
Because an inversion of responsibility happens at some turning point of organization size.

A small company that wants to survive has to spend a lot of effort and engineering hours becoming compliant with the legislation. If they fail to do so, the following legal battle and potential fines have a high probability of bankrupting them. They must be proactive to avoid this.

Large corporations instead get to be reactive. They comply where it’s convenient and otherwise operate on an “ask forgiveness later” mindset. Legal battles and billion-dollar fines barely register and, instead of becoming destructive events, just become minor taxes on doing business.

As much as I appreciate the spirit of the legislation, the implementation has actually empowered large companies and is squeezing out small business.



I disagree. You know when you're doing shady things with your software. Just don't do it.


You disagree with what exactly?

In the case of being a small business, it’s not even about being shady. Imagine you were building a simple step tracking database for a pedometer app. All it does is store a user id and some daily steps. You have zero intent to market or share it in any way, no ad personalization, no third parties, etc. Before GDPR you’d just spin this up and be fine. Now you need to deal with data consent policies, data deletion tools, potential exfiltration policies if your DB isn’t in the EU, etc. Enjoy the engineering and legal costs there.

Mega corp can just ignore most of this and pay later. It’s a massive difference.


There's no need to transmit the collected data away from the device. Boom! Nobody is storing data. It's all local to the device. That's an easy decision to make. You don't even need to collect an ID of any type. This app on this device counted steps. Nobody outside of the app on that device needs to know.

Transmitting that information to the company servers is a decision that can easily not be made, and when it is, you're already at risk. So, why do it?


There are far too many use cases where you need persistent data stores that are not on the device. Feels like deliberate ignorance here.



