
GDPR is quite good actually, we will just need to find a way to use its power for good.


Agreed. I think it's one of the biggest privacy achievements ever. We have been seeing a tremendous normalization of defiance with how user data is frequently unknowingly misused and it's time for correcting this. GDPR is a good start, hopefully US soon follows.


It's good for US tech because it is yet another cost and restriction EU startups have to face before they can grow to scale and profitability.


It's a very small cost that all companies should already be able to handle if they're to be trusted with personal data.


That's the crux of it. It's not asking companies to do anything they shouldn't have already been doing if they were conscious about security.

The problem is it's been blown completely out of proportion to a point where my son's child minder sent out letters asking for our permission to contact us if our child is unwell (Of course she should - that isn't unsolicited contact. She was already covered!).


Not quite actually - sensible practice from a security standpoint alone (as opposed to transparency) would be to have a delete but not a download button as it would make exfiltrating data with a compromised account easier. That is the flipside of power to the user - more exploitability. I don't blame them for the goal (right to know is a valid interest for consumers) but we have to acknowledge consequences if we want to avoid future errors.

The backup clearing involved would also be a pain in the ass and boost expenses of compliance (can't just use write-only storage which nicely solves other problems) but it isn't insurmountable.
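The comment above treats a "download my data" button as a pure liability for a hijacked account. As an added example (not code from the commenter or from any product mentioned on this page), here is what a service that keeps the button can put in front of it: a fresh step-up authentication, a per-user export quota, and a notice sent through a channel the session does not control. The `Session` fields, the policy name and the in-memory notice list are assumptions made for the example; a real deployment would back them with the site's own auth and mail systems.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Session is the caller's authenticated session. LastStepUp records when the
// user last re-proved possession of a second factor; the field names are
// assumptions made for this example.
type Session struct {
	UserID     string
	LastStepUp time.Time
}

// ExportPolicy bundles the controls that keep a "download my data" endpoint
// from being a convenient exfiltration path for a hijacked session:
// a fresh step-up authentication, a per-user quota, and an out-of-band notice.
type ExportPolicy struct {
	StepUpMaxAge time.Duration          // how recent the step-up must be
	MaxPerWindow int                    // exports allowed per user per Window
	Window       time.Duration          // sliding window for the quota
	exports      map[string][]time.Time // recent export times, per user
	Notices      []string               // constructed stand-in for e-mail/SMS notifications
}

var (
	ErrStepUpRequired = errors.New("export denied: recent re-authentication required")
	ErrQuotaExceeded  = errors.New("export denied: quota exceeded")
)

func NewExportPolicy(stepUpMaxAge time.Duration, maxPerWindow int, window time.Duration) *ExportPolicy {
	return &ExportPolicy{
		StepUpMaxAge: stepUpMaxAge,
		MaxPerWindow: maxPerWindow,
		Window:       window,
		exports:      make(map[string][]time.Time),
	}
}

// Authorize decides whether session s may run a full data export at time now.
// On success it records the export and queues a notice to the account owner,
// so an export the real user did not request is at least visible to them.
func (p *ExportPolicy) Authorize(s Session, now time.Time) error {
	// 1. A session cookie alone is not enough: require a recent step-up.
	if s.LastStepUp.IsZero() || now.Sub(s.LastStepUp) > p.StepUpMaxAge {
		return ErrStepUpRequired
	}
	// 2. Drop export timestamps that have aged out of the quota window.
	recent := make([]time.Time, 0, len(p.exports[s.UserID]))
	for _, t := range p.exports[s.UserID] {
		if now.Sub(t) < p.Window {
			recent = append(recent, t)
		}
	}
	p.exports[s.UserID] = recent
	// 3. Enforce the quota; repeated bulk pulls are the attacker's pattern.
	if len(recent) >= p.MaxPerWindow {
		return ErrQuotaExceeded
	}
	p.exports[s.UserID] = append(recent, now)
	// 4. Tell the user through a channel the session does not control.
	p.Notices = append(p.Notices,
		fmt.Sprintf("%s: data export started at %s", s.UserID, now.Format(time.RFC3339)))
	return nil
}

func main() {
	p := NewExportPolicy(10*time.Minute, 1, 24*time.Hour)
	now := time.Now()
	stale := Session{UserID: "alice", LastStepUp: now.Add(-2 * time.Hour)}
	fmt.Println("stale session:", p.Authorize(stale, now))
	fresh := Session{UserID: "alice", LastStepUp: now.Add(-1 * time.Minute)}
	fmt.Println("fresh session:", p.Authorize(fresh, now))
	fmt.Println("second export:", p.Authorize(fresh, now.Add(time.Minute)))
	fmt.Println("notices:", p.Notices)
}
```

The ordering matters: the step-up check runs first so that an attacker holding only a stolen cookie never reaches the quota logic, and the notice is queued only on a successful export so the user learns about the event that actually happened.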


> The problem is it's been blown completely out of proportion [...]

Yeah, but blame that on the lawyers who wanted to cash in on this new regulation. I think only _very few_ people/business owners actually took the time to read the GDPR and think about whether all of that even applies to them.

Most just became a victim of the fearmongering around all of that.


I've seen a lot of scaremongering but none of that was from lawyers.

My observation was most of the negativity came from a combination of the press writing slanted articles criticising the EU (which is fairly typical for anything relating to the EU, it seems) and blogs from people who assumed the worst case and subsequently wrote a hysteria-driven knee-jerk opinion piece as a result. Those blogs, I've found, are the worst examples because they're more likely to spread like a virus where people say "if they're worried then I should be too!" Whereas these days people can dismiss the press a little easier if it doesn't confirm their cognitive bias.

That's just my opinion from what I've observed though. I'm not trying to claim anything as fact here.


I'm with you on that after a second thought.

Our lawyers were rather calm, too, saying that not everything is eaten as hot as it's being cooked.

"Selfmade media" on the other hand went really wild and fantasized some absurd threats for everybody with a website, you're right on that.


It's absolutely not a small cost. It cost the last startup I worked for around two weeks of development time, plus in many cases it prevents us from (or adds massive restrictions on) collecting contact information from leads.

It has certainly affected the bottom line of companies like Facebook and Google, but they can afford to take the hit, not all startups can.

I don't really disagree that companies "should" do it. But I'd argue one of the many reasons we have a shortage of big tech in the EU is excessive regulation restricting our ability to scale.


I'll take my data being protected over your ability to scale any day, and remember, if a US company wants to do business with EU citizens they still need to comply.


But unlike EU startups, US startups have the advantage of only having to comply with EU regulation when they're at scale and profitable.

I actually like GDPR and would love it if it was made law worldwide, but right now that's not the case and with being EU only it comes at the cost of EU tech. And if the EU wishes to remain economically competitive with the US in the coming decades we're going to need tech and GDPR is yet another hurdle preventing us from achieving this.

Again, I'm not really arguing what should be, but from a purely pragmatic perspective I'd argue tech regulation isn't good for the already struggling economy of the EU.


Being GDPR compliant right from the start should be seen as an advantage over competitors.

GDPR can really be reduced to "privacy by design" and "privacy by default". If your business struggles with those two principles it's a business you'll probably not need.


The question is whether those costs were just bureaucracy, or just you actually having to spend the time to be responsible with user data. In my experience, it's 90% the latter.


I'm not sure how to react to you implying that it hurts small companies more than big companies, and that it's an impediment to scaling.


Those two aren't mutually exclusive or contradictory - oak trees sprout from acorns. If their growth is stunted then they won't scale.


Stopping something before it even tries to scale is different from making scaling itself hard, and the comment is implying the latter.


>It cost the last startup I worked for around two weeks of development time

You spent two weeks solving technical debt, which you had ignored because no one was forcing you to actually play nice with people's data and it was convenient for you to do so.


So your old company didn't properly care about how they handled my private data and the law made them care? Should we cry at how the evil EU made them actually have to properly handle my private data? That line alone is a good showcase of why GDPR is great.


"My back alley butcher shop startup had to spend two weeks developing new methods because of unfair health regulations!"


That’s a straw man. Digital privacy doesn’t have immediate public health dangers. Nobody is going to actually die if your web browsing history is mishandled.


Can you be sure of that?


This is exactly what I love so much about the GDPR.

It hurts and sets up barriers when you want to collect data which is not needed for fulfilling the purposes of "doing your business".

Nobody keeps you from saving contact information and communicating it in that way. But collecting all kinds of data to build profiles and get on my nerves, because I wanted to test your software is getting more and more complicated. And that's good for (end) users privacy.


Protecting your customer's privacy is already a "cost and restriction" regardless of where you live; is this how you feel about all the regulation you have to conform to if you're processing payments?


Really I would prefer the payment system was robust enough that it would do no more harm than publishing your past shopping lists but that is a separate topic.

That has always frustrated me - we have cryptographic signatures. An order should involve only an invoice signed by the end user, the merchant checking it vs your public key and then submission to the credit card processor.

Even if done with "black box calculator functions" to the end user it should be layman usable.
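The order flow sketched above (customer signs the invoice, merchant checks it against the customer's registered public key, then forwards to the processor) is shown below as an added example in Go, not as code from the commenter or from any payment system. It goes slightly beyond the comment by adding the checks a merchant needs before trusting a valid signature: that the invoice names this merchant, that the amount is sane, and that the same signed order is not submitted twice. The `Invoice` fields, the use of the order ID as a replay nonce, and out-of-band key registration are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Invoice is the document the customer signs. The fields, and the use of the
// order ID as a replay nonce, are assumptions made for this example.
type Invoice struct {
	MerchantID  string   `json:"merchant_id"`
	OrderID     string   `json:"order_id"`
	AmountCents int64    `json:"amount_cents"`
	Currency    string   `json:"currency"`
	Items       []string `json:"items"`
}

// SignedOrder is what the customer submits: the exact bytes that were signed,
// plus the Ed25519 signature over them. Shipping the signed bytes verbatim
// avoids any canonicalisation mismatch between signer and verifier.
type SignedOrder struct {
	Invoice   []byte
	Signature []byte
}

// GenerateCustomerKey creates the customer's signing key pair; the public half
// is registered with the merchant out of band (enrolment is out of scope here).
func GenerateCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignInvoice is the customer side: serialise the invoice and sign those bytes.
func SignInvoice(priv ed25519.PrivateKey, inv Invoice) (SignedOrder, error) {
	body, err := json.Marshal(inv)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Invoice: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Merchant knows its own ID, the registered customer keys and the order IDs
// it has already accepted.
type Merchant struct {
	ID           string
	CustomerKeys map[string]ed25519.PublicKey // customer ID -> registered key
	seen         map[string]bool              // accepted order IDs (replay defence)
}

func NewMerchant(id string) *Merchant {
	return &Merchant{ID: id, CustomerKeys: make(map[string]ed25519.PublicKey), seen: make(map[string]bool)}
}

var (
	ErrUnknownCustomer = errors.New("no registered key for customer")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrWrongMerchant   = errors.New("invoice addressed to another merchant")
	ErrBadAmount       = errors.New("non-positive amount")
	ErrReplay          = errors.New("order ID already accepted")
)

// AcceptOrder is the merchant side. The signature is checked before the
// invoice is parsed, so unauthenticated bytes never reach the JSON decoder,
// and the checks that follow stop a valid signature from being reused or
// redirected to a different merchant.
func (m *Merchant) AcceptOrder(customerID string, so SignedOrder) (Invoice, error) {
	pub, ok := m.CustomerKeys[customerID]
	if !ok {
		return Invoice{}, ErrUnknownCustomer
	}
	if !ed25519.Verify(pub, so.Invoice, so.Signature) {
		return Invoice{}, ErrBadSignature
	}
	var inv Invoice
	if err := json.Unmarshal(so.Invoice, &inv); err != nil {
		return Invoice{}, err
	}
	if inv.MerchantID != m.ID {
		return Invoice{}, ErrWrongMerchant
	}
	if inv.AmountCents <= 0 {
		return Invoice{}, ErrBadAmount
	}
	if m.seen[inv.OrderID] {
		return Invoice{}, ErrReplay
	}
	m.seen[inv.OrderID] = true
	// Here the merchant would hand the accepted order to the payment processor.
	return inv, nil
}

func main() {
	pub, priv, err := GenerateCustomerKey()
	if err != nil {
		panic(err)
	}
	m := NewMerchant("shop-1")
	m.CustomerKeys["alice"] = pub
	so, _ := SignInvoice(priv, Invoice{MerchantID: "shop-1", OrderID: "ord-42", AmountCents: 1999, Currency: "EUR", Items: []string{"book"}})
	inv, err := m.AcceptOrder("alice", so)
	fmt.Println("first submission:", inv.OrderID, err)
	_, err = m.AcceptOrder("alice", so)
	fmt.Println("replayed submission:", err)
}
```

Two points a practitioner would insist on: the merchant binds the signature to a key it already trusts for that customer (a key sent along with the order proves nothing), and the merchant ID inside the signed body is what prevents a signed invoice intended for one shop from being cashed at another.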


It's bad for US tech because apparently US tech companies do not understand what privacy is and why people deserve to have it.


It applies to everyone who wants to serve EU customers.

As for startups: depending on what kind of personal data you are collecting, being GDPR compliant shouldn't take more than a day.

If it takes longer you are building a business around personal data, and I think you should know your stuff (not just GDPR, but also what kind of data you are collecting and why).


> being GDPR compliant shouldn't take more than a day.

either you're overly optimistic, or you have some 100x rock star doing the impl. because it took over 1 year to implement all of the GDPR required features for me, and we don't even store that much private data!


It took me 2 days - 1 day to research the requirements, and 1 day to make a few changes, largely simply to wording of our privacy policy.

How long it takes obviously depends on your data - but also on how important privacy and security is for you already. In my case, privacy was already important, so there wasn't much to do.

Unless you were in charge of GDPR compliance for an enterprise-size company, I don't know how you could possibly take a year about it, even if you had previously not cared a jot about your user's data?


> it took over 1 year to implement all of the GDPR required features for me

> we don't even store that much private data!

What do you store? Because I can't imagine what would take that long.


It took me half a day: Had to download a GDPR privacy policy template, read through the thing. Double check all the sections applied to what I was doing (cookies, etc) and fill in my details.

What did you spend 1 year doing if I may ask? Did you previously store passwords in plain text and you had to update that?


Can someone fill me in on why I'm getting downvoted?


I stopped questioning downvotes. It's just plain stupid and has no reasoning after all. But people will resort to the commenting rules or something like that, because they don't understand sarcasm and think your comment is "low quality" or something like that. It's puzzling.


Because you're going against the "GDPR BAD" narrative aspiring surveillance capitalists are desperately trying to spin.


> If it takes longer you are building a business around personal data, and I think you should know your stuff (not just GDPR, but also what kind of data you are collecting and why).

And you should probably pause and ask whether your proposed business will provide a net benefit to the world, or if it's just an attempt to make money regardless of the consequences to society.

Not to say there aren't any worthwhile businesses to be created around personal data, but experience suggests that some skepticism is in order.


Delete * from user_data doesn't take that long


The US saw this with banking regulation after the great recession. Big banks could afford to make it work, and small local banks got the worst of it.



