THE END OF THE WORLD AS WE KNOW IT
Tim Turner
Practical + theatrical UK GDPR & FOI trainer & consultant. Not GDPR certified (no-one is). Available for hire online or in-person. Will supply own props.
There are many articles written about GDPR every day, and though most are terrible, the reasonable reaction is to recognise this after a couple of paragraphs and then move on. Occasionally it's worth tweeting or posting a LinkedIn message about one for the benefit of connoisseurs of scaremongering nonsense. When I read Richard Stiennon's article for Forbes, I was so struck by the number of exaggerated and inaccurate claims that I felt a more detailed response was appropriate. In my humble opinion as someone who has been studying the GDPR for a few years now, Stiennon's article is hysterical garbage. You may wish to judge for yourself by reading it, but I have selected some elements that I felt needed attention.
by May 25, 2018, they have to comply with the most intrusive technology regulation ever.
It's not a technology regulation and much of it already applies in Europe. We're still here.
GDPR applies to any company that collects data on EU residents.
It applies to any company that monitors EU residents or offers them goods or services.
-72 hour breach notification. An organization will have only three days to disclose to the Data Protection Supervisor when they learn of a breach.
It's the local Supervisory authority in their jurisdiction, not the EDPS.
I don't know any companies that can pull their stories together fast enough to comply with this. They have to 1. Determine what happened.
They don't have to report it unless it meets a specific definition so if they don't know what happened, the 72 hours haven't started.
2. Put in controls to stop it from happening again.
This is irrelevant to when they report.
And 3. Figure out how to message it.
This is irrelevant to when they report.
[Controllers must] Hire a Data Protection Officer.
Many data controllers will not need a DPO.
Can we outsource the role? (Maybe).
You can outsource the DPO role. There's no maybe about it.
-Article 17, the Right to Erasure. Any EU resident can request from any organization a complete list of all the data they have on them.
They can do that now under subject access, and have been able to since the mid-nineties.
On top of that they can demand that the data be erased. The data collector/processor has 30 days to respond.
There are plenty of exemptions to the right to be forgotten in the GDPR itself and derogated to member states.
What about the fines for non-compliance? Think about this: Twenty million euros or four percent of global revenue, whichever is greater. Just to put that in perspective: 4% of Amazon's revenue (2016) would be $5.44 BILLION, of Google's $3.6 billion, Facebook $1.1 billion, Netflix, a mere $352 million. You can do the math on your own company.
For one of the maximum possible penalties to happen, it would have to be the worst possible breach with no mitigation. Does the author think these companies are really that bad?
One way to avoid the cost of compliance, of hiring a DPO ($150K)
If he thinks that's a likely average, the author is high.
This means the EU will be cutting itself off from the latest and greatest technology. Want to install the newest secure communications app? Sorry. How about that new business app for managing contacts, or accounting? Not available in the EU. That new VR/AR game that is taking the world by storm? Sorry, only people outside the EU get to experience it.
I predict even tech startups based in the EU will choose to sell only to foreign markets when they launch.
If he believes that techno-capitalism will not find a way to milk Europeans, the author is high.
The GDPR is a big deal. It will have far-reaching effects. None of us know what those effects will be, but the idea that it will lead to the end of Facebook and iTunes in the EU is sillier than the most over-heated claims of the worst Certified GDPR Professional. Calm yourself, Mr Stiennon, many US companies will ignore it altogether and nobody will bat an eyelid.
Partner at EY
7 years ago
Good man Tim. I enjoyed that! Too much emphasis on the fines and impact of getting DP wrong. Great opportunities if you can get it right.
Owner at APD Resolutions Ltd
7 years ago
Thanks ... enjoyed reading this. Hoping to learn more about this for my clients.
"...many US companies will ignore it altogether and nobody will bat an eyelid." Yeah, this is what, I'm afraid, may very well happen.
IT Project Manager at NCIs
7 years ago
Of course, if the audience to the Forbes article had kept up with the EU since the 1995 Directive there wouldn't be a story here...