GDPR Resources
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.
I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.
Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.
-
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.
I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.
Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.
Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.
Take @gjacobse who likes to do HAM radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.
No way could any normal SMB handle SARBOX.
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.
I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.
Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.
Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.
Take @gjacobse who likes to do HAM radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.
No way could any normal SMB handle SARBOX.
This thread has gone on a long time. I am tired of trying to explain GDPR. Your questions have helped me research deeper than I might have otherwise. I am grateful for that. If you have something substantive to contribute with links so that we can all learn I would welcome your input. However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.
-
@kelly said in GDPR Resources:
However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.
Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.
Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?
That was the point of this thread. I have posted a link to every single resource I have used to learn about with the exception of this one (now that I think about it): http://www.lockelord.com/newsandevents/publications/2017/12/are-we-covered.
-
So what's the conclusion here?
Does this only effect US companies that target goods or services to EU member populations?
-
@obsolesce said in GDPR Resources:
So what's the conclusion here?
Does this only effect US companies that target goods or services to EU member populations?
Yes, but the targeting thing is fuzzy.
-
@kelly said in GDPR Resources:
@obsolesce said in GDPR Resources:
So what's the conclusion here?
Does this only effect US companies that target goods or services to EU member populations?
Yes, but the targeting thing is fuzzy.
You either sell physical goods to people/businesses in EU countries, or you don't. That's 100% clear to me. If you do, you most likely have financial related information on them, in which case, it seems likely GDPR applies.
That's what I'm thinking, but I'm not a lawyer and don't think it's up to me to determine which international laws apply to us and which one's don't, including compliance.
All I can do is familiarize myself with it enough so that when the lawyers and Execs do figure it all out, I'll know what I can do to help the business in IT related compliance solutions if or when required.
I do agree that there are other scenarios that aren't so 100% clear as I seen in earlier posts here.
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.
Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?
That makes sense though. I found a bunch more information here: https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
But if a company is US based (no physical or registered presence in the EU), can they even do anything about it? I would think not... unless they can somehow stop a U.S. based company from selling products or services there until some kind of fine is paid.
-
@obsolesce said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.
Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?
But if a company is US based (no physical or registered presence in the EU), can they even do anything about it?
This was addressed in the thread: https://mangolassi.it/topic/16992/gdpr-resources/75.
-
@kelly said in GDPR Resources:
@obsolesce said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.
Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?
But if a company is US based (no physical or registered presence in the EU), can they even do anything about it?
This was addressed in the thread: https://mangolassi.it/topic/16992/gdpr-resources/75.
Didn't see that.
But, wow... I'm in complete agreement with SAM's reply to that. Wtf.