There's a large distance between not knowing where your data ends up/using it badly and being actually GDPR-compliant, which in many businesses requires a massive administrative burden.
If it requires a massive administrative burden, that company has collected or is in the business of collecting a lot of personal data. In which case, it's good that there's a burden, since they are holding a lot of sensitive data and should be held accountable for what they do with it, and how they allow it to be used.
1. One can collect "a lot" of personal data without any of it being sensitive.
2. The amount of personal data and the administrative burden are sometimes correlated, but often aren't. Collecting name and email from a few people in eighteen different ways creates a much, much larger administrative load than collecting name, email, and ten other items of information in a single way.
3. One can use all that personal data well and not violate the rights of data subjects without being remotely GDPR-compliant.
4. Most of the administrative burden does little to nothing for how well data subjects' data is used.
> One can collect "a lot" of personal data without any of it being sensitive.
I don't think this is the case at all. Essentially all personal data is sensitive.
> The amount of personal data and the administrative burden are sometimes correlated, but often aren't. Collecting name and email from a few people in eighteen different ways creates a much, much larger administrative load than collecting name, email, and ten other items of information in a single way.
That's true, but also seems entirely reasonable. If you are collecting data in eighteen different ways, that means there are eighteen times as many ways you can fail to adequately audit or secure it.
> One can use all that personal data well and not violate the rights of data subjects without being remotely GDPR-compliant.
Probably technically true, but in practice? Regulators are more concerned about compliance than anything else. Are there likely scenarios in which data is collected and processed in a responsible manner, but technical GDPR compliance is a huge burden?
> Most of the administrative burden does little to nothing for how well data subjects' data is used.
Why would this be the case? Most of the administrative requirements appear to be entirely justified methods to ensure that you have understood and evaluated the methods of compliance.
> I don't think this is the case at all. Essentially all personal data is sensitive.
Noooooo, not according to this or any other privacy law. Under the GDPR, it's "data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation."
> Are there likely scenarios in which data is collected and processed in a responsible manner, but technical GDPR compliance is a huge burden?
Yes. My company, and most companies of other privacy professionals I've talked to.
> Why would this be the case? Most of the administrative requirements appear to be entirely justified methods to ensure that you have understood and evaluated the methods of compliance.
If you think that any cost is justified to ensure that something that ought to be done is actually being done, sure. By any analysis of costs and benefits, I think you might come to a different conclusion, but that would require some kind of real analysis of costs and benefits. I haven't seen that from anyone who is both (a) a supporter of the law and (b) someone who has actually spent time implementing it in a real, involved business that deals with personal data (and I mean actually implementing it, and not the absurdly simple version many HN commenters seem to be doing that doesn't include massive amounts of documentation).
Do most small companies have a CIPP/E or privacy lawyer (or someone who has equivalent training/experience) on staff? We know statistically that not only don't they, but they can't, because there aren't enough of them out there. And if you don't, you'd better have an insanely simple business, because otherwise you're not going to come close to compliance.
Please give us more details of what you think the administrative burden is, because I think you have overestimated it.
Being able to provide a user with the data you have on them, and being able to delete it, should be basic requirements of any software company. And now they are, which is great.
I'm an attorney leading (from a legal standpoint) a SaaS provider's GDPR compliance effort. There most definitely is an administrative burden (setting aside whether you think that burden is merited). The SaaS provider is acting as a processor for its business customers (so fewer obligations than if it were a controller), and there are many admin requirements. The GDPR is an accountability framework, and one must be prepared to demonstrate not just compliance but often how one got to the compliance decisions one landed on. One must maintain processing records, implement DPAs, and a variety of other things. The GDPR is not a privacy law; it's a data protection and personal rights law, which is much broader.