It includes liability for any and all data handed off or handled by 3rd parties. In other words, google analytics, facebook ads, salesforce customer data, mailchimp, constant contact, that really useful startup. How can you guarantee they are in compliance? If they aren't, you are now liable.

Enforcement guidelines are ill-defined, and the definition relies on vague terms. For example, is retaining an IP critical to running your business? What if you're getting DDos'd? Now it is up to someone else to make that distinction, and you're dependent on them "being reasonable."

The policies required for PCI compliance are all straightforward too. But enforcing large sets of policies across an organization is a challenge, no matter how simple the actual policies are.

it’s a problem cos the regulation is vague and what you just said is Your interpretation of it... that doesn’t mean it would stand up in court of law...

Actually this has been a big problem in the cryptocurrency space. It's entirely too onerous to comply with the rather extreme regulations in the finance space so exchanges had to ignore them for the longest time. Some exchanges even have to move countries because it would be nearly impossible to operate "legally". Yet their services are still needed and if they didn't have this freedom and flexibility then the cryptocurrency space might not have had the tools it needed to grow and innovate.

But isn’t SOX for publicy traded companies only?

Oddly, Sarbanes-Oxley also had implications if you were a 501(c)(3) non-profit.

We had two major expenses: liability insurance for meetings and SOX insurance for the officers. Everything else was in the noise.

That's an optimistic view of dealing with government, that they would actually be reasonable and helpful. Many in the US have a decidedly pessimistic view of dealing with regulations and bureaucracy.

Uber versus Night School is an example of this. Uber: Ignore taxi regulations, get tons of VC, get rich while being awful people. Night School: try to work with government and play by the rules, fail, get used as a cautionary tale.

Source: https://psmag.com/economics/night-school-failed-because-it-f...

I think something akin to GDPR is necessary and good, but GDPR as written probably isn't it. I look forward to seeing how it works out in practice, and how it develops/is replaced, and in the meantime feel bad for the developers and customers that suffer through the unintended consequences and misfeatures of it.

After the law gets clarified some, I think you're right that it won't be bad for small players. But I wouldn't want to be one of the test cases.

Can you point me to where in the GDPR it talks about being given "advice and the opportunity to towards an amicable resolution"? (I'm not being facetious, I'm genuinely curious to read about it, if it exists)

My understanding is that the measures taken against GDPR infringements will very much depend on the good will of the relevant national authority.

And as a member of a EU country that for the last year has been constantly bending (when not breaking) the rules to repress and attack legitimate political reivindications, the relativism in the application of GDPR is something that I find very worrying.

No, he doesn't know that. And you don't either, although you might believe you do.

>> You know this is not what would happen

You don't know this.