I'm not arguing for or against it, just pointing that the resulting unintended consequence is protecting large companies. Exactly the opposite of the original intent.
Nonsense. I look at another high tech data driven start-up every week and not a single one has stated that the GDPR costs are 'prohibitively high'. Sure, there are some that need to do more work than others (medical, ad tech). But on the whole companies that were already doing their best to not fuck up with their customers' data have very little to do in order to get to where they should be and the remainder has a bit more work but will most likely be more-or-less compliant by the 25th and what work remains will be done long before the eye of Sauron will turn their way by virtue of their size.
The cost is strongly related to the size of the organization and the amount of sensitive data you hold as well as whether or not you were a bad steward of the data in the past.
There is a correlation between the number of GB you store and e.g. how many DPOs you require?
A small business or a startup should have a relatively limited amount of data capture, and that data should be stored in a relatively limited number of places. In most cases, it should be straightforward to make sure that this is documented and appropriate controls are in place.
On the other hand, large companies have vast quantities of uncontrolled data gathering that nobody is responsible for.
If I want to put an open source app in the App Store, that’s not a business model for me. It’s more just personal expression.
Try convincing a regulator of that.
But it doesn't matter, you're still logging PII. GDPR doesn't make any distinction of profit vs. non-profit vs. personal ownership. You're as liable as an individual as an organization.