How (not) to do GDPR

I prepared a few simple recommendations for you.

1. Do not rush to break your software and business, unless you are deep into advertising or social profiling, or your IT processes amount to dumping every piece of data you have on an unprotected file server. If you are processing personal data for a legitimate business purpose in a reasonable manner, it is safe to assume you can stand your ground under any GDPR-related scrutiny.

I know a retail company that ceased CCTV recording in all their warehouses. All hell broke loose, even before the theft. The company became completely unable to find misplaced items. Why? Because there was a guy «responsible» for GDPR compliance who had the authority to handle it that way. When anyone opposed him, his answer was simple: fines are huge, risks are high, and is your advice to do otherwise backed by any willingness to cover possible non-compliance issues from your own pocket? Ah, you do not have enough money anyway, so get lost.

What this guy was essentially doing was covering his own ass at INSANELY HUGE expense to the company. Don't do it. GDPR is not about ruining your business (unless your business is very questionable already).

2. Do not buy shit. GDPR fearmongering is a goldmine for people selling «compliance solutions». But the truth is, there is no «compliance solution» you can buy. Under this hot GDPR sauce you would only buy things you neither need nor want. Less creative «solution providers» will sell you some firewall-antivirus-encryption stuff for twice the regular price. More creative ones will sell you data intelligence and audit tools of the most expensive variety that won't help you at all. GDPR is not about buying anything (unless you neglected your basics before).

3. Do not pay for any certification. Currently there is no GDPR certification, which literally means any certification you get is totally irrelevant for GDPR. The idea «there must be some checklists and papers, so it is worth getting your ISO27K or whatever until more specific requirements are in place, because ISO27K is the default way to prove to everyone you are a good citizen» sounds appealing, but the appeal of the idea lies in its deceptive psychological comfort and nothing more.

Of course it is not all that simple. Some minor organisational effort is still required, as described by countless howtos: remove everything you do not actually need (and stop gathering it «just in case»), get consent when appropriate, and keep track of what you do, both for yourself and for the data subject.