by McDev 2424 days ago
I work at a lot of startups as a contractor. The disregard for privacy and user data everywhere I go is astounding. They're all in survival mode.
3 comments

It's funny how we let this all slide when it comes to tech. Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food"
But that's exactly what happens in the world though. In some poorer countries like China, street vendors are literally using gutter oil to make food.

If you want rules to be respected then you must be able to enforce them. Poorer places just can't afford to enforce those rules. If rules aren't enforced equally then people won't follow them, because if they have additional costs that their competition doesn't then they'll likely be outcompeted.

But I don’t think McDev above was talking about a software startup in the poorest part of the world. I have implemented GDPR in a small non profit open source SaaS business. A funded startup should have no issue doing the same.
But I wasn't talking about the poorest parts of the world either. China is richer than some EU countries, e.g. Bulgaria.
They can and they do enforce it. Street vendors are much less common in China than they used to be.
Yes, in now richer cities. But they still thrive in lower-GDP cities.
> Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food"

But that's exactly what we do. The health inspector doesn't come to your home to verify that you wash your cutting board, even on the day you have a dinner party to entertain business clients. Depending on local law you may or may not be expected to follow the same rules as McDonalds (getting a food service license etc.) when you hold a high school bake sale, but people commonly don't actually do it and governments commonly don't actually enforce it in those circumstances.

Because it's more important, and justifies a higher compliance burden, to ensure that the company serving billions of hamburgers isn't giving people food poisoning than the individual serving four.

I believe you're being downvoted because it is common knowledge that food service legislation only applies to those selling food, and therefore intentionally doesn't apply to dinner parties.
Does the GDPR only apply to those selling personal information?
If your European friend tells you their phone number and you write it down on your refrigerator (or your public blog for that matter), the French government isn’t going to come fine you for violating GDPR.
Is that what it says, or are you just saying they're not likely to enforce it in that way, and now we have a rarely enforced law that everybody violates and therefore the government can use it as a pretext to undemocratically destroy anybody that government officials don't like?
My experience with startups lately is if it's a greenfield project that started within the past 3 years then they'll do everything by the book (sometimes even down to storing email addresses as hashes in the database, requiring a user to log in first for the software system - and the company - to know their email address).

Older systems which depend on having PII and even financial information as cleartext in the database are the problem - and it's essentially technical debt with far-reaching consequences, so no one will fix a system that uses tenants' customers' SSNs as a primary key (yup).
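The "email addresses as hashes" approach the comment above describes, as an added example that is not code from the thread or from any company mentioned in it. It assumes a server-side secret (`EMAIL_HASH_KEY`, a constructed constant here; in practice loaded from a secrets manager, never stored beside the table) and uses a keyed HMAC of the normalised address as the lookup column, so a database dump holds no address and, unlike a plain unkeyed hash, cannot be matched against a list of candidate emails. The user table and addresses are constructed for the demo; `normalize_email`, `email_token`, `UserStore` and `dictionary_attack` are names introduced here.

```python
"""Pseudonymised e-mail storage: the users table keeps only a keyed hash.

Added example for the thread, not production code.  Assumes EMAIL_HASH_KEY is
held outside the database (KMS, environment, config server); the value below
is a constructed placeholder.
"""
import hashlib
import hmac
from typing import Optional

# Constructed pepper for the demo.  In production load it from a secrets
# manager so that a dump of the database does not include it.
EMAIL_HASH_KEY = bytes.fromhex(
    "5f1a3c9e8d7b6a5040302010fedcba9876543210abcdef0123456789abcdef01"
)


def normalize_email(email: str) -> str:
    """Canonicalise so 'Alice@Example.COM ' and 'alice@example.com' collide."""
    local, _, domain = email.strip().rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    # The domain is case-insensitive by definition; lowercasing the local
    # part is a policy choice that matches what most providers do.
    return f"{local.lower()}@{domain.lower()}"


def email_token(email: str, key: bytes = EMAIL_HASH_KEY) -> str:
    """Keyed hash stored in place of the address and used for lookups."""
    msg = normalize_email(email).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_token(email: str) -> str:
    """What NOT to do: a plain SHA-256 of the address, kept here for contrast."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


class UserStore:
    """In-memory stand-in for the users table; rows never contain the address."""

    def __init__(self) -> None:
        self._rows: dict = {}

    def register(self, email: str, display_name: str) -> str:
        tok = email_token(email)
        if tok in self._rows:
            raise ValueError("already registered")
        self._rows[tok] = {"display_name": display_name}
        return tok

    def find_by_email(self, email: str) -> Optional[dict]:
        """Login path: the user presents the address, we recompute the token."""
        return self._rows.get(email_token(email))

    def tokens(self) -> set:
        """Everything an attacker would get from dumping this table."""
        return set(self._rows)

    def contains_address(self, email: str) -> bool:
        """True if the cleartext address appears anywhere in the stored rows."""
        needle = normalize_email(email)
        return any(needle in str(v) for row in self._rows.values() for v in row.values())


def dictionary_attack(stored_tokens: set, candidates: list) -> list:
    """Offline attacker with a dump and a candidate address list (no key).

    Every candidate can be checked against unkeyed hashes; against HMAC
    tokens the attacker would first need EMAIL_HASH_KEY, which is not in the dump.
    """
    recovered = []
    for cand in candidates:
        if unkeyed_token(cand) in stored_tokens:
            recovered.append(normalize_email(cand))
    return recovered


if __name__ == "__main__":
    store = UserStore()
    store.register("Alice@Example.COM ", "Alice")
    leak = ["alice@example.com", "bob@example.com"]  # constructed candidate list
    print("login works:", store.find_by_email("alice@example.com") is not None)
    print("address in table:", store.contains_address("alice@example.com"))
    print("recovered from keyed dump:", dictionary_attack(store.tokens(), leak))
    naive_dump = {unkeyed_token("alice@example.com")}
    print("recovered from unkeyed dump:", dictionary_attack(naive_dump, leak))
```

Two caveats a practitioner should keep in mind: the application still sees the cleartext address at login, so this only limits what a database dump or a read-only SQL injection exposes; and the key cannot be rotated from the stored hashes alone, so a rotation has to re-derive each token the next time that user logs in.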

I am aware of a legacy system powering a local business which runs on Rails 1 on a version of Debian from 2012 and stores users' passwords in plaintext, downcased.

I have tried to explain so many times that this system needs to be replaced urgently, not for security reasons but because no one actually knows how to use Rails 1 anymore.

I have a Rails 1 product making $10K a year but I don’t have even the ability to log into the box anymore so if even the tiniest thing falls over that revenue is permanently gone for me.
I'm curious about the economics of this - is it big enough to not be worth redeveloping when you consider the income over, say, 3-5 years?
I’m too busy with my kids and my job to deal with it.
Do you consider it difficult to survive as a startup while protecting the privacy of users?