If your business model is based on something that will violate the GDPR, like streetlend selling user data to advertisers, then should you really be opening that business in the first place?
The parent comment's point has been missed, or understood but not used. The point is that small companies which are valid must jump through significant hurdles to satisfy GDPR. Contracting an expensive DPO (are they going to be doing you a service in pricing, or making out well?) to set this up may be more than some small businesses can handle.
In the UK the ICO is the governing body, and they say I don't need one. From their guidance linked below
>The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.
I am neither a public authority nor do I carry out those certain types of activity.
> If your business model is based on something that will violate the GDPR,
That is COMPLETELY IRRELEVANT to what people are saying. If someone complains about me, am I obliged to defend myself? If I don't, am I subject to ruinous penalties? If I do and am victorious is the complainer required to compensate me for all of my costs?
I'm afraid I disagree entirely. If your business is aggregating data in order to sell more effective advertising then you are walking a line and need a lawyer. If your business is selling widgets and you collect personal details in order to complete orders then you are just going to have to write some documentation.
I can tell you as someone who is working in an old school retailer/wholesaler we are not, and neither is anyone we are talking to through various trade bodies, employing lawyers to do GDPR.
Actually, you can keep order data as it has to do with VAT law, but you have to keep it in line with GDPR... So it's not just writing some documentation, rather making sure your data is secured with up-to-date technology, taking into account state-of-the-art technologies, etc...
Lawyers can't help you with ambiguous laws very much as it takes precedents to make sure what the words mean.
Other way around. This business was opened half a decade ago, with users being perfectly fine with it (or it wouldn't have stuck around). The GDPR, on the other hand, has flown under the radar and only suddenly became a thing that service providers (generic "service", not "internet service providers") were made aware of in a legal context. So if we're raising eyebrows, it's at the EU and the GDPR. Not at sites that have operated to users' satisfaction for five+ years.
That's what they said about the EU VAT changes as well. "How are small businesses surprised by this new rule that comes into effect in under a month? We've been discussing it in committees they've never heard of somewhere in another country for years!"
The reality is that almost all businesses are small businesses, and most businesses are microbusinesses. These sorts of organisations don't have full time resources watching out for potential legal hurdles coming down the line in a few years. Many of them don't have full time resources at all.
It's ironic that a law where one of the main effects is to dramatically increase notification requirements has resulted in barely any media coverage and no notification from any official sources to any of my businesses yet. What media coverage there has been mostly seems to have been prompted by people being surprised by the sudden wave of privacy-related emails. So, how is this not going to be a surprise move for millions of small businesses if no-one did anything to tell them about it?
Please, I work for a "small" business and the management have been going on about it for months.
If you run a business and were not aware of GDPR then you are incompetent or employ people who are feeding you bad information.
Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.
> If you run a business and were not aware of GDPR then you are incompetent or employ people who are feeding you bad information.
Why? Most businesses are very small and don't have any sort of in-house legal team, and won't go actively looking for expensive external legal advice if they aren't aware that they have a need to.
> Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.
That is an entirely unfounded assumption. There is literally no relationship between being technically competent in protecting personal data, having a positive attitude towards respecting privacy, and being aware of new laws coming out of the EU.
Yes, and talks first started in 1996, and yet here we are today with massive problems because small businesses, and especially self-employed startups etc., don't have an on-call lawyer that knows everything about EU regulation. Or anyone. They won't have heard of this from anyone until it hit the news, only a few months ago. Is a few months enough to understand and become fully GDPR compliant? Probably not. Do you know all the EU laws currently in the works that are going to affect your website 5 years from now? Probably also not.
What about small companies that don’t sell data as a business model?
GDPR punishes the vast majority of businesses that do not have business models reliant on selling user data in favor of trying to catch the ones that do.
Unfortunately, I fear this regulation will do absolutely nothing to stop the bad actors from selling data as they do now.