[pmontra]

It could go that way but it's usually the most powerful to have the connections with lawmakers and suggest what to write (or not to write) in some laws.

About unintended consequences, check this article about GDPR after one year https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-...

I quote a couple of sentences but there is much more there

> After the rule took effect in May, Google’s tracking software appeared on slightly more websites, Facebook’s on 7% fewer, while the smallest companies suffered a 32% drop, according to Ghostery, which develops privacy-enhancing web technology.

> The fact that Google’s compliance strategy has ended up hurting its competitors and redirecting higher demand back to its own marketplace, where it can guarantee it has user consent, has unsettled publishers and ad tech vendors

[fyfy18]

If you are an adtech company who's primary business was selling personal information of users, then yes, of course GDPR will have had a big impact. Google has put a lot of effort into being GDPR compliant, so I'd assume a lot of busineses switched away from smaller competitors for that reason.

I run a small SaaS business, which doesn't do anything ethically questional with user data, and becoming compliant involved:

- writing a document on GDPR compliance

- changing a few settings so IPs aren't logged or are at least anonymised

- verifying log files aren't kept longer than needed and don't contain personal information that isn't needed

I don't even need a popup asking for users to give permission to store personal information, because I'm not doing anything that needs that.

[czzarr]

did you not get any requests for DPAs, additional certifications, etc?

[fyfy18]

You don't need to get any certifications to be compliant, it's not like PCI where you need to be certified by a third party. This site has a simple checklist of what you need to do to be compliant:

https://gdprchecklist.io/

Most of the actions you need to take are just respecting the user's privacy and being explicit about how their data is shared. If you use your laptop in a coffee shop you wouldn't expect the barista to stand behind you and watch what you are doing, then share that data with their colleagues and suppliers.

I'd say for a small company it's actually easier than a large company, as you have fewer processes that need to be changed. In my case it was a lot simpler to become compliant for this than VAT MOSS.

I haven't had any requests for data, so I don't have an automated way to export it yet, but if anyone requests it I can build it quickly.