanted articles criticising the EU (which is fairly typical for anything relating to the EU, it seems) and blogs from people who assumed the worst case and subsequently wrote a hysteria-driven knee-jerk opinion piece as a result. Those blogs, I've found, are the worst examples because they're more likely to spread like a virus where people say "if they're worried then I should be too!" Whereas these days people can dismiss the press a little easier if it doesn't confirm their cognitive bias.
That's just my opinion from what I've observed though. I'm not trying to claim anything as fact here.
It's absolutely not a small cost. It cost the last startup I worked for around two weeks of development time, plus in many cases it prevents us from (or adds massive restrictions on) collecting contact information from leads.
It has certainly affected the bottom line of companies like Facebook and Google, but they can afford to take the hit, not all startups can.
I'm not really disagreeing that companies "should" do it. But I'd argue one of the many reasons we have a shortage of big tech in the EU is excessive regulation restricting our ability to scale.
I'll take my data being protected over your ability to scale any day, and remember, if a US company wants to do business with EU citizens they still need to comply.
But unlike EU startups, US startups have the advantage of only having to comply with EU regulation when they're at scale and profitable.
I actually like GDPR and would love it if it was made law worldwide, but right now that's not the case and with being EU only it comes at the cost of EU tech. And if the EU wishes to remain economically competitive with the US in the coming decades we're going to need tech, and GDPR is yet another hurdle preventing us from achieving this.
Again, I'm not really arguing what should be, but from a purely pragmatic perspective I'd argue tech regulation isn't good for the already struggling economy of the EU.
Being GDPR compliant right from the start should be seen as an advantage over competitors.
GDPR can really be reduced to "privacy by design" and "privacy by default". If your business struggles with those two principles it's a business you'll probably not need.
The question is whether those costs were just bureaucracy, or just you actually having to spend the time to be responsible with user data. In my experience, it's 90% the latter.
>It cost the last startup I worked for around two weeks of development time
You spent two weeks solving technical debt, which you had ignored because no one was forcing you to actually play nice with people's data and it was convenient for you to do so.
So your old company didn't properly care about how they handled my private data and the law made them care? Should we cry at how the evil EU made them actually have to properly handle my private data? That line alone is a good showcase of why GDPR is great.
That’s a straw man. Digital privacy doesn’t have immediate public health dangers. Nobody is going to actually die if your web browsing history is mishandled.
This is exactly what I love so much about the GDPR.
It hurts and sets up barriers when you want to collect data which is not needed for fulfilling the purposes of "doing your business".
Nobody keeps you from saving contact information and communicating it in that way. But collecting all kinds of data to build profiles and get on my nerves, because I wanted to test your software is getting more and more complicated. And that's good for (end) users privacy.
Protecting your customer's privacy is already a "cost and restriction" regardless of where you live; is this how you feel about all the regulation you have to conform to if you're processing payments?
Really I would prefer the payment system was robust enough that it would do no more harm than publishing your past shopping lists but that is a separate topic.
That has always frustrated me - we have cryptographic signatures. An order should involve only an invoice signed by the end user, the merchant checking it vs your public key and then submission to the credit card processor.
Even if done with "black box calculator functions" to the end user it should be layman usable.
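The sketch above (the end user signs an invoice, the merchant checks it against the user's public key, then forwards it to the processor) worked through as an added example; this is not code from anyone in the thread. The Ed25519 signature scheme, the JSON invoice layout, the field names and the per-order nonce are my choices, not anything the comment specifies. It covers only the customer-to-merchant step: how the merchant came to hold the customer's public key, and the hand-off to the card processor, are left open here just as they are in the comment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Invoice is a hypothetical order record constructed for this example. The field
// names and the nonce are assumptions; the comment above only sketches "an invoice".
type Invoice struct {
	Merchant    string `json:"merchant"`
	OrderID     string `json:"order_id"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
	Nonce       string `json:"nonce"` // unique per order so a captured invoice cannot be replayed
}

// SignedInvoice is what the customer hands to the merchant: the exact bytes that
// were signed plus the Ed25519 signature over them.
type SignedInvoice struct {
	Payload   []byte
	Signature []byte
}

// canonical produces the bytes that get signed. encoding/json writes struct fields
// in declaration order, so the same Invoice always yields the same bytes.
func canonical(inv Invoice) ([]byte, error) {
	return json.Marshal(inv)
}

// CustomerSign is the end user's side: sign the invoice with the customer's private key.
func CustomerSign(priv ed25519.PrivateKey, inv Invoice) (SignedInvoice, error) {
	payload, err := canonical(inv)
	if err != nil {
		return SignedInvoice{}, err
	}
	return SignedInvoice{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// MerchantVerify is the merchant's side: check the signature against the public key on
// file for this customer, then check that the invoice is addressed to this merchant,
// before anything is forwarded to the card processor.
func MerchantVerify(pub ed25519.PublicKey, merchant string, si SignedInvoice) (Invoice, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, si.Payload, si.Signature) {
		return Invoice{}, errors.New("signature does not verify against customer key")
	}
	var inv Invoice
	if err := json.Unmarshal(si.Payload, &inv); err != nil {
		return Invoice{}, err
	}
	if inv.Merchant != merchant {
		return Invoice{}, errors.New("invoice is not addressed to this merchant")
	}
	return inv, nil
}

// Demo runs the exchange once: a genuine invoice, then the original signature presented
// over an altered amount, then a genuine invoice presented to the wrong merchant.
func Demo() (genuineOK, tamperedRejected, wrongMerchantRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	inv := Invoice{Merchant: "Example Widgets", OrderID: "A-1001", AmountCents: 4999, Currency: "EUR", Nonce: "n-7f3a"}
	si, err := CustomerSign(priv, inv)
	if err != nil {
		return false, false, false, err
	}
	_, errGenuine := MerchantVerify(pub, "Example Widgets", si)

	// Tampering attempt: change the amount but reuse the customer's original signature.
	altered := inv
	altered.AmountCents = 1
	alteredPayload, _ := canonical(altered)
	_, errTampered := MerchantVerify(pub, "Example Widgets", SignedInvoice{Payload: alteredPayload, Signature: si.Signature})

	// Misdirection attempt: a valid invoice for one merchant presented to another.
	_, errWrong := MerchantVerify(pub, "Other Shop", si)

	return errGenuine == nil, errTampered != nil, errWrong != nil, nil
}

func main() {
	ok, tampered, wrong, err := Demo()
	fmt.Println("genuine verifies:", ok, "| tampered rejected:", tampered, "| wrong merchant rejected:", wrong, "| err:", err)
}
```

The merchant verifies the signature before parsing the payload, so malformed input from an unauthenticated party is rejected without ever being interpreted; binding the merchant name into the signed invoice is what stops a signed order for one shop being presented to another.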
It applies to everyone who wants to serve EU customers.
As for startups: depending on what kind of personal data you are collecting, being GDPR compliant shouldn't take more than a day.
If it takes longer you are building a business around personal data, and I think you should know your stuff (not just GDPR, but also what kind of data you are collecting and why).
> being GDPR compliant shouldn't take more than a day.
either you're overly optimistic, or you have some 100x rock star doing the impl. because it took over 1 year to implement all of the GDPR required features for me, and we don't even store that much private data!
It took me 2 days - 1 day to research the requirements, and 1 day to make a few changes, largely simply to wording of our privacy policy.
How long it takes obviously depends on your data - but also on how important privacy and security is for you already. In my case, privacy was already important, so there wasn't much to do.
Unless you were in charge of GDPR compliance for an enterprise-size company, I don't know how you could possibly take a year about it, even if you had previously not cared a jot about your user's data?
It took me half a day: Had to download a GDPR privacy policy template, read through the thing. Double check all the sections applied to what I was doing (cookies, etc) and fill in my details.
What have you spent 1 year doing if I may ask? Did you previously store passwords in plain text and you had to update that?
I stopped questioning downvotes. It's just plain stupid and has no reasoning after all. But people will resort to the commenting rules or something like that, because they don't understand sarcasm and think your comment is "low quality" or something like that. It's puzzling.
> If it takes longer you are building a business around personal data, and I think you should know your stuff (not just GDPR, but also what kind of data you are collecting and why).
And you should probably pause and ask whether your proposed business will provide a net benefit to the world, or if it's just an attempt to make money regardless of the consequences to society.
Not to say there aren't any worthwhile businesses to be created around personal data, but experience suggests that some skepticism is in order.