by czzarr 2562 days ago
that's the consequence of most rules and regulations supposed to "protect the weak"

Definitely going to need some kind of citation on that one. Pretty much all regulation is to protect the less powerful from the more powerful and to stop people in advantageous positions exploiting others. The rich and powerful can't (in many countries, at least) openly wander around killing and stealing, for example, and the range of regulations down from there covers an enormous amount.
Regulatory capture is, I imagine, what the poster is talking about; it's happening right now with Facebook's suggestion that perhaps more regulation is a good idea...

https://en.wikipedia.org/wiki/Regulatory_capture

It could go that way, but it's usually the most powerful who have the connections with lawmakers and suggest what to write (or not to write) in some laws.

About unintended consequences, check this article about GDPR after one year https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-...

I quote a couple of sentences, but there is much more there.

> After the rule took effect in May, Google’s tracking software appeared on slightly more websites, Facebook’s on 7% fewer, while the smallest companies suffered a 32% drop, according to Ghostery, which develops privacy-enhancing web technology.

> The fact that Google’s compliance strategy has ended up hurting its competitors and redirecting higher demand back to its own marketplace, where it can guarantee it has user consent, has unsettled publishers and ad tech vendors

If you are an adtech company whose primary business was selling personal information of users, then yes, of course GDPR will have had a big impact. Google has put a lot of effort into being GDPR compliant, so I'd assume a lot of businesses switched away from smaller competitors for that reason.

I run a small SaaS business, which doesn't do anything ethically questionable with user data, and becoming compliant involved:

- writing a document on GDPR compliance

- changing a few settings so IPs aren't logged or are at least anonymised

- verifying log files aren't kept longer than needed and don't contain personal information that isn't needed

I don't even need a popup asking for users to give permission to store personal information, because I'm not doing anything that needs that.
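As an added example (not the commenter's own code), here is one way to do the second and third items on that list in Python: truncate client addresses in access logs so they no longer identify a single host, and find lines older than a retention window. It assumes combined-format web-server log lines and a 30-day retention period; the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format, documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.42 - - [24/May/2019:10:15:32 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [24/May/2019:10:16:01 +0000] "GET /login HTTP/1.1" 200 1024',
]

CLIENT_RE = re.compile(r'^(\S+)')          # first field is the client address
TIMESTAMP_RE = re.compile(r'\[([^\]]+)\]')  # e.g. [24/May/2019:10:15:32 +0000]


def anonymise_ip(ip_text):
    """Keep only the network part of an address: a /24 for IPv4, a /48 for IPv6.
    The host bits are zeroed, so the stored value no longer points at one machine."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise_log_line(line):
    """Rewrite the leading client field; lines whose first field is not an IP literal
    (a '-' or a hostname) are returned unchanged."""
    m = CLIENT_RE.match(line)
    if not m:
        return line
    try:
        masked = anonymise_ip(m.group(1))
    except ValueError:
        return line
    return masked + line[m.end():]


def log_timestamp(line):
    """Parse the bracketed request timestamp; None if the line has no date."""
    m = TIMESTAMP_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def lines_past_retention(lines, now_iso, max_age_days=30):
    """Return the lines older than the retention window, measured from an ISO-8601
    timestamp with offset. Undated lines are never reported, so a malformed line
    is not purged silently."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=max_age_days)
    expired = []
    for line in lines:
        ts = log_timestamp(line)
        if ts is not None and now - ts > limit:
            expired.append(line)
    return expired
```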

Did you not get any requests for DPAs, additional certifications, etc.?

You don't need to get any certifications to be compliant; it's not like PCI, where you need to be certified by a third party. This site has a simple checklist of what you need to do to be compliant:

https://gdprchecklist.io/

Most of the actions you need to take are just respecting the user's privacy and being explicit about how their data is shared. If you use your laptop in a coffee shop you wouldn't expect the barista to stand behind you and watch what you are doing, then share that data with their colleagues and suppliers.

I'd say for a small company it's actually easier than a large company, as you have fewer processes that need to be changed. In my case it was a lot simpler to become compliant for this than VAT MOSS.

I haven't had any requests for data, so I don't have an automated way to export it yet, but if anyone requests it I can build it quickly.