Whois vs GDPR, latest news

Royce Williams royce at techsolvency.com
Sun May 27 01:42:46 UTC 2018


On Sat, May 26, 2018 at 4:57 PM Dan Hollis <goemon at sasami.anime.net> wrote:

> I imagine small businesses who do a small percentage of revenue to EU
> citizens will simply decide to do zero percentage of revenue to EU
> citizens. The risk is simply too great.

That would be a shame. I would expect the level of effort to be roughly
commensurate with A) the size of the org, and B) the risk inherent in what
data is being collected, processed, stored, etc. I would also expect
compliance to at least partially derive from
vendor/cloud/outsource/whatever partners, many of whom should be
scaled/scaling up to minimally comply.

I would also not be surprised if laws of similar scope start to emerge in
other countries. If so, taking your ball and going home won't be
sustainable. If small, vulnerable orgs panic and can't realistically engage
the risk, they may be selecting themselves out of the market - an "I
encourage my competitors to do this" variant.

Naively ... to counter potential panic, it would be awesome to crowdsource
some kind of CC-licensed GDPR toolkit for small orgs. Something like a
boilerplate privacy policy (perhaps generated by answers to questions),
plus some simplified checklists, could go a long way - towards both
compliance and actual security benefit.

In a larger sense ... can any org - regardless of size - afford to not know
their data, understand (at least at a high level) how it could be abused,
know who is accessing it, manage it so that it can be verifiably purged,
and enable their customers to self-manage their portion of it??

I'm personally a big fan of undue diligence and all, but we need to
advocate for some ... realistic scaling of response.

Royce
