by fusl 2744 days ago
As far as everything on the internet tells me, GDPR was made for exactly this reason, to prevent this kind of data collecting without the users' consent. But what is happening instead is that small companies, startups, etc. are getting fucked over by the sheer amount of "rules" they have to follow and implement while large companies can get away with collecting everything and anything, leaking personal user data all over the place, etc.

Conclusion: GDPR was made to help monopolies grow even larger and prevent smaller companies/start-ups from ever growing more than just a little bit. Change my mind?

11 comments

So it's ok for small companies to leak personal data?

Doctors' surgeries are small companies here in the UK.

The issue here is that literally every company across the world doesn't give a crap past the end of their nose and has abysmal data protection policies in place because it affects the bottom line. They introduced local legislation to help this and a few large fish got fined and that was it. Ultimately it wasn't worth doing anything about it because it wasn't an operational risk.

GDPR is about making it a major operational risk to do a shitty job. The rules should be the same for every company and the fines proportional, which they are.

The "sheer amount of rules" isn't a lot really and you owe it to your customers.

Conclusion: most of the anti-GDPR whiners are worried about spending on data protection and training because it hurts the bottom line. Change my mind?

> So it's ok for small companies to leak personal data?

The GDPR doesn't just require companies not to leak personal data, it's a huge complex regulatory framework designed to handle the megacorps it was passed to target and imposes unnecessarily high compliance costs, and those costs disproportionately affect smaller entities.

In particular, it is possible to have perfectly sound data protection practices that would never lead to leaking personal data, while still not being in compliance because they're not the specific ones required.

These specific unnecessarily complex rules or total anarchy is a false dichotomy.

Do you have any specific cases of how much the GDPR has cost to some small companies? My experience (I work in the EU) has been that the GDPR has not been particularly difficult or expensive - and in particular it was easier than ISO9001, which we also implemented at a small company -, but I don't have any hard numbers.

> Do you have any specific cases of how much the GDPR has cost to some small companies?

I work at a medium sized company and know they had to retain a few lawyers at $500/hr to explain what changes had to be made to be GDPR compliant. The changes themselves were not too hard, but hiring the lawyer and knowing what changes to make were.

Rubbish.

I have done GDPR prep for my one man limited company. Took about a day. I don’t even use that company!

https://www.simplybusiness.co.uk/knowledge/articles/2017/11/...

> I have done GDPR prep for my one man limited company. Took about a day. I don’t even use that company!

How sure are you that you're really compliant? You did it yourself, do you know all the rules? Have you seen how they have been enforced and where the trends are going? Doing a half-baked review isn't good enough for most.

Firstly training. Went on a lot of that. Secondly there are plenty of self-test resources out there.

https://ico.org.uk/for-organisations/resources-and-support/d...

Major operational risk is not linear. Joe's Coffee Shop doesn't have an army of lawyers to defend their collection and use practices that would possibly be lawful, while BigCorp has an army of lawyers to successfully defend their unlawful practices.

Even if the fines scale (I don't know what the punitive measures are) the cost to litigate won't.

The regulatory agencies don't start with litigation. If you are unintentionally out of line they will contact you to fix it first, and if you do so in good faith that will be the end of it.

How do they find out whether you are in compliance or not, through what methods? Anonymous complaint? Random audit? What if you decide you are in compliance and what they deem unallowable is critical to your business?

I know what bigcorp's strategy is! Outsource data collection to a 'marketing analytics' firm that specializes in 'GDPR compliance'. Sounds like a new boutique consulting industry.

Similar situations exist for small businesses in the US already; we call them the "IRS". While you might argue that if you don't cheat on your taxes you have nothing to fear, the IRS might decide you took some deductions you shouldn't have, pay up or litigate. If you successfully defend? Oopsies, we might audit you again for the same thing next year (happened to a friend of mine)!

> Conclusion: GDPR was made to help monopolies grow even larger and prevent smaller companies/start-ups from ever growing more than just a little bit. Change my mind?

The conclusion you should be coming to is that if Microsoft is doing this they will be hauled over the coals in a really quite painful way. Not this month or next, because the GDPR enforcers are snowed under at the moment.

As for the “rules” small businesses have to follow to be compliant, for the most part I strongly believe that they just codify the things people should be doing anyway: Thinking about how you collect users data, why you need it; how long you keep it for; how you secure it; who you pass it to - how they use it.

It’s not rocket science.

> Thinking about how you collect users data, why you need it; how long you keep it for; how you secure it; who you pass it to - how they use it.

Yes – plus how you tell the people whose data you are collecting about this.

> Change my mind?

1) regulators are bringing first rounds of sanctions against Google, Facebook, and large Banks.

2) the sort of data GDPR protects is typically only valuable for larger companies -- you're definitely not running a small business selling to <10,000 customers if your business model is selling data for, say, $6.18/user (Facebook's return).

It’s too early to tell whether large companies will be able to get away with this stuff under GDPR.

If your small company is "getting fucked over" because of privacy laws, you’re doing something shady in the first place.

> what is happening instead is that small companies, starrups, etc. are getting fucked over by the sheer amount of "rules" they have to follow and implement

Nope. The GDPR is a European-style regulatory framework: it sets out principles and expects people to apply them in a reasonable and sensible way. The national regulating agencies are there to steer organisations into doing the right thing, rather than beating them up when they don't. I have literally telephoned the UK regulator and had a polite conversation when I needed a clarification of a particular point in their (most clearly written) online guidance.

The regulators do have strong powers so that large and well-funded companies can't just deploy lawyers to get away with things. Cambridge Analytica is one obvious case: they tried to play games with a GDPR regulator, and got a very hard smack-down.

That's how most regulations work out.

https://en.wikipedia.org/wiki/Regulatory_capture

Agree. And that pretty much sums up the banking system.

That is probably a standard side-effect, but I doubt the GDPR was proposed with the intent of helping the Googles, Facebooks and Microsofts of the world.

Now that I think about it, yeah, I think Microsoft is probably gonna land in some big trouble with GDPR because of this. There's not really a way out of it because of how little control they give the user. I think it's just going to take time, because there are so many high-profile GDPR cases going on right now.

Plus, it's not like the big companies can afford to get hit by GDPR in a way that small companies can't. GDPR fines are based off of the company's revenue, which works well for preventing Microsofts from making more money from doing it anyway and paying the fine.

Do you have or plan to have a product?

What data are you collecting and do you share/sell it?

Do you collect more than you need? If yes, why, and is it hard to provide the option to the user not to collect non-essential data?

What part of GDPR is the one that is giving you a lot of work and you think is a disadvantage for a small startup? If the answer is that I want to move fast and not think about securing the data, making it easy to delete etc., then moving fast is not an excuse; you should secure the data from the start, follow the laws when the data is leaked, etc.

Regulation in general tends to be a regressive tax. Larger companies have the bureaucratic overhead to handle it and can also often lobby or litigate their way around it. If they do get tripped up they can pay the fines or hire lawyers. Smaller companies have neither the time nor the money to deal with regulatory complexity.

GDPR really should only apply to companies beyond a certain size. Or at least, the requirements for small companies should be less stringent.

Small companies can and do abuse personal data just as well.

I'll never forget how some period tracking app that my partner was using was updated with much more invasive privacy policy terms. It was take it or leave it, no way to use the app any more except by clicking the accept button.

It was a small European start up that did this.

So yes, GDPR applies to all sizes of companies.

That would be exploited SO FAST!

Embed my 1-person company's widget. I will collect everything and send it to big boys.

Same way as you funnel money through a shell corp to avoid taxes.

In the US, we have rules to stop this sort of thing for e.g. background check data. If you collect personally identifiable information from a third party, it's the same as if you collected it yourself.

Why should small companies be able to collect user data without consent?

The requirements for small companies are less stringent.

> The requirements for small companies are less stringent.

Conditioning various minor requirements on entity size is no help if they don't actually reduce the complexity. Otherwise the cost of determining what they have to comply with is as expensive as the cost of determining what they have to do to comply.

What smaller entities need is an entirely separate framework with fewer, simpler, narrower rules that don't have to be as robust against a huge team of lawyers finding loopholes because smaller entities don't have a huge team of lawyers finding loopholes.

Then you can have an entirely different set of robust arbitrarily complex rules that all only apply to companies with more than 1000 employees because they can afford to handle the complexity.