Most businesses, web developers and e-commerce sites, from the smallest right up to the largest, are being told they are dishonest by the governments of the ‘free’ world, and it's costing a small fortune, causing some panic and, of course, a lot of ‘disinformation’.
Basically, GDPR says that at every touch point of the data you hold, you must give the user an opportunity to opt in, opt out and disallow any cookies that might personally identify a user who has come onto your site; you must have a flowchart of that data, appoint a data controller and identify a data processor, all of which can be inspected by a government representative. If you don't, you can be fined up to 20 million euros or 4% of your turnover.
Why is the fine for non-compliance so high, we ask ourselves? Well, if it was not obvious, it's aimed at the big boys like Amazon, Facebook et al. as, frankly, they are the only ones that can afford it and the EU is desperate for cash. The problem with these ‘catch all’ solutions is that the little guys and girls are caught up in an expensive merry-go-round that is not clear, not consistent and in no way understandable unless you are a specialist lawyer on the subject – and as it's a new law, I defy anyone to be an expert in GDPR at this current moment in time.
Let's have a look at the vaguest of the vague, shall we?
Q: What is considered large-scale data processing?
A: via the EU site for GDPR:
2.1.3 ‘LARGE SCALE’

Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scale processing, though recital 91 provides some guidance.[14]

Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. This does not exclude the possibility, however, that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes ‘large scale’ in respect of certain types of common processing activities. The WP29 also plans to contribute to this development, by way of sharing and publicising examples of the relevant thresholds for the designation of a DPO.

In any event, the WP29 recommends that the following factors, in particular, be considered when

[14] According to the recital, ‘large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk’ would be included, in particular. On the other hand, the recital specifically provides that ‘the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer’. It is important to consider that while the recital provides examples at the extremes of the scale (processing by an individual physician versus processing of data of a whole country or across Europe); there is a large grey zone in between these extremes. In addition, it should be borne in mind that this recital refers to data protection impact assessments. This implies that some elements might be specific to that context and do not necessarily apply to the designation of DPOs in the exact same way.
See what I mean? And this is just one of thousands of lines of text we have to get through just to see if ANY of it applies to us.
It is clear to this writer that the EU and its cohorts have not really thought this through. As an individual business, I must provide contracts to my clients that are clear, concise and unambiguous before I even start charging any money; one would have thought that, at the very least, given that I, along with millions of other businesses, can face a fine that could bankrupt me, the law I have to adhere to would be clear in the extreme.
The GDPR regulations have painted all of us with the same brush – we are not to be trusted with people’s data.
Big business and big government institutions seem to forget the little guy: the mom and pop businesses, the people that are actually trying to earn a living through the internet, and genuinely small bricks and mortar businesses that like to keep in touch with their clients (even down to newsagents who deliver your favourite daily). They make them wade through all sorts of legislative BS so that they can keep off welfare, give their kids a few decent holidays and put a decent meal on the table when they get home from school. Any intelligent person can see that GDPR is aimed at the very large corporates that have allegedly abused personal data. Unfortunately, with laws like this, the underdogs get caught up too – no compensation, no help in financial terms for us to get good legal advice, even if you can find a lawyer who understands the grey areas and can interpret them correctly so you are protected.
There is light at the end of the tunnel, though, in the shape of a Facebook group set up specifically for this very reason. It's run by a lawyer, the advice seems sound and, from what I have seen, she seems to know what she is on about. I urge you to join the group if you can and get the very best advice. She also has an offer to sign up to her GDPR pack – I get a commission if you buy through this link, but you don't have to, and you don't pay any extra either way – so get on it and make sure you are as up to date with GDPR as you need to be.
No matter who you are, whether you have a website or not, if you hold data on your customers you have to comply, even in the simplest of ways – get the info today and make sure you are up to date.