[sandstrom]

Small nimble companies will have a (relatively) easy time supporting GDPR. I work at a small european tech company with lots of personal information.

Sure, there is some hassle but we’ll be able to adjust with a few weeks of work. Larger companies with more legacy stuff will have a harder time.

Also, the law is easy to read and quite sensible. Plus it’s great for consumers!

[dogma1138]

Larger companies are much more used to dealing with regulatory requirements.

They have huge legal teams and can hedge their risk and they have a relationship with the regulators.

Legacy software is actually a huge plus for the GDPR currently people might laugh at companies that run MSSQL or Oracle but all the major storage and backup solution vendors support record level backups for the database which means that it's easy to purge or anonymise a purged record, it also means that dealing with backups is now a turnkey solution from the likes of EMC.

A small company that run on flavor of the week DB and uses tarsnap for backup might have a much harder time figuring what is what.

Heck there are plenty of small companies that have an IT team of like 2-3 people that handle personal data for 100,000s of people and it might not even know where all of it's backups are.

"How sure you are that that seagate drive in the back of the closet doesn't have a copy of your database form 2 years ago?"

And most importantly small companies don't have the resources nor the knowledge on how to handle information requests under the GDPR.

I laughed about the idea of having launching handling the information requests as a service platform if I was crazy enough to come up with a way to actually make it work under the GDPR.

When I think of the GDPR what I see is potentially a lot of companies getting screwed over because they don't know any better as regulation of this extent usually only involved giants.

Say you are a company of 15-20 people you get a letter like this: https://www.linkedin.com/pulse/nightmare-letter-subject-acce... What are you going to do? Do you have a data protection and a privacy officer? probably not.. so now it's another hat that some one in your company needs to wear and I really pity the person who'll take this level of legal responsibility on themselves without having the right background, training support and more importantly time.

While this letter might not be pleasant such a letter would be a breeze to many large companies I work for a US financial institution (based in the UK).

This isn't any different than some letters we might get from a regulator or a customer/partner and there is essentially a production line overseen by both inhouse and external legal counsel.

There is a CIO and there privacy officers and compliance officers and champions in each department / team the entire process is essentially automated in an internal ticketing system which will go through a pre-defined workflow and invoke the right people and automated resources (e.g. data discovery), heck for like 90% of those questions we would have premade answers which were signed off by compliance and legal that are maintained upto date.

If you work for a small company and you don't have all these processes set up, you don't have legal counsel I really feel bad for you this isn't something that you can just wing it.

These large legacy companies were working on their GDPR compliance for years any company with a risk department with a pulse would've kicked of a steering committee / SWAT team in March of 2014 as soon as the initial draft was passed and kicked into full gear in 2016 when the final version was approved if not earlier.

I'm willing to bet you that there is a non-negligible number of small companies that didn't do anything as of april 2018 and many more that their GDPR preparation was having a few dev/devops folks sit through a webinar.

I'm really hoping that neither the former or the latter is the case for you but in case your statement "Sure, there is some hassle but we’ll be able to adjust with a few weeks of work." wasn't in tongue and cheek you have less than 50 days to prepare as the GDPR comes into effect on the 25th of May.

[zandor]

> If you work for a small company and you don't have all these processes set up, you don't have legal counsel I really feel bad for you this isn't something that you can just wing it.

But that is exactly the point. If a smaller company does not have the resources (both costs and competence) for something like this, then they should not be handling personal data at all. How would the same excuse sound if they don't have the resource to even secure personal data? Being too small is simply not a valid excuse.

[dannyw]

At a medium sized company, every single engineer received a hour’s worth of training on GDPR and teams were created to oversee implementation and compliance since 2016. GDPR definitely benefits big companies.

[rdtsc]

I imagine it is a non-linear graph. A really small company can probably assign someone to through the backups, unpack them, delete the user, re-backup everything mostly by hand. I assume a small company also means less data here. A medium size company that has more customers, and a more data collected might be at a bigger disadvantage. Not big enough to have a dedicated team on this task, and not big enough for a large legal department, but big enough to be swamped by requests and not process them in time and so on.

[dogma1138]

It's not that simple because there isn't a single type of small company.

Let's take 2 examples:

1) A small startup that has 20 employees have been around for say 2 years and likely have been serving a fairly small number of customers for a fairly limited amount of time say 6-12 months.

They are both technically capable and small enough to maybe adapt without breaking too many laws.

2) A small retailer/speciality trader with 8 employees that has been in business for 30 years, has digitized records from the 90's has been taking orders via the phone for that duration and had a computerized ordering system singe the mid 90's. They operate their own website on some ecommerce platform and do all the books, accounting and billing in house via some SMB accounting software e.g. Sage Books/Accounts/50 etc....

Over those 30 years they might have collected information from 10,000's or even 100,000's of individuals.

Number 2 is the real problem because these types of companies outnumber the tech bootstrapped startups what a 100 to 1? 10000 to 1? and there are plenty of small businesses that never really grow beyond their immediate market but still are successful enough to remain in business for decades.

On May 25th I can send a Subject Access Request letter to my fucking dry cleaner and they will be legally obliged to handle it within no later than one month, if that isn’t a kicker the I don’t know what is.