by x0x0 3051 days ago
No, but I have to comply with the GDPR. The first thing to understand about the GDPR is that much of it is quite vague, and is essentially a framework for rule-making for 30+ privacy regulators. See, e.g., legitimate interests, where you are supposed to conduct a balancing test between competing interests with very limited guidance on what a reasonable balancing test is. Second, these lazy morons haven't issued final guidance approximately three months out from the deadline. Now, there is some guidance, but there's no hard cap on the distance between working and final guidance. How they expect companies to comply with that is obvious: they don't, and will use the opportunity to fine them. The ICO has been quite explicit about this; I don't have quotes on this laptop, but one of their senior staff basically said that grace periods are not part of their regulatory strategy. Grace periods are apparently only for the regulators. And that's the ICO, one of the more reasonable regulators! The French regulators, who aren't particularly reasonable, are no doubt anticipating the influx of cash.

So if you're a company that is relying on some mix of legitimate interests and consent to service your customers, market, and perform outbound, it's very difficult to understand what the rules are. And this is worse if you are an American company and therefore probably don't have a lead regulator and will have to attempt to comply with the (almost certainly) conflicting rules as decided upon by every privacy regulator instead of just one.

Much of the GDPR is quite reasonable (besides the DPOs, i.e. an employment program for EU lawyers) -- privacy dashboards, the ability to delete data, SARs, etc. But it's wildly unreasonable to not have final regulations in place.


I agree that it should be better executed, but I’m glad efforts for consumer protection are being made at all.

Thank you for your thorough explanation.