> For example, additional restrictions are in place for “large scale” processing of personal information, yet “large scale” is never defined. Is that hundreds, thousands or millions of records?
Hundreds or thousands not, millions definitely yes, somewhere in the middle you get to draw a line which to me is an indication that the closer you get to those millions the more you'll have to work and then those additional restrictions kick in.
There are companies that store billions of profiles (Google, Facebook), and for those the 'large scale' moniker is a no-brainer. If you're a small company that stores a few hundred to a few tens of thousands of records because you are doing direct business with those people then that would most likely still qualify as small. But from 100K and up I'd make sure the house was in order, not just because of the GDPR but because you are becoming a nice, fat & juicy target for miscreants as well.
That is the scope I was ballparking mentally (and which fits the scope of processing done in my app), but I just wish they had been explicit about it in the regulation so I could put to rest any apprehension around it.
The room built in is to ensure that there is some flexibility regarding for instance financial and health information where those restrictions would probably kick in sooner versus some e-commerce company such as a web store where the need to keep the data around on live systems is much less urgent.
That way one law will allow banks, insurance companies, hospitals and a mid-sized e-commerce company all to figure out for themselves what their comfort zone is, add a little room for safety and you're most likely going to be good, and even if not you can point at the law and say 'it wasn't explicit', so unless you are purposefully mis-interpreting a few million records as 'small scale' you will likely get away with that. Note the 'likely', this isn't a certainty but in my experience to date everybody that is fear mongering about the GDPR is coming up with the wildest of scenarios rather than to just look at the law as if it was intended well (which I really believe it is).
> Note the 'likely', this isn't a certainty but in my experience to date everybody that is fear mongering about the GDPR is coming up with the wildest of scenarios rather than to just look at the law as if it was intended well (which I really believe it is).
Bringing up the "parade of horribles" is a standard way of reacting to regulations, and it's normally countered by the regulators just pointing out that the horribles rely on really tortured interpretations that aren't intended. With the GDPR, that hasn't been the response (which has instead been a double-down on "it's just common sense" without confirming or refuting what will happen). For me, that's some cause for concern.
I've rarely seen so much positive effect from a law before the date at which it would be enforced. My inbox is regularly visited by companies that suddenly feel that maybe they should obtain my consent to spam me further, in spite of me trying - sometimes for years - to get off their lists.
We'll see what happens after May 25th, but for now I'm really hopeful that we will finally see some counterbalance to all this ridiculous profile building for marketing purposes.