Hooray! Great job, what an amazing success. High fives all around...

The bureaucratic make work project has created thousands of jobs for pencil pushers and lawyers, it has imposed significant hurdles for small and medium companies further strengthening of the big tech companies' market positions, it has done nothing to protect the privacy of individuals in any meaningful way (evidenced by the constant stream of data leaks from FB and others), and finally it probably hasn't collected a penny of the 56M Euro fines imposed.

It should also be noted that 56M Euro may seem like a big figure but it is likely 2 fines, one for 50M to Google and then some amount to another big-tech company, inconsequential. However, they don't report to cost incurred by all the small companies.

@nickMNS entirely agree. Its far too much of a burden for SMEs who are not the problem. There is no good reason they could not exempt companies with (comparatively) limited amounts of user data and not involved in trading personal data. They just do not care about small business (as with things like VATMOSS).

Its far too much of a burden for SMEs who are not the problem. There is no good reason they could not exempt companies with (comparatively) limited amounts of user data and not involved in trading personal data.

Agreed. In the other hand, you can see that no SME are targeted by investigations. It doesn't mean that SME cannot be liable and get problems of-course, but, things are not automatic. Data protection authorities know how to make the difference, and they focus their work on big platforms. I am 99% sure that if tomorrow, such authority comes to you because of an issue, they won't fine you. They'll just issue you a warning, and point to you what you are failing to do.The regulations have been made to include all businesses by "anticipation", because you know how some are smart at abusing laws and playing with the words. So if an SME is doing something very fishy , they'll get threaten like the big players. Otherwise, I am confidence that if a SME is showing good will and showing it's doing its best , this is fine. So don't freak, try your best, and this will be fine.

Now, to have a positive vision of the GDPR, this is also making professionals to be aware of data protection. I am sure that lot of businesses didn't pay too much attention at how they were handling and protecting data. Now, they are. And this is good for everybody.

you can see that no SME are targeted by investigations

Where exactly can you see this? It is much easier for the bureaucrats to promote their action against the big player than the small companies. They reported 94000 complaints, those are not all targeted at Google and Facebook.

I think it is true that they are not really interested in going after SMEs BUT the lack of an explicit exemption means SMEs do not want to take the risk so they spend the money anyway.

A number of my clients have asked me to make changes to comply with GDPR.

On top of that, it does not stop with websites - CRMs for example need to comply, so do all sorts of other internal systems.

500,000 New data protection officers

Pardon? Half a million new "employees", presumably by the EU?

Half a MILLION?

Where, Ireland?

The purpose of any bureaucracy is to grow itself. :)

Yeah, especially when it's someone else's money but still, 1/2 million new officers, that's almost 1/3 the size of the UK NHS and everyone here knows someone who works in the NHS yet a GDPR officer?

It can't be Ireland since their unemployment rate in April was 4.6% with a total of just under 130,000 and a year ago was 5.9%, clearly not enough bodies to go around however I did find this probable explanatory article:

According to the International Association of Privacy Professionals, more than 500,000 data protection officers have been appointed at firms across the world

Ah, so that makes things clearer, 1/2 million new jobs have been "created" by companies to try and comply with GDPR ... Darn good job that it's a tax deductible expenditure:-)

Ha! The chuckles just keep coming!

Some pols in Brussels decide things need to be this way, and the rest of the world has to take on new expense to address the buffonery. That's not job creation, that's killing companies by the death of a 1,000 unnecessary employees!

</satire off>

I detect some are not in favour of the GDPR.
Me I like that organisations holding my personal information now ought to take some care with it.

@Mark_A I (and I think other people) do not have a problem with the principle behind GDPR, but with the implementation.

It is needed to control companies like Facebook, but it is applied to everyone. A small business which stores server logs and the personal details of a few thousand customers, and uses the data only iternally is not a problem.

I've slept since then, but isn't there a threshold where GDPR kicks in?

Seriously, there have been so many conversations/articles that this old curmudgeon could have "false memories" ...

(off to read GDPR again)

@graeme_p

A small business which stores server logs and the personal details of a few thousand customers, and uses the data only iternally is not a problem.

We are an SME and we retain logs, it is noted in our public privacy policy that we retain logs for iirc 2 years for website management and tracking purposes .. after which they are destroyed. We feel we comply fully with GDPR.

@Mark_A you are a long way off this: [tools.ietf.org...]

It is much harder for people who have logs AND customer information - the latter is a much bigger problem.

@tangor, [ico.org.uk...]

It's not even about being GDPR compliant. We're B2B, and the biggest headache is when a Corporate asks you to demonstrate your GDPR compliance before they buy/contract with you.

Part of their own compliance is ensuring supply-chain compliance. But everyone has a different form, so you can't copy-paste.

Here's a less-onerous one I got today:

Please demonstrate your organisation’s approach to your obligations under the General Data Protection Regulations (GDPR) in relation to person identifiable data you will collect and process during the term of this contract. In particular please address how you will:

• Have security in place that is consistent with the ICO’s security guidance [ico.org.uk]
  
• Co-operate with supervisory authorities (such as the ICO);
  
• Ensure the security of data processing;
  
• Keep records of processing activities
  
• Notify any personal data breaches to the data controller

Addressing the SME question, it is extremely helpful to remember that large bureaucracies necessarily "consult" industry to gain expertise. When the bureaucracy looks for advice, they call it consulting. When Big Business responds, it is best to classify it as Lobbying.

Big Business lobbies on it's own behalf. Not for the sector's behalf, strictly its own. SMEs are systemically disadvantaged as a result of regulation, because that regulation is designed by incumbent businesses to entrench their position. Big business designs the rules to ensure challengers fail.

I am not cynical when I hear Facebook or Google say they will work with regulators to "protect" consumers. Of course they will. And the regulation produced will stipulate that the consumer protection offered is exactly the kind that suits Big Data, and hampers the growth of challenger upstarts.