GDPR Misconception No. 5: The regulator punishes SMEs

If one reads the press reports about real or alleged data protection violations, the discussion always moves in the direction of the “big ones”, i.e. Facebook, Google and Co. One could conclude that the GDPR has these providers in its sights, but that is far from the case. The EU legislator apparently did not care whether the data protection law was applied to the baker in the village or to a multinational corporation. That cannot work: there can be no equality between such different types of controllers. Data protection reaches its limits when the entrepreneur is no longer in a position to carry out his activity economically. One can rightly argue that the baker is a bad example, because his data protection activities are rather manageable. I agree with that, but sometimes, unfortunately, you get the impression that the data protection authorities have not understood this. This is not about the baker’s data management, but above all about the relationship between small software providers and multinational giants. It is, of course, easy to go after the small supplier if he has not implemented his software exactly as the authorities would like. 90% of all software vendors want to offer meaningful solutions to their customers. They are not interested in commercial exploitation of personal data. When you hear that Google has put 500 man-years into GDPR compliance, you should not be impressed.

You would have to see that figure in relation to profit. But what should one think when the small software vendor has to go into debt to pay the lawyer’s fees needed to build GDPR compliance? It is no coincidence that the American providers started implementing the GDPR more than two years ago. In fact, the GDPR gives American providers a competitive advantage. The resulting constructs and general terms and conditions are so extensive, and in part also incomprehensible, because they accurately reflect the basic idea of the GDPR. Large US companies regard data protection as a purely legal, non-existential matter. The fear of possible consequences predominates, but it is always reduced to monetary considerations (class actions in the USA). This is pure risk management and entrepreneurially justifiable (for them, a fine is petty cash). Large corporations can quickly adapt to and enforce legal changes. For the small, innovative provider, this is almost no longer possible. Example: it is no wonder that marketing automation on the basis of open source tools is increasing massively. In the end, even the small providers want to play with the same weapons as the big ones.

But they are opening a Pandora’s box, because suddenly they find themselves in the swamp of profiling and automated individual decisions, which entail a long chain of follow-up obligations. It is more than doubtful whether they will be able to pay for them. The current data protection law means that the playing field is becoming even more uneven. The question arises as to whether a small provider still has a chance at all under the GDPR. Its product will become more expensive, and in the medium term this will put it at a competitive disadvantage. The same also applies to information security. Security has its price, and local solutions are still more controllable and secure. Especially in the age of new economic wars, the EU should be interested in supporting its IT industry. The GDPR does not help. In fact, the big challenge lies in information security. Only those who can invest sufficient funds here have a longer-term chance of surviving in the market.
