The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...
In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set. In principles-based regulation, the rules are extensive rather than complete and you expect the regulator to have some lattitude (and, if the system is well designed, a mechanism of recourse if they do something stupid).
An advocate of rules-based regulation would say this can make regulators unpredictable and capricious. An advocate of principles-based regulation would say it is an important safeguard against "rules-lawyering" and regulatory capture (especially the kind that ties new entrants up in check-box compliance that doesn't actually affect your business because all the rules have been worked around).
A classic example would be the time PayPal tried to tell the UK regulators they shouldn't be regulated like a financial institution (which is a claim they successfully made in the US). They pointed to chapter and verse of the relevant law, and said that according to subparagraph 2.b.c(iii)... and the relevant regulator essentially told them "shut up, you keep consumers' money for them and will be treated accordingly". As a result, the worst "PayPal took all my money and I can't get it back" stories generally do not come from the UK. (And when they do, they are accompanied by referrals to the Financial Conduct Authority, who have teeth.)
You can approve of this way of working or not, but the GDPR is a principles-based regulation, and you'll have to engage with it on those terms.
Or you can just disengage with Europe all together, which is an obvious choice for many small to medium sized companies, given the risks and costs involved.
Or, you're fine with a competitor who isn't afraid of entirely reasonable international laws coming in and eating your lunch.
We also considered all the additional liability we’d be taking on, and with that alone it was barely worth it based on the current EU customer base we have.
We’d also be very happy if one of our competitors started investing in the EU market. It’s worth about 10 times less than the US market in our industry, so having them chasing peanuts in Europe (and investing in compliance with European - absolutely not international - regulations) would be a truely fantastic outcome for us.
For us, it didn’t make sense to invest the amount of money we’d have to to establish compliance with the GDPR, or to invest in maintaining that compliance, and the liability that GDPR would introduce for us most certainly didn’t make sense.
Europe is worth almost nothing to us, we don’t market ourselves there because it’s a waste of money. The EU customers we have all sought us out, not the other way around. For us, the cost and liability is simply not worth it. I think you’ll start to see more businesses make this decision, based on facts and numbers. You can’t just cry that they’re all being hysterical or want to abuse they’re customers data and privacy. When you introduce expensive new regulations, that have very strong punitive elements, this is exactly what you’d expect to happen. Small to medium sized businesses will wear the most of the cost (while posing the least of the risk). Luckily for us, EU is worth close to nothing for us.
I expect that, at least in some obviously global markets like most e-commerce, GDPR compliance (as opposed to throwing the towel like you) will be treated like a certification of being a relatively non-evil and non-amateur business, with a significant impact outside the EU.
My customers are all happy with my privacy policy, and not a single one outside of the EU has expressed any interest at all in the GDPR. We are actually compliant with a majority of the regulation, however there are some areas where we would have to re-architect to gain full compliance.
This is not in anyway a signal that we’re “not good enough” to handle our customers data. It is mostly a sign of a poorly written piece of regulation, that has more undefined edge cases than it has defined use cases.
We’re not going to be the only company that comes to this conclusion, so you can go around slandering anybody you like, but that’s not going to change the facts behind what is a rather simple business decision for a lot of people.
You’re incredibly naive if you think complying with regulations like this is going to be cheap and easy, and your even more naive if you think that compliance is going to mean anything other than a rubber stamp. I’ve seen PCI, Fedramp, ISO27k, SOC2... organisation that have been certified as compliant, but were in reality less than 10% compliant. The compliance industry is a joke worldwide, and everybody knows it.
As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received. Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.
You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.