Hacker News

Is that a sarcastic comment?

Because GDPR allows for liquidating fines, even for Google. I believe it has a cap of 2% annual global turnover, per infraction, or something similar.

Problem is, GDPR is not enforced. I haven't heard of small companies being investigated, let alone having any fines imposed, even when blatantly violating GDPR.



Just because you haven't heard of it doesn't mean it doesn't happen.

https://gdpr-fines.inplp.com/list/

https://www.enforcementtracker.com/


All those fines seem pretty reasonable, I don’t see any questionable or odd interpretation of the rules?


A few hundred fines in a union of half a billion people. Right. I'm based in the UK and from my own professional experience dealing with GDPR and the ICO, all I can say is that companies can and do play pretty wild with data because the repercussions are simply not there. Nobody is busting your door with fines unless you do outright absurd things, plus the backlog of cases is so long that by the time someone starts looking into it, you may not even be in business anymore.


It’s the law, and it places undue burden on small companies that may not have the technical resources to modify their site/apps/data as expected, as many of them contracted out the work initially at great expense.

An email address is considered PII, so if users request their data be deleted, the small business is honest and says they can't, and the user and others raise this to the government, you think that small company won't be fined? That company, worried about doing things illegally, may end up giving a bunch of money to a contractor to fix their application, and for what? To allow users to request that their email address be anonymized or removed? That's stupid.


If a small business cannot delete a customer's email address from their database, then it does not deserve to survive. It is not rocket science, and it is not unaffordable to have this functionality even in a custom solution.


I think you are describing very hypothetical situations.

If you know how to get a company fined, could you please share, so I can report and have action taken against companies that violate and misuse personal data?


Here (1) you have a tracker with (most) fines due to breaking GDPR. In my country there is a local office (all EU states must have one) and all citizens can file online complaints. In 2-3 weeks we get feedback. Real feedback. I have seen electricity companies being fined for sending the electricity bill to the wrong person by e-mail, thereby violating personal info security. It's all on this website.

(1) https://www.enforcementtracker.com/


Since you want everyone to be fined, why not start with YCombinator? You can ask them for a list of all of their PII removal requests and to see proof that it was all removed.

I’m sure that’ll go over well.

Then maybe you can submit an Ask HN to see how many startups will self-report to you.

There are over 26M small businesses in the EU. You’d better get started...

By the way, GDPR isn't just about misuse of PII, it's about use of PII after its removal has been requested; and most sites use email addresses as usernames, which are PII, so that's all over the application logs, comments, etc., and when people submit a PII removal request, you can't share or store the PII in the request itself, so better not use Slack, email, etc. and accidentally refer to the PII to be removed. If you do and need to follow up again with clean-up, don't refer to it then either, or you could get stuck in an endless loop of PII removal. Also, how do you know you removed the PII of the user who didn't specify all of it in the removal request? You ask them for it, but does that allow the PII they sent at that point to be kept? I don't know! You know why? Because it's not fucking defined in the law clearly enough. What if they requested removal of data that wasn't their PII?



