The EU’s new General Data Protection Regulation (GDPR) is a set of rules that give consumers rights about how their data is stored, used, and deleted. This step-by-step GDPR guide for managers is a great place to start understanding it, or for something a little more dry and lengthy, try Microsoft’s guide to GDPR.

As a consumer, I love a lot of things about the GDPR. I’m sick and tired of software that phones home without telling us what data it’s taking, doesn’t tell us where the data goes or who sees it, and doesn’t give us the right to have it erased.

But for businesses, the GDPR is a little vague and more than a little scary. It gives EU citizens the right to be forgotten – which means when they ask, the business has to delete everything about that customer. Plenty of gotchas apply – like you have to keep enough to still pass a tax audit – but as an example of a really curious gotcha, what about your backups?

For example, do you have to delete the customer’s data inside your past backups? There’s a discussion about that, and it’s made even harder by products like Apache Kafka that don’t really support deletes.

I can only imagine how the initial round of enforcement attempts are going to go. It’ll be a wild West for a while as software vendors, service providers, consultants, lawyers, and judges struggle to figure this thing out.

The max penalties are terribad.

Up to €20M or 4% of your company’s annual worldwide revenue, whichever is higher. (2017/12/19 – Updated wording – thanks, Michael J. Swart!)

Those numbers are big enough to get business’ attention, so I figured that leading up to the May 2018 deadline, companies would start discontinuing services. Sure enough, Microsoft has made it official – Connect.Microsoft.com is a dead man walking:

If Microsoft can’t even figure out how to get Connect.Microsoft.com to work with GDPR regulations, how are small businesses supposed to cope? It’s gonna be tough.

Update Dec 18th afternoon – after this blog post was published, someone edited the home page of Connect so that it no longer shows the above reason, and now just has a generic we’re-changing-stuff message. This is why you take screenshots of web sites, heh heh heh.

We sell online training in the EU.

We’re a small business based in the US. We sell consulting & training for Microsoft SQL Server.

You wouldn’t think that would be a big deal – but you’d be surprised. For example, students send us information about their databases all the time as part of asking questions – and they often send it unsolicited, through unencrypted email channels. That information ends up all over the place: our mail server, our desktops, phones, laptops, search indexes, etc. I’m not really worried about us maintaining the confidentiality of that data, but now we’d have to add in new audit-able tracking.

See, under the GDPR, if someone asks us to delete their data, we not only have to delete it, but we have to audit that we deleted it, and maintain those records for EU authorities. And then respond to EU requests for that documentation.

But only 5% of our revenue is from the EU.

I know with exact numbers because a couple years back, the European Union decided to start making non-EU businesses collect tax online whenever EU citizens bought stuff – even if we, the seller, had no presence in the EU whatsoever.

This represented a new burden on us – we had to start tracking EU customer locations, collect taxes, and file taxes in the EU. Thankfully, the UK offered a VAT Mini One Stop Shop: register & file in the UK, and they would pay all your taxes to the different countries in the EU. With Brexit, there was already some uncertainty about how this would work going forward.

Back then, I was fine with the additional tax hassles & paperwork because it was 5% more revenue than we had before.

Today, between the GDPR and Brexit’s affect on the VAT Mini One Stop Shop – it’s just not worth the hassle.

So we’re gonna sit this round out.

For 2018, we’re not selling directly to folks in the EU anymore. Thankfully, the WooCommerce EU VAT Compliance plugin makes this as easy as checking a box:

That plugin is totally awesome – uses things like IP address, geolocation, credit card billing address, and more to determine location. Been really happy with it, highly recommended.

We’ll still keep the blog & mailing list open to EU folks – those are a little easier to manage – and we’re still doing SQL Bits 2018 since the conference organizers are the ones who track personal data, not us.

Long term, I’m hopeful that the GDPR will get sorted out in a way that protects consumers’ rights, and still lets businesses use off-the-shelf tools and policies to provide services to the EU. Hopefully the situation improves quickly and we can revisit that policy in 2019.

Update: Q&A from Reddit

There’s a very lively discussion on Reddit about the post (and a smaller one on HackerNews) and there’s a stunning amount of ignorance in the comments about how easy people think it’ll be to comply with GDPR.

Here’s some of the more educated comments:

pure_x01: “If you have any business or registry with members of the EU you have to follow the GDPR or you are not allowed to have the EU members in your database.” Bingo. This is what’s coming as a surprise to a lot of database folks. Even worse, it’s not just about databases – it’s about anywhere data ends up, like email, direct messages, and flat files on a network share.

Silhouette: “There is huge ambiguity from a legal point of view. Experts can’t even agree on whether things like old backup/archive material that is not in active use should be covered…. Lawyers and technical experts have been discussing these issues for months, and there is no consensus yet on many of them. If you think the answers are obvious, either you don’t understand the law or you don’t understand the technology.” Very well said.

iamapizza: “…many organizations are using the May 2018 deadline as a culling phase for products which were on the backburner anyway.” Yeah, agreed. The EU has never been a primary focus for us – 95% of our training revenue comes from outside of the EU. It was nice to have, but not worth the additional work & risk involved with GDPR compliance.

SauronsUnderpants: “If companies that cannot be arsed to care about our data are leaving, that’s a good thing for European consumers.” I don’t want your data, that’s the problem. I just keep getting it sent to me unsolicited, as I wrote above. I can handle the data we collect through normal channels, but I’m not about to build an auditing/tracking system for every other channel where folks can contact us. (Hell, if someone sends me their data, query, and email address via a Twitter DM, that’s conceivably a problem.)

0b_0101_001_1010: “So yeah, all in all this is a hard social problem, and solving it requires solving hard technical problems. It might not be worth it for a small company to solve it, but it looks like at least for the European society it is a problem worth solving.” – Nicely said. I look forward to seeing how the EU solves it.

Update: Compliance Info from Automattic

Automattic, the makers of WordPress & WooCommerce, just published some great resources:

WooCommerce: An Introduction to GDPR Compliance – “If you sell any products to customers based in the EU, or have EU visitors to your site, you’ll need to make sure your site complies with GDPR.” Again, driving that home to the folks who stick their heads in the sand.

Automattic and the GDPR: “We expect that Automattic products and services will be in compliance with GDPR requirements by May 2018.” And I’m really excited to see that – but I just need to see it before the fines go into effect. I’ve been burned by enough plugin bugs that I’d like to see ’em go live first.

CodeInWP’s WordPress GDPR Guide: really good place to start if you’re wondering how visitor data might get into your possession from various plugins. Lord knows you shouldn’t be processing credit card data yourself in the year 2017 – get Stripe.com and do it all on their end.

Update 2018/05/25: GDPR Day

Enforcement is now officially in effect, and looking back at this post from 6 months ago, I feel pretty good about our decision.

We stopped collecting a lot of data we didn’t need anyway, switched a few third party partners, and updated our privacy policy. Folks can request their data online and request erasure, and we don’t check whether they’re EU residents or not. Sure, it’s extra work for us – but I think it’s the right thing to do.

We’ve gotten a lot of press and questions around whether we’ll change our policies. Of course will, over time, when the standards are more clearly laid out and third party partners have built better tooling. Right now, though, it’s still too much of a wild west. (Hell, people still don’t even understand whether the law applies to EU citizens who aren’t EU residents.)