Comment by mmarq
5 years ago
Having worked on and led 3 GDPR compliance projects, I can say that the cost of GDPR compliance is close to zero if your business is not tracking users or selling their data without consent. This assumes you are following best practices for storing users’ data (i.e. encryption, limited access to authorised personnel, etc.). If you store data without encryption, or allow randos to access users’ personal data, you shouldn’t even be in business.
Also the EU is quite tolerant with breaches, as in if you are found in breach they will give you plenty of time to address it (which often means removing a tracking cookie you forgot about or adding it to your cookie policy).
At this point GDPR is way too tolerant, given that in 99% of cases you get away with a banner that makes it impossible to refuse tracking.
So not being GDPR compliant, which at this point means a bit more than being decent with users, says more about the business model of these companies than about anything else.
Don't know why you got downvoted.
As a former GDPR compliance officer for a company managing about 40 customer websites, I can confirm that GDPR compliance is not burdensome or costly, unless you are intent on violating the GDPR. You appoint someone on your tech staff as compliance officer, and as an organisation you make sure that complaints are handled.
Handling complaints is something any business should be able to do, GDPR or not; a business that can't handle complaints isn't a viable business.
For small organizations, even if they are not tracking or doing anything with data that would need to be changed to comply with GDPR, the couple hundred or so Euros a year to comply with Article 27 [1] might be enough for them to block EU access.
[1] https://gdpr-info.eu/art-27-gdpr/
If you are not doing anything with the data, you should just not collect it. A newspaper doesn’t need to collect my personal information.
Besides if you don’t have a regular client base in the EEA or you process and collect data only occasionally and on a small scale, you don’t have to appoint a GDPR representative.
In a few words: don’t collect data without permission, don't spy on your users, don’t profile them, don’t process or sell their data without permission, delete all data about them if they ask you to do so, and you’ll be OK.