Many data protection regulations, GDPR included, have exemptions that ensure that smaller organizations are not impacted until they are sufficiently large to bear responsibility for and provability of their actions.
I’d agree that theoretically the regulations could be made more complex in order to mitigate their regressive second-order effect. I believe that familiarity with the evolution of regulation in other domains should disabuse one of the idealistic notion that such complexity would “ensure that smaller organizations are not impacted” by the regulation. In practice, such complexity has a way of inhibiting companies from growing, for one thing because it creates levers which the incumbents can co-opt to make life more difficult for their aspiring competition.
ihinsdale|6 years ago