Most of these companies wouldn't know how to make much use of the data anyway. My experience working with companies and analytics (even did an analytics startup some years back) is that they haven't a clue about how to actually use it and just heard that more data is somehow better.
That to me sounds like they're most likely to sell the data, since they don't know how to use it themselves. Better these companies have less data, not more.
Companies still need some basic data for whatever problem they're solving, right?
As an example, let's say I want to launch a blogging platform. You need some basic tables (data) like User, Posts, Tags, etc. I'd consider this data the business needs for core business. Does there need to be some GDPR compliance thing?
Anecdotally, for a dumb app I built I was worried about EU visitors and just wanted to block them instead of figuring it out (yea yea, maybe that's not the right approach, but I'm sure the sentiment is common).
> Does there need to be some GDPR compliance thing?
Yes. GDPR is about data protection. If you want to do business in its jurisdiction, then you need to know the laws.
In general, GDPR states that you cannot store anything that isn't strictly necessary, unless you outline what you want to collect and what it will be used for in your data policies. You are not allowed to use it for anything else, and once it's no longer needed for the outlined use, it must be removed. Personally identifiable information has some additional rules (and it's important to note that anything could become PII if combined with something else that would, together, allow someone to be identified).
My own (EU-based) country's data protection website states:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law.
3. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
4. Compliance with these rules shall be subject to control by an independent authority.
This means that every individual is entitled to have their personal information protected, used in a fair and legal way, and made available to them when they ask for a copy. If an individual feels that their personal information is wrong, they are entitled to ask for that information to be corrected.
Unfortunately, that's a big cultural shift that a lot of people appear to be having trouble with.
We all really enjoyed the days when we could throw together a project and focus on the fun parts. Then came all of the other things we should worry about -- security and scaling, which are at least technical problems, but then things like privacy, moderation, and even legality.
It's fun to put up a file-sharing service; it's less fun to think about the fact that it can be used to share child porn. It's fun to have a new chat site with no filters. It's less fun when people use it to plan crime.
We don't want to face that. We want to make it Not Our Problem. And here, now privacy is another one. We used to just gather up user data and we didn't plan to sell it or lose it so why did we care?
The Internet is a lot less fun than it used to be. Or rather, we just managed to ignore a lot of the problems, usually because we weren't the ones affected by them. And so we didn't fix them ourselves, so laws got passed instead, which are never as good as what we'd have come up with ourselves.
So yeah, it's time for people to learn stuff before starting a business. That's no fun. Too bad.
But why were you afraid? I see some US-based sites refusing EU visitors due to GDPR, but unless you sell their data down the road, there's not much to be afraid of.
In practice though with the GDPR, sites either just 403 everyone in the EU to avoid complying, or just shower you in javascript cookie notifications, making your browsing experience more bloated, slow and insecure.
Not sure GP's meaning, but just guessing here, maybe it trains people to hit "I agree" to everything without understanding, so when they get an actual security warning they just click right past it.
GDPR doesn't dictate anything about styling or anything, it just says you have to ask for consent, you're not allowed to bundle consent with anything else (e.g. you can't say that I have to give consent to be able to use the site), and IIRC it even has a clause about consent having to be asked for in a clear, understandable form.
I'm pretty sure that everyone doing our (b) is not compliant at all. The problem is that GDPR isn't being enforced very well.
> GDPR really should have dictated "agree" and "disagree" be of equal visual weight and button styling and dictated disagreeing to be a 1-click action.
It does mandate something to that effect: the user should not have to spend more effort to disagree than to agree.
The GDPR is not a law that only regulates the internet.
The GDPR applies to all processing of all personal data regardless of whether that's pieces of paper in a filing cabinet or an entirely online social network.
That's not true unfortunately. It has a blanket exception for anything remotely government related (meaning government itself and anyone the government authorizes), and in fact guarantees far more and wider access to your most sensitive data, not less. And it allows the government to authorize whoever they please to not just keep more data about you, tighter and more closely linked together, but to keep this from you, and to prevent you from doing anything about it. Which, since the process now exists, they have prodigiously used.
Insurance? Private doctor? Youth services? Family (or any other) court? Pharmacy (in most of Europe)? Police (even in the most trivial of cases, and without judicial approval, and of course without verification or recourse)?
Worse than that: the exception goes further than merely keeping data as well. Insurance company wants to change/add to your medical record? Immediately? Doctor? Court? Police? All can change your medical file, both adding and deleting (sometimes limited to what they added themselves). YOU want to change it? Not possible!
Weird since insurance company access to your data, and "the right to be forgotten" was one of the main selling points of this legislation, but since insurance companies are semi-government in almost all of Europe these days, a lot of them fall into the blanket exception.
And of course, you yourself ... cannot access this data. You cannot see it (sorry, "you can, unless there's a reason not to let you see it"; wanna bet there's always a reason?). Particular parts (especially names, for example which doctor put something there about you) are kept secret from you. Thankfully these institutions hate each other, so there is some protection left, because if anyone wants this data, they have to file requests in 5 different places. But there is no more legal protection against this happening.
It is now far easier, in the Netherlands, to get a serious crime stricken off your judicial record than, say, getting a doctor or pharmacist's claim that you falsely came in for a heart problem out of your medical file, say to threaten or attack them for painkillers, or even just getting the name of which doctor put that there (and of course such misleading information can kill you if you ever really do have a heart problem, and god help you if you need pain killers or ...)
GDPR protects you from Amazon offering you gift ideas for your kids' birthday if you object to that. You want a mental health stay 40 years ago to not be used in a family court case against you? THAT it makes MUCH easier. Faking such a thing and using it in a court case against you, that, too, it makes a lot easier.
I've never heard this criticism of GDPR before, and a couple of cursory Google searches didn't yield anything supporting what you're claiming. Do you have a source for that?
Like everywhere else, medical and "social work" data (and keep in mind that both the medical and social workers can lock people up for extended periods of time, even in isolation. Extended means decades, even until death, and that under circumstances that are justified using records on which that applies. You can't access, remove or change that data, but it can (and is in practice) used to lock you away legally indefinitely)
Insurance:
https://ico.org.uk/for-organisations/guide-to-data-protectio... (NHS is the insurer in Scotland.) Essentially, ANY data that can be used for legal purposes (whether to sue you or to defend itself or any decision it made) is exempt from GDPR. No matter how personal the data. Technically this may even cover publishing such data.
I realize this is for one specific part of Europe, but there are analogues everywhere. And, frankly, look at the size of that list. It's only the beginning, on the left, click open, "right to X" and there's yet another list of exemptions.
Are you in the EU? I'm a developer in the EU and that is patently not true. Developers have to have mechanisms in place to delete GDPR data when required and not store data that's not required for your goals.
In my experience GDPR puts a real and meaningful curb on the strong impetus to gather everything and sell it.
> Developers have to have mechanisms in place to delete GDPR data when required and not store data that's not required for your goals
Purely anecdote, but zero companies I know in Germany, Italy or France are doing this. (The ones in Switzerland are.)
There is a cosmetic fix that produces an email so there is something to show a regulator if they come knocking. The logic being investing anything more than that is a crap shoot, given nobody knows how each of the EU’s 28 data regulators will interpret the rules.
You must work with some pretty poorly organised companies. I work with a lot of French, Belgian and German companies and they pretty much all have proper procedures and tools for this.
In France in particular, the right to access/change/delete any and all data a company has on you was there long before GDPR (by decades), so most serious companies are well used to it and prepped for it.
They range from start-ups to national champions, but I won't disagree with you on the poor organization of most European companies point. Everyone re-papered existing systems to some degree of compliance. Given nobody agrees on what full compliance is, they're all right in their own ways.
I wasn't making a point about European companies in general but about the ones you work with personally. Because they don't seem to be like the usual norm for European companies, which do have procedures and tools for this, unlike in your experience.
Also purely anecdotal, I have had GDPR interactions with EPIC Games (asked them to delete my account) and Blizzard Entertainment (asked them to retrieve my data). Both went well.
The interaction with EPIC was manual, I had to send an email and got back what looked like a personalized e-mail. Account seemed to be deleted.
With Blizzard it went a bit differently. They do have an online automated tool to download your own data, but with a twist: they refused to provide what they consider security risk information. They did provide a lot of data (even years-old chat logs) but did not provide the information I was looking for: the list of processes running on my PC, which they scan periodically as an anti-cheating mechanism. I went further and filed a GDPR infringement complaint with the national office, but it failed. The last option was to sue, but I gave up.
It failed because, based on the evidence I submitted to the national authority for data protection (the national entity enforcing the GDPR), they were not able to rule in my favor. In the e-mail exchange between me and Blizzard, they declared they store process data anonymized, but I don't believe it, since based on that data they decide to ban real game accounts (which are linked to real personal data). Going to trial just to try to prove a point wasn't worth it for me, but at least I have seen the national authority for data protection actually reading the documents I submitted, backing their ruling with quotes from them.
Everyone did substantial work. But the net effect was making binders of policy and PowerPoint presentations. It’s an “impress a regulator” scheme. Not a hard requirements test, nor a private liability one.
But from what I have seen, most of that time was spent on the legal and policy side, not on actually implementing the technical changes required to properly handle, store and delete data.
I can absolutely guarantee you that the overwhelming majority of EU companies could not properly carry out a GDPR deletion request.
That's great news. If any of these companies cannot or won't reply to your GDPR deletion request, you can grab a default payment of at least 1k Euro just for that. Please name them, maybe I hit the jackpot with one of them.
My previous client is a reasonably large Swedish company with a big German presence and they took GDPR (and data protection in general) EXTREMELY seriously. I know because, outside of the training, I sat in on a few audit meetings.