[shados]

> If you own a business, the cost of reading this document is about 2 days

I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.

If you make any amount of reasonable money, you need a lawyer to work with your devs (hope you didn't outsource the work!) on a lot of this. And your usual lawyer, if in the US, might not be qualified to deal with EU laws. It's a tough situation. For businesses that don't even target EU markets on purpose, well...

If you're a medium to large international business, then this is just business as usual: dealing with new laws popping up, small or large, is just something you do. It sucks, but hey: it increases the barrier for entry of your next competitor!!

Disclaimer: I think GDPR is fine, and in a few years when every new startup or mom and pop company and 3rd parties are all setup for it, it will be a no brainer, just like email (not many people running their own email servers these days!). But the transition is hard, especially on smaller players.

[Boulth]

> For businesses that don't even target EU markets on purpose, well...

See https://ec.europa.eu/info/law/law-topic/data-protection/refo...

> When the regulation does not apply

> ...

> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

[JumpCrisscross]

This boils down to relying on each of the EU's twenty-eight data regulators interpreting "specifically target" favorably into perpetuity. One of them takes an unusual view, once, at any time in the future, and you lose 4% of your global revenues.

[bardworx]

> I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.

I totally agree with you. But like you said, "It sucks, but hey...". That's totally the approach.

Yeah, it sucks, and what's new? There is always something that sucks. Within the next two months, there is: TLS1.2, new PCI guidelines, and GDPR that go live.

GDPR has more nuance then most other situations but just like PCI, you just deal with it.

What I imagine is this situation is like a bunch of stores stop taking credit cards because the new PCI guidelines require TLS1.2, anonymized customer data, and all customer data stored at rest to be encrypted or hashed.

Would folks have same reaction if their neighborhood deli said "fuck it!" I ain't protecting the CC data cause its tough and requires too much work?

[closeparen]

The cost of PCI compliance is baked into the transaction fee, and yes, businesses are sometimes cash only; particularly if the business is small and its products are affordable, customers understand and appreciate the owner's unwillingness to pay those fees.

[manigandham]

PCI is well defined. It's a lot of process, but nobody is confused on what the process is.

[ncallaway]

How true was that on week 1 that PCI went live?

[shados]

There was still a pretty easy line between "I take credit cards" and "I don't take credit cards". The rules for PCI drastically vary between company size too, in that compliance for small companies is pretty easy, and your responsibilities increase as you go. To this day, there are companies that don't take credit cards too (though usually its not to avoid PCI, heh).

But yes, once there's an industry of GDPR auditors, precedents in lawsuits, and the threshold for "Do not market explicitly to europeans" is obvious and well understood, this will be much easier.

And still, until the end of time, there will be companies that aren't GDPR compliant and don't work with EU customers. Maybe with the goal of doing so once they have more time and resources.

[manigandham]

100%.

It's basically a checklist, and you're either compliant or you're not. It includes various levels with actual numbers and explicit requirements, there's very little interpretation needed.

If anything, it should've served as the model for GDPR.