zlacker

1. ThePhy+(OP) 2018-05-18 10:23:01
I really don't know why people think that the authorities will (or even could) automatically punish each minor infraction with 4% of global revenue or 20 million €. GDPR article 87 specifies in great detail when fines should be imposed and how their value should be calculated, and the Article 29 WP also has a guideline on that:

https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

It is therefore simply not possible for a data protection authority to impose arbitrary or ridiculously high fines as they would never hold up in court.

replies(3): >>pjc50+c >>izacus+88 >>taysic+q01
2. pjc50+c 2018-05-18 10:25:53
>>ThePhy+(OP)
I'm starting to wonder if there's an active disinformation campaign about this somewhere. Are people getting their fears from Facebook again?

Edit: If there is such a thing I bet it's Cambridge Analytica/"SCL group" involved, since they made their money from large scale nonconsensual abuse of political personal data, and have an arm dedicated to swinging elections with misleading Facebook adverts.

replies(2): >>tobias+c4 >>thomas+zv
3. tobias+c4 2018-05-18 11:22:32
>>pjc50+c
There is probably a large number of consultants who make money out of getting "GDPR ready" etc. and in whose interest it is to maximize the fear.
4. izacus+88 2018-05-18 12:09:17
>>ThePhy+(OP)
Because those people tend to come from a country which doesn't have laws open to interpretation and thus mark people who drunkenly pee on a fence with the same sex offender tag as child molesters. If your country functions in a way where laws can't be interpreted according to context it's hard to think of a different system.
replies(1): >>losved+Dc
5. losved+Dc 2018-05-18 12:52:25
>>izacus+88
Which is an indictment of the laws, but not necessarily the system.
replies(1): >>guitar+jA
6. thomas+zv 2018-05-18 15:24:30
>>pjc50+c
I mean part of the issue is that I literally cannot answer the question "are we GDPR compliant?". The amount of time we've spent figuring out whether we need to sanitize Apache logs has been ridiculous.

If you search for GDPR IP address you'll get 100 different opinions on what you need to do. That in my opinion is what makes this law ridiculous. How can companies be expected to comply with something this unclear? I'm sure I would have had your opinion before I was the person who is ultimately responsible if my answer to GDPR compliance is wrong.

Everyone having issues with this is somewhere in the line of fire for a wrong answer to any of these questions. Our concern over the fuzziness of this law is very valid, I don't like uncertainty personally.

replies(2): >>icedch+aR >>Tomte+tg1
7. guitar+jA 2018-05-18 16:00:14
>>losved+Dc
But they are different systems. For example contracts in the EU tend to be way shorter, as long as you get the gist. Contracts in the US are painfully long, listing things out explicitly, etc.

This is exactly what rules-based regulation (US) and principles-based (EU) regulation means, and why the GDPR is written the way it is.

8. icedch+aR 2018-05-18 17:59:51
>>thomas+zv
When all else fails, just make something up. In the unlikely event anyone asks, just tell them you have no logs with their IP address. What are they going to do, check themselves?
9. taysic+q01 2018-05-18 19:09:11
>>ThePhy+(OP)
Because they don't know anything about EU authorities and have no reason to trust that they have the interests of US small businesses at heart? To them, this could potentially be a money grab with no pain to their constituents. It's already playing out to some extent with their new tech taxes.
10. Tomte+tg1 2018-05-18 21:29:27
>>thomas+zv
Regulators want to see that you thought about the issue and formulated a plan.

If they ultimately disagree with your judgments, they will tell you, and you'll have plenty of time to get a common understanding.

They will certainly not fine you just because you made an honest mistake.

They will maybe fine you if all you have to show is "I didn't want to find a plausible way myself, nobody spoon-fed me, it's not my fault".
