This means that I can bankrupt small, careless companies that hold a few hundred users' data?
The ICO (UK) has been fairly clear that the intention is not to fine businesses to the point where they cannot operate. It also seems fairly clear to me that they do not expect smaller organisations to jump through the same hoops as large ones such as Microsoft and Facebook. If you are a small organisation and you can show that you have and will continue to take meaningful steps towards protecting the data you hold and providing your users with transparency as to your processing, then the ICO and other regulatory authorities are not going to hit you with a 20M Euro fine [1].
I certainly feel as though the law is being perhaps misrepresented as some sort of anti-business regulatory overreach. I highly doubt the European Union wants to a) drive businesses away from Europe and all that yummy tax money that they bring with them, or b) piss off European consumers by restricting their access to all the fun things being provided by non-EU companies. It's not in the EU's interest to do either of those things, but there has to be a balance, right? The fact that organisations can collect huge amounts of personal data and when/if something happens just shrug it off (exaggeration, I'll admit). The current legislation doesn't give supervisory authorities (such as the ICO) enough of a bite to encourage compliance from larger companies. £500k (current fine limit) is nothing to an organisation that turns over billions a year globally. I'm sure in many of these circumstances the cost of compliance would far outweigh any fines handed out.
The debate here is very interesting though, as there are plenty of people viewing this from different angles. I wonder if some residents of non-EU countries here feel as though the EU (to them an unelected body) is effectively overruling their domestic legislation, and that this is not right. I can certainly understand the argument that whilst (in my opinion) this law could be overwhelmingly good for consumers, especially given the current climate, it could be viewed as setting a dangerous precedent for extraterritorial reach.
[1] https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-...
That's a problem, imho. We cannot rely on good intentions when it comes to the interpretation and enforcement of the law. Anyone who's gotten caught up in the quagmire of legal bureaucracy understands that.
The law is the law, and will outlast the good intentions of the authors or people currently in charge. If the law, as written, was not intended to be as such, then it should be amended.
Within small companies, it's now easier to push for proper data security, for not being careless. "Boss, I know it'll slow down our release, but if we don't do it, we could go bankrupt!"
And as for ANY regulation, progressive enforcement should be the norm. We shouldn't expect the same level of data security from John Buckley's local tool supply that we expect out of Amazon.
Ha! Try telling that to the Americans ;)
I feel like that's going to be more an incentive to ignore EU residents if the fees are that high. Even with a huge security budget, mistakes are made; is it worth it to risk that much cash? Check any gaming console: they have a pretty big incentive to keep the security pretty high, yet failed to do it so often.
That said, the existing legal precedents won't prevent the imposition of much larger fines when warranted after May 25, given the new law's higher maximums.