> Take the right to be forgotten. First of all, it should be common sense that no one has the right to force legitimate news articles to disappear because they don't like the content, but that is what the EU has ruled should happen.
That is not correct. The right to privacy is not an absolute right. It has to be balanced against other rights, such as the right to free press. In a normal news article case, free press would prevail.
> There is a good chance your little startup that isn't cash flow positive will have to spend $1 million of its VC money on becoming GDPR compliant.
I advise a lot of small customers to implement manual procedures to retrieve or delete data in case a request for it is made, and to set up a basic privacy and security policy, which they should have had already. This doesn't cost much.
> Except that controller must agree to every sub-processor you use.
This can be a generic agreement where the processor notifies the processor.
> Want to switch from AWS to GCP? You can only do it if all your customers agree.
Not true; you do, however, need to be able to tell customers which companies receive their data, which can be quite a challenge with sub-sub-subcontractors.
> Want to try out a new metrics or logging service? If it will have any PII you can't do it without customer (controller) permission.
Not true if the processing agreement contains a clause that instructs the processor to perform metrics or logging. Customer consent is often not needed unless it has a big impact on their privacy. Consent is only one of the legal grounds.
> You will basically need to hire full-time compliance officers to deal with this. The big tech companies already have compliance officers, but GDPR is so massively invasive to businesses that even small companies now need compliance officers.
If this were true I'd be a lot busier. It would be wise if companies assigned the responsibility for privacy and security, but it doesn't always need to be a full-time job with a legal background.