Backups of various kinds are in a similar position.
The reason GDPR is a bad law is that its real effect is so ambiguous.
Read literally, it imposes significant burdens on data controllers, particularly because of things like the right to erasure. Those burdens may be disproportionate particularly for smaller organisations that only handle a limited amount of data in the first place.
The alternative, which I've noticed GDPR's defenders tend to favour as understanding has grown, is something to the effect that regulators won't actually enforce the rules in a draconian fashion and will only go after serious infringement in practice. But that's a dangerous position to adopt in legal matters, because ultimately it means if you go too far in complying when others don't then you are at a disadvantage, but if you don't go far enough then you are subject to being punished at any time, and there is no objective standard for how far we're talking about either way.
> The alternative, which I've noticed GDPR's defenders tend to favour as understanding has grown, is something to the effect that regulators won't actually enforce the rules in a draconian fashion and will only go after serious infringement in practice. But that's a dangerous position to adopt in legal matters, because ultimately it means if you go too far in complying when others don't then you are at a disadvantage, but if you don't go far enough then you are subject to being punished at any time, and there is no objective standard for how far we're talking about either way.
Exactly this. As a consumer, I really like most of the protections that GDPR provides and I want them to be widely followed and enforced.
As a freelancer who works with mostly small clients, I really wish that there was clear, official communication on what sorts of common practices need to change (or not) and examples of solutions that small businesses can implement to be compliant. Just telling them to not worry because they're too small for enforcement actions isn't a good solution since it limits privacy protection and compliance to large companies.
> As a freelancer who works with mostly small clients, I really wish that there was clear, official communication on what sorts of common practices need to change (or not) and examples of solutions that small businesses can implement to be compliant.
As a freelancer/consultant, I wish there was official guidance on when we are a data processor for our clients, and when we're not. Which employment situations make a difference (if any do).
It's not just our industry; anyone who's self-employed is in the same position if they see any personal data from their clients' businesses.
The reason GDPR is a bad law is that its real effect is so ambiguous.
Read literally, it imposes significant burdens on data controllers, particularly because of things like the right to erasure. Those burdens may be disproportionate particularly for smaller organisations that only handle a limited amount of data in the first place.
The alternative, which I've noticed GDPR's defenders tend to favour as understanding has grown, is something to the effect that regulators won't actually enforce the rules in a draconian fashion and will only go after serious infringement in practice. But that's a dangerous position to adopt in legal matters, because ultimately it means if you go too far in complying when others don't then you are at a disadvantage, but if you don't go far enough then you are subject to being punished at any time, and there is no objective standard for how far we're talking about either way.