Hysteria around GDPR

Original author: Jacques Mattheij
  • Translation
The article was published on May 18, 2018.

In a week the GDPR, the General Data Protection Regulation, becomes binding. Unlike any other recent law I can think of, the GDPR has had an interesting side effect: it has caused mass hysteria in the usually rational technology sector.

This article is an attempt to calm the nerves of those who feel that (their) world is on the verge of collapse. When it comes to any law, this one included, the guiding principle is: Don't Panic. The article is aimed specifically at owners of small and medium-sized companies that are active on the Internet and are now somewhat in shock.

About me: I have been doing technical due diligence for M&A transactions for about ten years (with a team of eight people). That experience, together with the belief that privacy on the Internet is worth fighting for, led me to study privacy practices on the web in detail. As a result, I have a good picture of the impact the GDPR will have and of how companies are responding to the new rules.

To begin with: every company, every project and every hobby has to comply with the law. What that takes usually depends on what you do, on your local legislation and, obviously, on the laws themselves. It does not matter whether you work for profit or for pleasure, whether you earn pennies or billions of dollars with tens of thousands of employees: complying with the law is the norm. If you do business abroad, you may have to comply with the laws of another country as well. And given the transnational nature of the web, there is a pretty high probability that your little domain is subject to the laws of several jurisdictions. For people from relatively small countries (small from the point of view of the rest of the world's authorities) this is nothing new: they have always been subject to the laws of more powerful states and have probably adapted well. But for residents of large countries,

The easiest way to come to this understanding is to recognize the fact that you are still required to comply with a large number of laws in order to be able to work in the European market. Even a lemonade stall must comply with the following legislation:

  • food safety laws
  • business law
  • municipal law
  • administrative law
  • labor law
  • possibly other regulations

So it was never simple before either. Now one more law has been added to the pile, and that is not the end of the world. The article is not intended for large companies, and I am not a lawyer (yes, this is one of those boring disclaimers), so the text is not written in legal language. Still, there are some legal terms from the GDPR that I cannot avoid. Definitions of these terms are given at their first mention; for anything beyond that, use your favourite (GDPR-compliant, of course) search engine.

The first thing to understand about the GDPR is the phrase "one law for all". The GDPR was written to replace its predecessor, the DPD (the European Data Protection Directive). The DPD had an annoying flaw: it was a toothless directive, not a binding regulation, and so almost everyone ignored it. It is an old story: first comes self-regulation; if that does not work, a directive appears; and if there is still no effect, a law with penalties for non-compliance finally follows. As the sign on the map says: "You are here!". In exactly seven days a law comes into force that has teeth and that, for a change, you cannot ignore.

Where does the panic come from? I have seen many different explanations, but most of them revolve around a fairly limited set of misconceptions. I will go through them one by one from the point of view of a small business owner, to bring the emotional temperature down to an acceptable level. The misconceptions need debunking first; that will let us focus on what really matters.

  • I will be fined up to 20 million euros for the slightest violation of GDPR

Well, the GDPR does have the potential to escalate to that level, but in the spirit of good-natured European law enforcement the various agencies will first warn you that you are not complying, give you a period of time to fix the shortcomings, and fine you only if you ignore them. The penalty will be proportional to the offence. You can of course ignore the penalty, and then the consequences are unpredictable, but if you pay it and fix the shortcomings you can consider the matter closed. Typical EU practice for repeated violations of the same kind is an increasing fine. It can grow quickly, so most companies fix the problem promptly once they have been fined for the first time. I am confident that this is how it will go, because that is how it has worked so far: every interaction with the data protection agencies follows the same pattern of warning, fine, larger fine. I am not aware of a single case to the contrary, and I would love to be surprised.

Note that 20 million euros or 4% of the global turnover is the maximum penalty. Specifically, it is defined as "a fine of up to € 20 million or 4% of the annual world turnover for the previous financial year for the enterprise, whichever is greater." The maximum penalty was introduced to guarantee that giants like Facebook and Google do not ignore the law, simply paying a fine and continuing the previous practice. In no case should you think that you, the owner of a small business, will be fined 20 million for each violation found.

  • GDPR will allow anyone to sue me, even from abroad

The GDPR does not make that possible, but you may be interested to learn that anyone can already sue you or your business for any reason. That is a direct consequence of doing business and has nothing to do with any particular law. What the GDPR does is let individuals go to their regulator and complain if you decide to ignore their requests. So if John Doe asks that his data be deleted from your server and you tell him to get lost, John has the right to alert his regulator to your probable non-compliance with the GDPR. If the data protection authority in John's country considers the complaint meaningful, it will send you the letter mentioned above. If not, you will never hear from them. The data protection authorities will function as intermediaries and points of contact. If that looks like selective enforcement to you, you should be happy with the new law: the intermediary role significantly reduces the regulatory burden. This mechanism ensures that citizens cannot use the GDPR to go after businesses on a whim; a filter is introduced before any decision is made.

  • Draconian fines without warning

No. Fines will be proportional and levied only after companies have been given the opportunity to put things right. That is how it has been with every EU privacy law so far, and this one will be no different. EU regulators see their mission as enforcing the law, not as generating revenue.

  • GDPR will require consideration of complaints / documents in 28 different languages

The GDPR text is available in English, and a typical regulator will send you a notice in a language you can understand. This is the case for all legal matters in the EU, from traffic fines to copyright law and everything else. If there is one thing the EU does well, it is working in many languages. So if you receive any documents, they will be in a language you can read, and if you cannot read it, an English translation will be available to you. An example, by the way: last year in Paris I got a parking ticket for leaving the car on the wrong side of the road on a certain day. I had parked on the right side on Monday, but apparently on Tuesday the car had to be on the other side, and as a clueless tourist I assumed everything was fine because everyone else was parking there too.

  • GDPR will require hiring staff, and my organization is too small to afford it

No. The GDPR requires that certain roles be assigned so that someone is responsible for data protection; it does not require you to hire anyone for them.

  • Faceless bureaucrats will use selective enforcement of GDPR to fill EU treasury at the expense of foreign companies

The EU tends to use fines as a means of forcing a company to comply with the law. If a company is large, has large European offices or uses the EU for tax avoidance, then it rightly worries about this particular aspect, especially if it has built its business on massive databases of profiles of EU citizens. If that is not you, you can most likely ignore this aspect of EU law. But if you are Mark Zuckerberg, I would definitely not recommend ignoring it. Then again, the chances of Mark reading this article on my blog are nil.

  • The EU is too far. As a foreigner, I simply abide by my local laws and ignore the rest

As soon as you start doing business abroad, you have to comply with the laws of those countries. You may have hoped otherwise, but it has always been this way. For physical products there are various bodies that enforce the laws of other countries, covering the rules on production, transport, storage, ingredients (down to their origin) and so on, depending on the context and nature of your business. For an online business the situation has never been any different: you have to comply with copyright law, online gambling laws, the DMCA and many other laws that are essentially local in nature (although copyright law has long been harmonised between countries, which simplifies matters).

  • Processing all these requests from end users will be a huge load

Then automate them. If you were able to automate data collection, you can certainly automate the rest of the data's life cycle. When it comes to harvesting juicy pieces of data, companies run into no insurmountable technical problems, yet as soon as it comes to deleting that data we suddenly return to the Stone Age and start removing records by hand, like a craftsman with a hammer and chisel, and even for a small site the work supposedly takes decades. These are disingenuous arguments, and anyone making them looks rather silly, because nobody has ever complained about the effort of collecting data. In fact there are whole armies of programmers working hard to scrape data from public websites, and that is far more work than a properly designed life cycle for the data once it has been collected. So yes, it is a burden. But no,

  • The law suddenly fell on us, there is absolutely no way to prepare for it in a week

The law was adopted more than two years ago, and the DPD, the European Data Protection Directive, has been in force for more than two decades. So no, this law did not fall on anyone out of the blue, although it is quite possible that you only found out about it a few weeks or months (or days?) ago. If so, do not panic anyway. Most likely you will be fine.

  • Impossible to comply with this law.

Well, my site is fully compliant with the law, so at least the law seems to work here. Why? Because I do not store any information about you. That is a conscious choice on my part, made long before the GDPR was even being discussed. But if your situation is more complicated, you can also become compliant, or at least (and most importantly) you can try. For example, it is often argued that no web server (or indeed any Internet service) can be compliant, because all web servers log IP addresses, and IP addresses are PII. That argument does not hold water, for several reasons; here are the main ones. Web servers only log IP addresses if you configure them to. Almost every web server has a log format option that determines what gets written, and you can configure it to record only the network part of the address rather than the full address. You also have the option of logging full addresses and disclosing in your privacy policy that you do so, but then you have to allow deletion of that data on request, which can be burdensome (or not, depending on the volume of such requests). Finally, you may have a legitimate reason to log full IP addresses, provided you delete them once you no longer need them. Erasure requests must be answered within a month, extendable by a further two months in complex cases, so an automated reply telling the user that their IP address has been deleted is enough to comply. This is one of the reasons I think the GDPR is a surprisingly good law: in most cases technology laws end up unworkable, while here most scenarios seem to work well for everyone involved.
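The two techniques described above, masking the host part of the client address before it is logged and deleting full addresses once the retention period has passed, are easy to automate. The following is an added example (not code from the original post or from the author's site) that does both for Apache/nginx-style combined access log lines. The prefix lengths (/24 for IPv4, /48 for IPv6), the 30-day retention period and the sample log lines are my own assumptions, constructed for the example; a real deployment would pick a prefix length and retention period that match its privacy policy.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed prefix lengths: everything beyond them is zeroed before logging.
IPV4_PREFIX = 24   # keeps 203.0.113.0 out of 203.0.113.45
IPV6_PREFIX = 48   # keeps 2001:db8:abcd:: out of 2001:db8:abcd:1234:5678::1

# Assumed retention period for lines that still carry a full address.
RETENTION_DAYS = 30

# Combined log format: host ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] (.*)$')
LOG_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.45 - - [18/May/2018:10:12:01 +0000] "GET / HTTP/1.1" 200 612',
    '2001:db8:abcd:1234:5678::1 - - [01/Apr/2018:08:00:00 +0000] "GET /x HTTP/1.1" 404 0',
]


def anonymize_ip(addr: str) -> str:
    """Zero the host bits of an IPv4/IPv6 address, keeping only the network part."""
    ip = ipaddress.ip_address(addr)
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite one access log line so that the client field is masked.

    Lines that do not match the expected format are returned unchanged so
    that nothing is silently dropped; a stricter policy could reject them.
    """
    m = LOG_RE.match(line)
    if not m:
        return line
    host, ident, user, ts, rest = m.groups()
    return f"{anonymize_ip(host)} {ident} {user} [{ts}] {rest}"


def purge_expired(lines, now: datetime, max_age_days: int = RETENTION_DAYS):
    """Keep only log lines whose timestamp is within the retention window.

    Unparseable lines are dropped as well: if we cannot tell how old a record
    with a full IP address is, the safe choice is not to keep it.
    """
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(4), LOG_TS)
        if ts >= cutoff:
            kept.append(line)
    return kept


if __name__ == "__main__":
    now = datetime(2018, 5, 18, 12, 0, tzinfo=timezone.utc)
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line))
    print(f"{len(purge_expired(SAMPLE_LOG, now))} of {len(SAMPLE_LOG)} lines within retention")
```

Run the masking step in the log pipeline (for example as a filter between the server and the file, or as a nightly rewrite), and the purge step on a schedule; together they mean that either no full address is ever stored or every stored one has a known expiry date, which is exactly what the privacy policy then has to say.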

  • Compliance with this law will make my business unprofitable

I am genuinely sorry to hear that. But consider this: the law was written with the explicit goal of curbing some of the most serious violations of EU citizens' privacy on the Internet. If complying with it makes your business unprofitable, that is tantamount to admitting that your business is built on gross violations of privacy. If that really is the business model, then good riddance to you and your company. But if the business model is something else, you will most likely be fine.

  • This is unfair: I do not have representation in the EU, because I am not from there, why should my company comply?

Because you want to do business in the EU. Many laws with cross-border effect have been created for exactly that reason, but the harmonisation of legislation between countries shows that people do not always grasp the cross-border nature of laws. The DMCA is a good example. Besides, privacy is a rather hot topic, and privacy advocates hope that the EU is paving the way here and that other countries will follow suit.

The fact that you or your company does not have a representative in the EU does not mean that you can ignore the law. If you could ignore it, it would automatically put those who play by the rules at a disadvantage. You ignore the law at your own risk.

  • I don’t want to be arrested for violations of the GDPR when I go on vacation to Europe (yes, I really saw that)

This is so far-fetched that it is simply funny. The EU does not operate this way, and in any case, why would you knowingly break the law and keep doing so after you have found out about it? I have never heard of a single person who, over breakfast in bed in a French hotel during a well-deserved holiday, was picked up and led away in handcuffs. You may be the first. If it happens, let me know: I will visit you in prison, or maybe even put a few dollars into the defence fund. (Sorry for the flippant tone in this section, but such fears really annoy me. The only case of this kind I know of was the American arrest of David Carruthers of betonsports.com.) [The author is probably unaware of the numerous detentions of Russian hackers while on holiday abroad. Translator's note.]

  • My business cannot comply with this draconian and burdensome law.

In that case, please close the site or do not serve customers from the EU. But keep in mind that 1) you are leaving a nice field open for a competitor and 2) you are probably doing something you should not be doing, so I would say the law is working as intended.

  • The law is so complex that it is impossible to understand

When this law was published I was genuinely surprised at how easy it is to read. It is not particularly long, uses mostly plain language and usually (but not always, and this is a well-founded complaint) defines its terms. The most annoying part (understandably so) is determining at what company size certain measures become mandatory. I understand the complaints, and I understand the legislators' position too: this could probably have been spelled out more clearly. But there were good reasons to leave the wording as it is, reasons I hope to come back to later.

  • I can’t afford the risks associated with this law, so I’ll close the site or block Europeans

Okay. Bye. But make sure you really understand the risks. And please understand that it can be hard to reliably block Europeans and thereby escape this law. Keep in mind that many other European laws may apply to you as well; in this respect the new law is no different from the others. Interacting with the jurisdiction of every country where you do business is the price of using the Internet as a global platform.

  • Users should be given the opportunity to refuse to comply with the law so that I can ignore it.

This time the lawmakers saw the potential problem and forestalled it. I suspect the fiasco of the "cookie law" made them realise that companies were not at all embarrassed by such things and were happy to blackmail users into agreeing to terms they would rather have refused, as the price of interacting online.

  • For large companies, the load is manageable, for small - too heavy

From what I have seen in my practice over the past couple of years, the burden is roughly proportional to three things:

  1. The amount of data at your disposal.
  2. The number of employees in your company.
  3. The type of data you are managing.

In practice, the burden on a large company holding huge amounts of sensitive data is likely to be very heavy. The burden on a small company holding small amounts of non-sensitive data will be very light or even zero.

  • No one knows what GDPR really means

The text is easily accessible. It is true that there are no full-fledged certification programmes yet, but they will appear over time. In a sense their absence is a pity: it would be nice to be able to say "we comply with the law, because we have a badge from such-and-such certification body". At the same time, the absence of a certification requirement is deliberate and far-sighted: it keeps the burden on small companies down.

In any case, you get the point by now. Each of these misconceptions is dry kindling in the hands of those who want to burn the GDPR on a good old-fashioned bonfire: it stokes panic in others and contributes nothing to the discussion. As a rule, these claims come from people who are not really familiar with the subject or whose business depends on being able to violate other people's privacy. They hope that fanning this fire will raise a wave against the GDPR; they want to play politics. As everyone knows, politics these days operates in a fact-free zone, so everything is going to plan. With that in mind, let us look at some of the real consequences of the GDPR, at which of its requirements you are most likely to encounter, and at how, in my opinion, the situation will develop.

“Hysteria around GDPR, Part 2. Useful Tips”
