story
I expect that, at least in some obviously global markets like most e-commerce, GDPR compliance (as opposed to throwing the towel like you) will be treated like a certification of being a relatively non-evil and non-amateur business, with a significant impact outside the EU.
My customers are all happy with my privacy policy, and not a single one outside of the EU has expressed any interest at all in the GDPR. We are actually compliant with a majority of the regulation, however there are some areas where we would have to re-architect to gain full compliance.
This is not in anyway a signal that we’re “not good enough” to handle our customers data. It is mostly a sign of a poorly written piece of regulation, that has more undefined edge cases than it has defined use cases.
We’re not going to be the only company that comes to this conclusion, so you can go around slandering anybody you like, but that’s not going to change the facts behind what is a rather simple business decision for a lot of people.
You’re incredibly naive if you think complying with regulations like this is going to be cheap and easy, and your even more naive if you think that compliance is going to mean anything other than a rubber stamp. I’ve seen PCI, Fedramp, ISO27k, SOC2... organisation that have been certified as compliant, but were in reality less than 10% compliant. The compliance industry is a joke worldwide, and everybody knows it.
As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received. Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.
You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.
Because our social media platform is open to all, we are addressing adhering to the GDPR. In spirit, we already do, but they want what amounts to 5 documents how we use metrics and user data.
(Edit: we use metrics only in a '20 new people signed up'. We treat all data as federal confidential data. We also abide by deletion requests - immediately all user data is zeroed out, and a script overnight removes the zeroed fields. If it should not have been entered, we also will nuke users on backups too.)
If you're doing things respectfully and the right way, the GDPR is a nuisance. If you were hoovering anything and everything, you're in for a bad time.
And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".
Edit: > "My customers are all happy with my privacy policy,"
Do they have a choice, aside to never use your stuff? If do you force acceptance of the 'privacy policy' on usage of your service? If you, that is in direct violation of the GDPR.
Hope you never want to consider European citizens as a customer. Building in this respect is cheap, but is expensive if you ignore now.
Think of this as "California Emissions". Eventually the US will adopt, even if in defacto. Might as well be on the right side of the fence.
Our application is a financial one, so I’d say it’s reasonable to assume that it ends up with a lot more in-scope PII than yours does.
In spirit, we also comply with almost all of the GDPR. However, some of its undefined edge cases prevent us from fully complying with it without an expensive re-architecture project, and re-implementation of some of our toolset. The areas we don’t comply with are incredibly minor, and I’ve seen some people arguing that we’d fall within the GDPRs limits of flexibility. However, that’s not how we manage risk. No matter how confident we were, being wrong could potentially end our business with fines.
As I have said repeatedly, for many small to medium sized businesses that don’t have many EU customers, there is simply no reason to implement GDPR at all. The costs can be quite high, and the risk of getting it wrong is enormous and not survivable. This is one of the many unintended (although entirely expectable) side effects of the regulation. All you’re trying to do is spread FUD.
Comments like this come across like a personal insult.
For you an others, please refrain from such comments I see it shutting down interesting conversations(that help me understand additional view points).
