As an EU citizen I like my personal data protected. I left facebook and all other networks except Twitter and usually do not give data for any coupons in shops.
GDPR is a mess not from the goal but the implementation.
Currently no one knows how to implement GDPR correctly - e.g. how to exchange business cards, how to store information from sales leads etc.
Compare this with PCI compliance (which is about CC data protection) and it's very clear if you're compliant and if you are not and what to do.
For now this has no effect because data protection agencies - at least in Germany - are overloaded, but will lead to a lot of fines for companies that want to do everything the right way.
Article 13 is the same mess. Good in intention of making YT pay for the content they use and which is copyright protected, but _impossible_ to implement in its current form.
> Compare this with PCI compliance (which is about CC data protection) and it's very clear if you're compliant and if you are not and what to do
As someone with an interest in this space, I can say that the PCI DSS is not as clear as you say - there is plenty that is ambiguous and open to interpretation, and often a pass/fail for each requirement hinges on your QSA's interpretation.
> Currently no one knows how to implement GDPR correctly - e.g. how to exchange business cards, how to store information from sales leads etc.
The only time I've seen it be a problem for people is when they are playing fast and loose with people's data.
I mean, exchanging business cards is (I would suggest) an invitation to start a conversation. I'm not personally worried about that. It's definitely not an invitation to store my data in a leads database indefinitely though.
Does not being able to indefinitely store people's data in your database without getting permission first make your life harder? Good, that's the point.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
From: _Codemonkeyism@ycombinator.com
To: Bob@from.accounting
Subject: Great chat!
Hey Bob, thanks for handing me your business card the other day, can I add you to our sales database? We will contact you whenever we think we have some suitable widgets.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
From: Bob@from.accounting
To: _Codemonkeyism@ycombinator.com
Subject: Re: Great chat!
Take a hike _Codemonkeyism! / Sure, go ahead!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Compare this with PCI compliance
I've done PCI compliance, it's largely bullshit IMO. It does certify compliance with something, but it's not a particularly useful way of working out whether a company is storing people's data securely.
> but will lead to a lot of fines for companies that want to do everything the right way.
Well, we will have to see, but I doubt it. Sure, there will be companies that want to protect people's data, but can't for whatever reason (developer time etc.), but the solution there is "don't do it". If you can't secure people's data, don't store it. "It's a bit beyond our capabilities" isn't an excuse.
> Article 13 is the same mess. Good in intention of making YT pay for the content they use and which is copyright protected, but _impossible_ to implement in its current form.
> The only time I've seen it be a problem for people is when they are playing fast and loose with people's data.
For sites not in the EU, see Article 27.
If you are not in the EU, and you process personal data of people in the EU, and the processing is related to offering goods or services to those people (regardless of whether payment is required), Article 27 requires you to have a representative in the Union.
Note: do not mix this representative up with the Data Protection Officer, which may be required by Article 37. DPOs are generally only required for pretty big data processors, and if you are required to have a DPO there is no geographic limitation on where they can be.
Article 27 doesn't apply if the processing is only occasional and doesn't involve certain especially sensitive categories, but it is not at all clear what counts as more than occasional.
Note: common system logs, such as Apache logs, include personal data (IP addresses). Logging such data is probably not a violation of GDPR, but that doesn't make it no longer count as personal data. It still counts and so you still have to follow the rules for sites that process personal data.
It also won't apply if goods or services aren't being offered to people in the Union, but that too is unclear. Your site merely being accessible from within the EU is not sufficient, but it is not clear what beyond that counts.
There is no need to be playing fast and loose with data to be totally unsure if Article 27 applies to you or not.
I sell software that is largely used for PCI Compliance, and I agree with what you say. A lot of our customers simply want "checkbox compliance" - they really don't care about increasing security, just that their QSA ticks the right box.