Indeed, this did not drop out of the sky. It has been in the works for years.
I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017. My country's data protection agency made no attempt at raising awareness despite having my email address on file :-D It's only been frequently hitting non-EU industry news and places like HN since late 2017 so I can appreciate how non-EU folks might feel blindsided by it.
I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017.
Likewise. This idea that the GDPR has been in the works for years so it's somehow implausible that very small businesses have only just heard of it doesn't stand up to scrutiny. No owner-run microbusiness is spending the time necessary to keep up with the vagaries of EU debates.
Similarly, the idea that the GDPR is plainly readable and so that shouldn't be a burden and no-one needs to consult experts makes no sense. The document is many pages long, there are many more pages of guidance and interpretation produced by both the EU itself and the various national regulators, and it's still fundamentally ambiguous on many significant practical points.
It is entirely reasonable for a small business that does relatively little trade with the EU not to want anything to do with this, and it has little if anything to do with how good or bad their practical data protection measures and respect for privacy are. If small businesses are overreacting then that is on the EU for failing to pass better law and provide sufficiently clear, concise and timely publicity and guidance on what it really means.
My business interests are in the UK, so we're stuck with this one. However, if we'd realised ahead of time how much trouble the new EU VAT rules would cause a few years back, we would gladly have sacrificed the modest part of our revenue that comes from other EU member states in order to avoid that mess, and it wouldn't have been a close decision. So I find it very hard to criticise anyone running a small business outside the EU for wanting to avoid the latest round of heavyweight EU regulations if they have a way to put themselves outside of their scope.
Thank you for perfectly describing the frustrations I have experienced with GDPR. As the owner of a small SaaS business in the US I don't have the time to follow various EU regulations that closely.
I only found out about GDPR earlier this year from a random HN comment. I can't understand the attitude from some HN commenters that everyone should have known about this for years. Where/how should every small business that could be impacted by this regulation be notified?
As you noted, the regulation is readable, but verbose and frustratingly vague. I ended up reading most of it along with countless articles from various third parties debating what it means and how to comply - and I'm still not 100% certain if the steps I've taken mean I'm actually "GDPR compliant."
I too got stuck having to comply since around 30% of my customers are in the EU. However, I gladly would have forgone all of that revenue and focused on non-EU customers only if I had known what was coming back then...
Nobody actually knows what "GDPR compliant" means. As it's up to you to demonstrate, and it's up to your regulator to decide a policy enforcement guideline, basically nobody knows. It's really, really, really burdensome, especially if you have to retrofit it to existing systems.
You know what? I'm pretty sure you can just talk to one of the European regulators in advance and ask them questions about points you don't understand. They are pretty slow but they do respond.
I'm probably a bit more in touch with this stuff than most because of the nature of my business, but in the last year or so I've seen more and more companies that made real work of their GDPR impact studies (companies with vast amounts of data and/or sensitive data were further along). For all but the largest, the impact has been very low; the longer ago they started, the lower the amount of work they had to do.
That's the price of sitting in your office with your head down though, you can't ignore changes such as these.
This is one of the oldest HN mentions about the GDPR I could find: