• David.Poole - Friday, January 12, 2018 7:20 AM

    As John Mitchell says there is a lot of misinformation out there.  The guidance from the ICO in the UK is pretty straightforward.  The act itself isn't unreadable legalese.  It puts informed, voluntary consent and privacy at the heart of everything.

    There are a couple of situations where you are likely to fall foul of GDPR. 

    • A customer complains about you to their country's supervisory authority (in the UK that is the ICO) and you don't respond in a timely manner
    • You are unable to demonstrate to the relevant supervisory authority that you have the processes in place to be able to comply with the regulation


    This is not a s%^tstorm.  This is a piece of regulation that has taken a long time to formulate, gain agreement from 27 member countries and has had a long running-in period.

    If you are doing things that cause your customers to complain to the supervisory authority then perhaps you need to look at your processes and the way you handle your customers.  Surely that makes good business sense.
    Should the supervisory authority choose to audit you then you need to show that you can respond to a customer requesting their data, corrections, erasures etc.  You also need to demonstrate that you are taking sufficient steps to ensure that you take reasonable care in protecting your customer's data.

    Brent Ozar's case is a bit of an oddity in that clients send him data sometimes unsolicited.  In such a case Brent would be a Data Processor and the sender would be the Data Controller.  The Data Controller should not be sending Brent personally identifiable data without Brent being under contract, having representation in the EU and being sure that Brent has the facilities to ensure that the data is kept safe etc.  Incidentally, if PII data is being sent to Brent in the US then existing laws are already being broken.
    It is sad that Brent has decided not to continue to service the EU & UK but entirely understandable.  I commend him for his politeness and professionalism in responding to responses to his article where those responses fall a long way short of both politeness and professionalism.

    Except that, as you say, even if you're amazing and no one has a bad word to say about you, then if you are audited you could be tripped over by any one of a number of things.

    You may be taking steps to protect things, but this new legislation potentially puts stricter rules in place, which, if you have a long-running software product, costs you a lot of money if you want to escape fines.

    A lot of thought may have gone into it, but have they actually tried to apply it to a real piece of software to see what that means?  All these abstract terms they use require interpretation and could easily be interpreted in multiple ways when it comes to different components of a piece of software.

    Isn't it also the case that someone could request that you remove all data about them, irrespective of whether they like what you're doing or not?  And thus if you're found not to have complied with some governing body's interpretation of this then again - fined.  Plus there are all sorts of grey areas.  For example:
    - Customer gives you data, gives consent
    - You use it in ways agreed, that could involve a third party.
    - Customer asks you to remove data you store on them.
    - You remove all data
    - Third party contacts them - customer complains, blames you because X(you)-is-the-only-organisation-I-shared-that-with.  You then get slapped with a fine because you can't prove that it wasn't you.

    Regarding the regulation having taken a long time to formulate and 27 member countries agreeing - well, what is the point here?  This is governments we're talking about; of course it took a long time.  But how many of those countries agreed after consulting with software development experts?  Not many, if any, I'd wager - thus they agreed to something without much thought for what the reality of implementing that would mean; it just looks good on paper.