by setquk 2749 days ago
So it's ok for small companies to leak personal data?

Doctors' surgeries are small companies here in the UK.

The issue here is that literally every company across the world doesn't give a crap past the end of their nose and has abysmal data protection policies in place because it affects the bottom line. They introduced local legislation to help this and a few large fish got fined and that was it. Ultimately it wasn't worth doing anything about it because it wasn't an operational risk.

GDPR is about making it a major operational risk to do a shitty job. The rules should be the same for every company and the fines proportional, which they are.

The "sheer amount of rules" isn't a lot really and you owe it to your customers.

Conclusion: most of the anti-GDPR whiners are worried about spending on data protection and training because it hurts the bottom line. Change my mind?

2 comments

> So it's ok for small companies to leak personal data?

The GDPR doesn't just require companies not to leak personal data, it's a huge complex regulatory framework designed to handle the megacorps it was passed to target and imposes unnecessarily high compliance costs, and those costs disproportionately affect smaller entities.

In particular, it is possible to have perfectly sound data protection practices that would never lead to leaking personal data, while still not being in compliance because they're not the specific ones required.

These specific unnecessarily complex rules or total anarchy is a false dichotomy.

Do you have any specific cases of how much the GDPR has cost to some small companies? My experience (I work in the EU) has been that the GDPR has not been particularly difficult or expensive (in particular, it was easier than ISO9001, which we also implemented at a small company), but I don't have any hard numbers.

> Do you have any specific cases of how much the GDPR has cost to some small companies?

I work at a medium sized company and know they had to retain a few lawyers at $500/hr to explain what changes had to be made to be GDPR compliant. The changes themselves were not too hard, but hiring the lawyer and knowing what changes to make were.

Rubbish.

I have done GDPR prep for my one man limited company. Took about a day. I don’t even use that company!

https://www.simplybusiness.co.uk/knowledge/articles/2017/11/...

> I have done GDPR prep for my one man limited company. Took about a day. I don’t even use that company!

How sure are you that you're really compliant? You did it yourself, do you know all the rules? Have you seen how they have been enforced and where the trends are going? Doing a half-baked review isn't good enough for most.

Firstly training. Went on a lot of that. Secondly there are plenty of self-test resources out there.

https://ico.org.uk/for-organisations/resources-and-support/d...

Major operational risk is not linear. Joe's Coffee shop doesn't have an army of lawyers to defend their collection and use practices that would possibly be lawful, while BigCorp has an army of lawyers to successfully defend their unlawful practices.

Even if the fines scale (I don't know what the punitive measures are) the cost to litigate won't.

The regulatory agencies don't start with litigation. If you are unintentionally out of line they will contact you to fix it first, and if you do so in good faith that will be the end of it.

How do they find you are in compliance or not, through what methods? Anonymous complaint? Random audit? What if you decide you are in compliance and what they deem unallowable is critical to your business?

I know what bigcorp's strategy is! Outsource data collection to a 'marketing analytics' firm that specializes in 'GDPR compliance'. Sounds like a new boutique consulting industry.

Similar situations exist for small businesses in the US already; we call them the "IRS". While you might argue that if you don't cheat on your taxes you have nothing to fear, the IRS might decide you took some deductions you shouldn't have: pay up or litigate. If you successfully defend? Oopsies, we might audit you again for the same thing next year (happened to a friend of mine)!