Slashdot Mirror


New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance. GDPR, or General Data Protection Regulation, is a new user and data privacy regulation slated to come into effect in the EU three weeks from now, on May 25, 2018.

The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe. The reasons are plenty, but the humongous fines for failing to meet GDPR standards are at the top of the list for most companies ($24 million or 4% of a company's annual worldwide revenue -- whichever is higher). There's also the 72-hour deadline to reveal data breaches and the necessity of hiring a so-called "Data Protection Officer." Plus, GDPR also mandates that companies must inform users on what data they collected about them, allow them to review the data, and even let users delete the data from the company's servers if they so wish.

8 of 553 comments

  1. Re:Thousands, try millions. by FictionPimp · Score: 5, Informative

    We didn't find much trouble in compliance. Sure we had to write a few policies and work out a procedure for exporting and deleting data from our systems. We did not spend even 25k in work to pull this off. It was fairly trivial for companies that don't make a product out of consumers.

  2. Let me correct some details on the GDPR by Qbertino · Score: 5, Informative

    Disclaimer: I've worked myself into GDPR details to shape my employer up for it.

    GP is a little off on some details.

    You have to *name* a Data Protection Officer. This can be anybody empowered to check compliance. Usually this is done by some administrative or IT specialist. Germany has had this for decades. No need for an extra hire.

    You don't have to spend thousands or millions. You just need to have a proper setup and due diligence in place. The new thing is that you need to document procedures in a standardized manner. The big difference between the law that comes in on 25.4.2018 is that someone could only sue you if he was damaged and only if he could prove a data breach of critical personal data. The fines up to this point also were laughable.

    Now anyone involved, including customers, can ask how data is handled and the authorities and others have the right to review documentation of your SOPs for data protection. Also you're in for big trouble with massive fines (up to 4% of global annual revenue) if you're careless with data and aren't willing to comply with the GDPR.

    In short: If you have your IT in order GDPR compliance isn't that much of a big deal.
    Documentation is, but compliance is not.

    If however your IT is shit, then you're in for trouble if they come for you. Big time.
    Since they *will* eventually come for you *and* most companies' (online *and* brick and mortar) IT setups are somewhere between disorganized shite and abysmal, companies would rather opt out than go through the hassle of complying. Which means only companies with proper procedures and due diligence in their IT will remain doing business in the EU. ... Can't really complain about that actually.

    Thus endeth some real-world details on GDPR.
    You're welcome.

    --
    We suffer more in our imagination than in reality. - Seneca
  3. Re:Thousands, try millions. by mvdwege · Score: 3, Informative

    A one person shop does not need a DPO:

    Does my business need to appoint a Data Protection Officer (DPO)?

    DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn't fall into one of these categories, then you do not need to appoint a DPO.

    (Source: GDPR FAQ)

    Unless that one person shop does engage in large scale processing of sensitive personal data, of course, but then they either have enough revenue to afford a DPO, or they are a shady 'ethicul biznizman' (aka spammer).

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  4. Re:Nothing "new" here by Sarten-X · Score: 1, Informative

    Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?

    IP address, for one.

    The GDPR is very broad in what it considers "personal information", and it's not necessarily wrong. There are a lot of ways to identify someone*, and unfortunately some of them are built in to our basic technologies, like the Internet. Under the GDPR, though, all of those potentially-useful bits of information must be protected and scrubbed.

    That means your Apache logs can't have any actual log data. It means your shipping labels are handled like highly-sensitive personal information. It means your vendors have to be able to prove GDPR compliance, or you aren't compliant yourself - and you're responsible for checking up on that.

    The regulation itself isn't onerous... it's the lack of limits and high penalties that become a double-edged sword. In my opinion, a staggered implementation would have been much more reasonable (such as allowing non-compliant vendors for a year), and tighter definitions with exemptions (like allowing 30 days of incidental logs) would drastically reduce the cost of implementing the remaining regulations.

    * In the US, the combination of ZIP code, state, and age can identify someone, and that's all old tech. Now we have IP addresses, connection latency, user-agent strings...

    --
    You do not have a moral or legal right to do absolutely anything you want.
  5. **note - they don't have to be sitting in the EU by btroy · Score: 4, Informative

    People you do business with don't have to be sitting in the EU when they visit your site for you to be liable.

    An EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.

    Also, if you stored the shipping label to, let's say, send them a package to their vacation home in Iowa, you're still liable ... as long as they are EU citizens.

    If all you do is Geo-fence, you're already not going to make it.

  6. Re:Nothing "new" here by mvdwege · Score: 4, Informative

    That canard again. IP address logging for the purposes of site operation has never fallen under EU privacy guidelines, unless that data is kept for longer than its intended purpose and used for data mining.

    Which is exactly the point of the GDPR: it says 'Don't do that and you'll be fine'. If you look at the FAQ you see that the GDPR does not cover this use of data.

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  7. Re:Nothing "new" here by Anonymous+Brave+Guy · Score: 4, Informative

    Regulations have consequences.

    Yes, and the GDPR really does have significant uncertainty and cause disproportionate overheads for a lot of smaller businesses, charities, etc.

    This is the kind of thing that makes it difficult for you to pretend otherwise.

    Well, yes and no. The article here isn't great: it perpetuates a lot of myths and exaggerations. The specific blocking service mentioned has been heavily criticised in other forums already for trying to cash in on the fear while providing questionable protection.

    Anyone with two firing brain cells can anticipate that GDPR trolls will appear on day 1 to sue whomever has deep enough pockets to be worth suing.

    Unless they'd actually used those brain cells to read, in which case they'd know that the GDPR is going to be enforced primarily through government regulators, not personal legal actions. There are plenty of problems with it, but attracting ambulance-chasing lawyers isn't likely to be one of them.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  8. Re:Nothing "new" here by mvdwege · Score: 3, Informative

    RTFFAQ, this is not covered under "large scale systematic monitoring" or "large scale processing of sensitive personal data".

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?