top | item 18673768

fusl | 7 years ago

As far as everything on the internet tells me, GDPR was made for exactly this reason, to prevent this kind of data collecting without the user's consent. But what is happening instead is that small companies, startups, etc. are getting fucked over by the sheer amount of "rules" they have to follow and implement while large companies can get away with collecting everything and anything, leaking personal user data all over the place, etc.

Conclusion: GDPR was made to help monopolies grow even larger and prevent smaller companies/start-ups from ever growing more than just a little bit. Change my mind?

setquk|7 years ago

So it's ok for small companies to leak personal data?

Doctors' surgeries are small companies here in the UK.

The issue here is that literally every company across the world doesn't give a crap past the end of their nose and has abysmal data protection policies in place because it affects the bottom line. They introduced local legislation to help this and a few large fish got fined and that was it. Ultimately it wasn't worth doing anything about it because it wasn't an operational risk.

GDPR is about making it a major operational risk to do a shitty job. The rules should be the same for every company and the fines proportional, which they are.

The "sheer amount of rules" isn't a lot really and you owe it to your customers.

Conclusion: most of the anti-GDPR whiners are worried about spending on data protection and training because it hurts the bottom line. Change my mind?

AnthonyMouse|7 years ago

> So it's ok for small companies to leak personal data?

The GDPR doesn't just require companies not to leak personal data, it's a huge complex regulatory framework designed to handle the megacorps it was passed to target and imposes unnecessarily high compliance costs, and those costs disproportionately affect smaller entities.

In particular, it is possible to have perfectly sound data protection practices that would never lead to leaking personal data, while still not being in compliance because they're not the specific ones required.

These specific unnecessarily complex rules or total anarchy is a false dichotomy.

linuxftw|7 years ago

Major operational risk is not linear. Joe's Coffee shop doesn't have an army of lawyers to defend their collection and use practices that would possibly be lawful, while BigCorp has an army of lawyers to successfully defend their unlawful practices.

Even if the fines scale (I don't know what the punitive measures are) the cost to litigate won't.

Angostura|7 years ago

> Conclusion: GDPR was made to help monopolies grow even larger and prevent smaller companies/start-ups from ever growing more than just a little bit. Change my mind?

The conclusion you should be coming to is that if Microsoft is doing this they will be hauled over the coals in a really quite painful way. Not this month or next, because the GDPR enforcers are snowed under at the moment.

As for the “rules” small businesses have to follow to be compliant, for the most part I strongly believe that they just codify the things people should be doing anyway: Thinking about how you collect users data, why you need it; how long you keep it for; how you secure it; who you pass it to - how they use it.

It’s not rocket science

Cenk|7 years ago

> Thinking about how you collect users data, why you need it; how long you keep it for; how you secure it; who you pass it to - how they use it.

Yes – plus how you tell the people whose data you are collecting about this.

oconnore|7 years ago

> Change my mind?

1) regulators are bringing first rounds of sanctions against Google, Facebook, and large Banks.

2) the sort of data GDPR protects is typically only valuable for larger companies -- you're definitely not running a small business selling to <10,000 customers if your business model is selling data for, say, $6.18/user (Facebook's return).

Cenk|7 years ago

It’s too early to tell whether large companies will be able to get away with this stuff under GDPR.

If your small company is "getting fucked over" because of privacy laws, you’re doing something shady in the first place.

sjellis|7 years ago

> what is happening instead is that small companies, startups, etc. are getting fucked over by the sheer amount of "rules" they have to follow and implement

Nope. The GDPR is a European-style regulatory framework: it sets out principles and expects people to apply them in a reasonable and sensible way. The national regulating agencies are there to steer organisations into doing the right thing, rather than beating them up when they don't. I have literally telephoned the UK regulator and had a polite conversation when I needed a clarification of a particular point in their (most clearly written) online guidance.

The regulators do have strong powers so that large and well-funded companies can't just deploy lawyers to get away with things. Cambridge Analytica is one obvious case: they tried to play games with a GDPR regulator, and got a very hard smack-down.

izzydata|7 years ago

That is probably a standard side-effect, but I doubt the GDPR was proposed with the intent of helping the Google, Facebook and Microsofts of the world.

Derek_MK|7 years ago

Now that I think about it, yeah, I think Microsoft is probably gonna land in some big trouble with GDPR because of this. There's not really a way out of it because of how little control they give the user. I think it's just going to take time, because there are so many high-profile GDPR cases going on right now.

Plus, it's not like the big companies can afford to get hit by GDPR in a way that small companies can't. GDPR fines are based on the company's revenue, which works well for preventing Microsofts from making more money by doing it anyway and paying the fine.

simion314|7 years ago

Do you have or plan to have a product?

What data are you collecting and do you share/sell it?

Do you collect more than you need? If yes, why, and is it hard to provide the option to the user not to collect non-essential data?

What part of GDPR is the one that is giving you a lot of work and you think is a disadvantage for a small startup? If the answer is "I want to move fast and not think about securing the data, making it easy to delete, etc.", then moving fast is not an excuse; you should secure the data from the start, follow the laws when the data is leaked, etc.

api|7 years ago

Regulation in general tends to be a regressive tax. Larger companies have the bureaucratic overhead to handle it and can also often lobby or litigate their way around it. If they do get tripped up they can pay the fines or hire lawyers. Smaller companies have neither the time nor the money to deal with regulatory complexity.

Wowfunhappy|7 years ago

GDPR really should only apply to companies beyond a certain size. Or at least, the requirements for small companies should be less stringent.

blub|7 years ago

Small companies can and do abuse personal data just as well.

I'll never forget how some period tracking app that my partner was using was updated with much more invasive privacy policy terms. It was take it or leave it, no way to use the app any more except by clicking the accept button.

It was a small European start up that did this.

So yes, GDPR applies to all sizes of companies.

Justsignedup|7 years ago

That would be exploited SO FAST!

Embed my 1-person company's widget. I will collect everything and send it to big boys.

Same way as you funnel money through a shell corp to avoid taxes.

criddell|7 years ago

Why should small companies be able to collect user data without consent?

DanBC|7 years ago

The requirements for small companies are less stringent.