The challenge is absolutely not technical, so 2 years makes no difference. The challenge is that GDPR is essentially impossible to comply 100% with, and absolutely impossible to comply without incurring extra costs.
GDPR is the PCI of the privacy world: 99% of companies will be non-compliant if audited, but 99% of companies won't be audited. The difference is that, unlike PCI, anyone can launch claims against companies, including for malicious reasons like taking out a competitor, and political reasons like a eurocrat taking a disliking to a particular company.
What are these companies doing that makes it so hard to comply?
I've been involved in GDPR efforts at work and all the policies seem fairly straightforward to me. If you're not doing shady shit and you're upfront with your users about what you are collecting the data for, how long you keep it, and what access policies you have set up.
It includes liability for any and all data handed off or handled by 3rd parties. In other words, google analytics, facebook ads, salesforce customer data, mailchimp, constant contact, that really useful startup. How can you guarantee they are in compliance? If they aren't, you are now liable.
Enforcement guidelines are ill-defined, and the definition relies on vague terms. For example, is retaining an IP critical to running your business? What if you're getting DDoS'd? Now it is up to someone else to make that distinction, and you're dependent on them "being reasonable."
And if IP is the only PII you keep, and if you destroy IP logs after, let's say, 6 months and write something about that in your TOS, you're good. And even if you're not, if they contact you and are not happy with your way of handling data, they will warn you and then offer a solution.
You can even self-report if you're not sure you handled the privacy well, and they will point you to the stuff you have to work on (and give you a month to do that).
I understand Americans are afraid of fines and lawsuits, but please don't be afraid. Read the GDPR statements from regulatory instances; they are here to help business too.
> I understand Americans are afraid of fines and lawsuits, but please don't be afraid.
I think GDPR is short-sighted from a game theory perspective and will short-change European citizens.
When I sold software online, Europe was < 5% of my sales. Why take on business-ending liability risk for that amount of sales? Sure, maybe I'd do these things anyway, but once you open that Pandora's box, you're relying on favorable interpretation and the goodwill of regulators.
Having seen what happened in the US with civil asset forfeiture, well-meaning laws can have their purpose bent, and goodwill can be perverted. Why take on that exposure?
> It includes liability for any and all data handed off or handled by 3rd parties.
Why would you hand off the data of your customers to someone that won't/can't prove to you that they will be in compliance with the current legal requirements?
Honestly, that is the entire point of the GDPR: don't misuse customer data and don't hand it over to 3rd parties unless the customer allows you to.
> It includes liability for any and all data handed off or handled by 3rd parties.
Good. Outsourcing violations, ethical or legal, shouldn't get you off the hook for them.
Besides which, what are you doing handing off stuff that's important to your business without knowing what's being done with it? Not a recipe for success. And if it's not important, then...
The policies required for PCI compliance are all straightforward too. But enforcing large sets of policies across an organization is a challenge, no matter how simple the actual policies are.
It's a problem cos the regulation is vague and what you just said is your interpretation of it... that doesn't mean it would stand up in a court of law...
It's not possible for a financial institution to exist without incurring 'extra costs' for SOX and KYC compliance. And yet they all do. That pesky regulation seems to be useful.
Actually this has been a big problem in the cryptocurrency space. It's entirely too onerous to comply with the rather extreme regulations in the finance space so exchanges had to ignore them for the longest time. Some exchanges even have to move countries because it would be nearly impossible to operate "legally". Yet their services are still needed and if they didn't have this freedom and flexibility then the cryptocurrency space might not have had the tools it needed to grow and innovate.
It's not 2 years though. European countries have had variations of the law for decades. If you ever bothered to comply with those, you'd have had literally decades and very little cost to comply with GDPR.