Yes. That's the policy goal. Don't start businesses that are inevitably going to hurt people.
There are lots of other profitable businesses you're not allowed to start, like "an agile, disruptive restaurant that cuts costs by never cleaning" or "an investment advisor that front-runs their own customers" or "a healthcare startup that runs on unpatched Windows XP" or "a company that helps you get work visas for nonexistent jobs" or whatever.
No, they say that you can either run a fly-by-the-seat-of-your-pants startup, or handle private data, but not both at the same time.
If you want to be entrusted with people's private data, then the table stakes are much higher than simply starting a business, and you have to be prepared to invest the time and resources to do it properly, or you're not allowed to do it at all.
Don't start certain kinds of businesses without being willing to deal with the reasonable requirements of starting businesses of that kind.
If I start a biotech startup, then I need to make sure I'm keeping all health data I encounter well protected. This _does_ mean it's harder to start a business in this space—but not impossible
If you're not willing to make that tradeoff, then don't start that kind of business.
I certainly respect your desire for no businesses to have certain pieces of of your personal data, but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".
And beside that, regulations that effectively result in prohibiting certain kinds of businesses even though they don't explicitly do so are bad regulations IMO.
> but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".
There are companies tracking the SSID of my phone with wifi beacons to find out which stores I was physically visiting. How do I opt-out of that?
Sorry to bring the tired "you're not the customer, you're the product" line, but the way the industry is set up today, I'm starting to doubt there is so much difference between the two options.
Tracking and data collection is baked into so many services nowadays that you'd have to be extremely attentive as a consumer to avoid any tracking - also be prepared to face a lot of inconveniences and restrictions. If possible at all.
I understand your sentiment, but we’ve swung so far towards the unrelenting abuse of consumer data, I’m supportive of regulation through any means necessary.
To your point, if a business is not explicitly banned, but banned because of regulation about what that business can do, that’s exactly the sort of regulation we want. We don’t dictate your business specifically, just what you can and can’t do with the data. If you can operate within those regulations, congrats!
If you don't have basic infosec when starting a business... Don't start a business. It's 2018. Companies get hacked for a ton of reasons, it's redicolous how badly companies exploit customer data and then fail to protect it. Companies need to be held liable for that
GPDR does not, and government checklists can not, ever, cause companies to have acceptable infosec. Any attempt at security-by-bureaucracy is inherently doomed to failure. This is why business consulting groups’ “security” divisions are the butt of countless jokes among security researchers. No bureaucrat, executive, or politician can ever make enough forms and flow charts to secure data.
Don't do those things when you start a business.
But, then, don't have your business collect and process data on individuals.