by vmarsy 2948 days ago
> You claim that GDPR has a big administrative burden to small businesses but that's not the case as long as your business model is not based on invasion of privacy. If it is, well, tough life!

There's something I don't get in your argument: how is having a business model not based on invasion of privacy protecting your business from receiving GDPR Subject Access requests, the legal fees a small business needs to spend to take care of those, and the handling of those?

In your food example it'd be more as if a law required you to have an employee meeting with a health inspector daily. And that employee must not be a cook/staff. This seems easier for a big chain to comply with than a small business.

Here, to monitor all their email, each social media page, etc., and spend time figuring out if each tweet/post is a subject access request is going to be much easier to scale for a big company compared to a small business.

Also, one thing a bit off-topic that's not clear to me is if suddenly a business needs to start handling and archiving sensitive information because of GDPR letters (for each request, there must be a proof of identity such as ID, passport scan, etc.). You now risk having potentially non-compliant businesses handle those. That seems like exposing yourself more to identity theft for each GDPR request you make.

(See "how do we recognize a request" in https://ico.org.uk/for-organisations/guide-to-the-general-da... )