by pclmulqdq
442 days ago
Ah excellent. Encryption is not compulsory, but doing a bureaucratic risk assessment of whether you need encryption is. That is so much less work. In reality, GDPR is a jobs program for eurocrat auditing and consulting firms combined with an effort by Facebook and Google to prevent European competition. Note that GDPR fines are big enough that they can crush a small company, but small enough that Google wouldn't care.

The notion that this is either a consulting gig fix or an effort to prevent European competition is naive and farcical in the extreme. The three highest fines for Meta (1.2b, 405m, 390m) total €2 billion, more than every other GDPR fine combined.
https://www.enforcementtracker.com/
Note that GDPR fines for individuals and SMEs are in the 3 to 5 figure range, and come under very basic grounds following repeated warnings. The intention is not to 'crush' anything, least of all SMEs in a globalised marketplace.
This is quickly evident when you look through the fines, where the only entity that wasn't a major company with hundreds of millions in turnover to break a fine of €5 million was a Croatian debt collector with absolutely appalling violations of basic data control, including processing minors, processing people with no debt at all, and monitoring things down to the progression of terminal illnesses.
https://azop.hr/debt-collection-agency-eos-matrix-d-o-o-impo...
The most common by far are Art. 5 and 6 (insufficient legal basis for data processing), followed by Art. 28 (3) and Art. 32 (insufficient technical and organisational measures to ensure information security).
These are basic compliance requirements, mirroring something like PCI but for personal as opposed to cardholder information. Framing this as some lobbyist wet dream of Goliath vs David is just so much FUD.