by raziel414 2812 days ago
I'm not surprised. I used to work on a team at Google that had to deal with GDPR (I still work at Google, but on a different team), and we had to get legal review for a lot of use-cases. For example, we had a backup system that took snapshots of our user-provided data. If a user requested their data be purged, should we purge all the backups as well?

Since we had legal counsel in house, it wasn't too terrible. For a smaller company that doesn't have those resources though, GDPR compliance must have been a huge burden.


You know what? It's only a huge burden for organisations that process a lot of personal data in a variety of interesting ways.

As someone leading the privacy program at an organization that doesn't have that much personal data (relative to most businesses in our industry at least, and probably overall) and doesn't process it in particularly "interesting ways," I strongly disagree. The GDPR was and is a huge burden. You can believe that it's worth it without engaging in the fantasy that it's not burdensome, but don't deny the reality of the burden.
As someone who was involved in the GDPR work for an organisation that holds some fairly critical information about people and needs to share it with other organisations both as Data Controller and Data Processor, it really wasn’t too bad, mainly because we had already thought quite carefully about privacy and data security.

As a committee member on a local swimming club, it took about 2 hours.

There's a huge variance depending on the complexity of the business and how many different things you do. Most of the variance has little to do with the shadiness/lack thereof of what you were doing with the data or even how well it had been thought through. Most of the variance is in how many different types of things you're doing and how many different data inputs you have.

I've talked to colleagues who do a wide variety of processing for their controllers in a business with just a few employees, which is paralyzing. The company I work in is somewhere in the middle. I've also talked to colleagues at companies who only have a few inputs, and regardless of the volume of input that seems to be pretty easy.

I disagree. The sheer magnitude of fines that can be imposed makes the potential damage huge, even if the probability of being hit by them is small. This makes the risk of noncompliance high.
More generally, I am wondering: how do smaller companies go about even attempting to comply with the GDPR? The “head in the sand” approach of simply not serving requests to people physically in the EU doesn’t work for a number of reasons, and I don’t see how you can even sell anything on the internet without being within its reach. (Of course, now that I think about it, how is the EU going to fine a small business in the US that has no overseas operations?)

Are there any resources for small businesses in the US that want to protect themselves from onerous fines the data regulators can impose? How can they even begin to assess the risks of noncompliance?