by tyler_larson 3052 days ago
The GDPR was specifically sold as limiting the things that well-known US tech companies (Facebook, Google, Twitter, etc.) can do with respect to EU citizens. The sad irony is that only well-resourced tech companies with a small army of lawyers and a large army of programmers can afford to be GDPR compliant.

The sort of unintuitive machinations it takes to maintain honest compliance while providing useful services is kind of mind-blowing. Every bit of it that I've dealt with has left me depressed about what this will do to small companies and innovation. Facebook will have no trouble at all being GDPR compliant, but your average 50-person startup or small-town business hasn't got a chance.

3 comments

I’m currently doing some GDPR consulting for an American company.

I don’t think the GDPR is as difficult as you suggest. The biggest problem companies seem to struggle with is this idea that the personal data they keep isn’t theirs and they need to protect it like anything else in their possession that isn’t theirs.

Then, there’s also the issue that Americans aren’t used to the idea that a European court might think they’re in their jurisdiction, and they don’t know how to interact with a European court. Treating them as adversaries (as is often done in the USA) doesn’t go well. The courts basically decide if you fucked up and did harm that you could’ve prevented, and not if you were technically against the law.

Are you treating someone’s personal data the way they would want you to?

Really?

If so then you’re probably better than 90% of the way there.

I don’t think the GDPR is as difficult as you suggest. The biggest problem companies seem to struggle with is this idea that the personal data they keep isn’t theirs and they need to protect it like anything else in their possession that isn’t theirs.

You keep writing things like this, and I'm not going to just post the same reply every time, so let's try another one here.

Let us assume for the sake of debate that Privacy Shield will at some point be struck down by the courts, like Safe Harbor before it, since the fundamental objections involving US government access have not changed.

At that point, please explain the conditions under which an EU business can share PII with a US business without violating the GDPR.

Sure thing, that's described in articles 44-50. In short:

1) if the EU has declared a country "adequate", you can transfer data (there is a list of adequate countries. Canada is on it, the US with Privacy Shield too)

2) in absence of an adequacy decision, there are other possibilities: binding corporate rules (internal rules for data transfers within multinational companies[1]), contractual arrangements (for example, the EU approved clauses), adherence to a code of conduct with a binding commitment (look at this like some kind of "privacy certification")

3) Finally, if the above are not possible, a transfer is still possible if the subject gives consent after being informed of all risks.

So, for the sake of debate: I would go with either binding corporate rules (in case of a multinational) or contractual arrangements.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/data...

This is exactly the sort of scaremongering this article was trying to address.

Being compliant is about not abusing personal data. I think small companies will find that much easier to do than bigcorps whose business model is based on privacy invasion, like facebook or google.

Are you careful and open about what you do with personal data you have collected? You'll be fine.