Update 2021-03: We now sell our training classes worldwide here.
The EU’s new General Data Protection Regulation (GDPR) is a set of rules that give consumers rights about how their data is stored, used, and deleted. This step-by-step GDPR guide for managers is a great place to start understanding it, or for something a little more dry and lengthy, try Microsoft’s guide to GDPR.
As a consumer, I love a lot of things about the GDPR. I’m sick and tired of software that phones home without telling us what data it’s taking, doesn’t tell us where the data goes or who sees it, and doesn’t give us the right to have it erased.
But for businesses, the GDPR is a little vague and more than a little scary. It gives EU citizens the right to be forgotten – which means when they ask, the business has to delete everything about that customer. Plenty of gotchas apply – like you have to keep enough to still pass a tax audit – but as an example of a really curious gotcha, what about your backups?
For example, do you have to delete the customer’s data inside your past backups? There’s a discussion about that, and it’s made even harder by products like Apache Kafka that don’t really support deletes.
I can only imagine how the initial round of enforcement attempts is going to go. It’ll be a Wild West for a while as software vendors, service providers, consultants, lawyers, and judges struggle to figure this thing out.
The max penalties are terribad.
Up to €20M or 4% of your company’s annual worldwide revenue, whichever is higher. (2017/12/19 – Updated wording – thanks, Michael J. Swart!)
Those numbers are big enough to get businesses’ attention, so I figured that leading up to the May 2018 deadline, companies would start discontinuing services. Sure enough, Microsoft has made it official – Connect.Microsoft.com is a dead man walking:
If Microsoft can’t even figure out how to get Connect.Microsoft.com to work with GDPR regulations, how are small businesses supposed to cope? It’s gonna be tough.
Update Dec 18th afternoon – after this blog post was published, someone edited the home page of Connect so that it no longer shows the above reason, and now just has a generic we’re-changing-stuff message. This is why you take screenshots of web sites, heh heh heh.
We used to sell online training to the EU.
We’re a small business based in the US. We sell consulting & training for Microsoft SQL Server.
You wouldn’t think that would be a big deal – but you’d be surprised. For example, students send us information about their databases all the time as part of asking questions – and they often send it unsolicited, through unencrypted email channels. That information ends up all over the place: our mail server, our desktops, phones, laptops, search indexes, etc. I’m not really worried about us maintaining the confidentiality of that data, but now we’d have to add in new auditable tracking.
See, under the GDPR, if someone asks us to delete their data, we not only have to delete it, but we have to audit that we deleted it, and maintain those records for EU authorities. And then respond to EU requests for that documentation.
But only 5% of our revenue was from the EU.
I know with exact numbers because a couple years back, the European Union decided to start making non-EU businesses collect tax online whenever EU citizens bought stuff – even if we, the seller, had no presence in the EU whatsoever.
This represented a new burden on us – we had to start tracking EU customer locations, collect taxes, and file taxes in the EU. Thankfully, the UK offered a VAT Mini One Stop Shop: register & file in the UK, and they would pay all your taxes to the different countries in the EU. With Brexit, there was already some uncertainty about how this would work going forward.
Back then, I was fine with the additional tax hassles & paperwork because it was 5% more revenue than we had before.
Today, between the GDPR and Brexit’s effect on the VAT Mini One Stop Shop – it’s just not worth the hassle.
So we’re going to hold off selling to the EU for a while.
For 2018, we’re not selling directly to folks in the EU anymore. Thankfully, the WooCommerce EU VAT Compliance plugin makes this as easy as checking a box:
That plugin is totally awesome – it uses things like IP address, geolocation, credit card billing address, and more to determine location. Been really happy with it, highly recommended.
We’ll still keep the blog & mailing list open to EU folks – those are a little easier to manage – and we’re still doing SQL Bits 2018 since the conference organizers are the ones who track personal data, not us.
Long term, I’m hopeful that the GDPR will get sorted out in a way that protects consumers’ rights, and still lets businesses use off-the-shelf tools and policies to provide services to the EU. Hopefully the situation improves quickly and we can revisit that policy in 2019.
Update: Q&A from Reddit
There’s a very lively discussion on Reddit about the post (and a smaller one on HackerNews) and there’s a stunning amount of ignorance in the comments about how easy people think it’ll be to comply with GDPR.
Here are some of the more educated comments:
pure_x01: “If you have any business or registry with members of the EU you have to follow the GDPR or you are not allowed to have the EU members in your database.” Bingo. This is what’s coming as a surprise to a lot of database folks. Even worse, it’s not just about databases – it’s about anywhere data ends up, like email, direct messages, and flat files on a network share.
Silhouette: “There is huge ambiguity from a legal point of view. Experts can’t even agree on whether things like old backup/archive material that is not in active use should be covered…. Lawyers and technical experts have been discussing these issues for months, and there is no consensus yet on many of them. If you think the answers are obvious, either you don’t understand the law or you don’t understand the technology.” Very well said.
iamapizza: “…many organizations are using the May 2018 deadline as a culling phase for products which were on the backburner anyway.” Yeah, agreed. The EU has never been a primary focus for us – 95% of our training revenue comes from outside of the EU. It was nice to have, but not worth the additional work & risk involved with GDPR compliance.
SauronsUnderpants: “If companies that cannot be arsed to care about our data are leaving, that’s a good thing for European consumers.” I don’t want your data, that’s the problem. I just keep getting it sent to me unsolicited, as I wrote above. I can handle the data we collect through normal channels, but I’m not about to build an auditing/tracking system for every other channel where folks can contact us. (Hell, if someone sends me their data, query, and email address via a Twitter DM, that’s conceivably a problem.)
0b_0101_001_1010: “So yeah, all in all this is a hard social problem, and solving it requires solving hard technical problems. It might not be worth it for a small company to solve it, but it looks like at least for the European society it is a problem worth solving.” – Nicely said. I look forward to seeing how the EU solves it.
Update: Compliance Info from Automattic
Automattic, the makers of WordPress & WooCommerce, just published some great resources:
- WooCommerce: An Introduction to GDPR Compliance – “If you sell any products to customers based in the EU, or have EU visitors to your site, you’ll need to make sure your site complies with GDPR.” Again, driving that home to the folks who stick their heads in the sand.
- Automattic and the GDPR: “We expect that Automattic products and services will be in compliance with GDPR requirements by May 2018.” And I’m really excited to see that – but I just need to see it before the fines go into effect. I’ve been burned by enough plugin bugs that I’d like to see ’em go live first.
- CodeInWP’s WordPress GDPR Guide: really good place to start if you’re wondering how visitor data might get into your possession from various plugins. Lord knows you shouldn’t be processing credit card data yourself in the year 2017 – get Stripe.com and do it all on their end.
Update 2018/05/25: GDPR Day
Enforcement is now officially in effect, and looking back at this post from 6 months ago, I feel pretty good about our decision.
We’ve gotten a lot of press and questions around whether we’ll change our policies. Of course we will, over time, when the standards are more clearly laid out and third party partners have built better tooling. Right now, though, it’s still too much of a Wild West. (Hell, people still don’t even understand whether the law applies to EU citizens who aren’t EU residents.)
Update 2020/09/22: Still No Easy Compliance
I was hoping to get EU/EEA sales opened back up for this year’s Black Friday sales, but then EU courts struck down the Privacy Shield law. As a small business, I just can’t afford to dedicate legal and technology resources while the EU figures out how their laws are going to work.
I still hope at some point it’ll be easy for me to meet EU compliance goals, but when giant companies can’t do it, I don’t stand a chance.
I understand your reasoning for this, but what happens about the Enterprise training bundle that has been promised to attendees of your SQLBits pre-con in February? Is that exempt because it will be free, or possibly because it falls before April? Or neither.
Thanks very much
Yep, as we noted in the post, we’ll still do the precon. Thanks!
No, the training bundle that comes with the pre-con attendance?
“Attendees get videos, too: you’ll get one year’s online access to our Enterprise Bundle – over 40 hours of online training covering query plans, index tuning, statistics, clustering, and much more. That way, you can dig even deeper into the material we’ll be covering in class. (That’s a $599 USD value, and it pays for the class right there!)”
Yep, you’ll be taken care of. Thanks!
Thank you, appreciate it.
What about existing subscriptions? Will they be terminated ?
No, but we’ll just stop *selling* stuff to Europe. So things like renewals will stop working, and subscriptions won’t renew. Just heading off risk from future sales.
So, the real answer is “yes”, existing subscriptions will be terminated at the renewal date. Which, more-or-less, just begs the question: how is this going to help get you off the hook? You still have data which may, or may not, fall under the GDPR rules and some A-hat might, or might not try it on.
Andrew – oh yeah, sorry, I misunderstood the question, my bad. Yes, subscriptions will be terminated. It doesn’t get us off the hook – it just reduces our exposure going forward. Microsoft faces the same problem – if they retain any backups of Connect data, EU folks could conceivably ask to be forgotten out of that. It’s a heck of a mess. The best I can hope is that our past customers aren’t A-hats, hahaha.
well well, someone got out of bed the wrong side this morning 😉 maybe that someone was me. Anyway, judging from the number of podcasts talking about GDPR compared to the number of people talking about it in DBA teams I’ve been involved with, either we are heading for what people thought what might happen with the millennium “bug” or we are heading towards what really happened with the millennium “bug”, or something in-between. If the legal es aitch eye tea does hit the eff ay enn then the EU is going to be so busy studying its own belly button that brexit will be forgotten and the USA really will be (comparatively) great(er) again.
P.S. please delete my… no, just kidding.
You seem to be on a rant without really understanding the law. You really need to read and understand the GDPR before you make more comments about it.
Example: There are many exemptions for the “right to be forgotten” and the GDPR doesn’t stand above other legislation, so if you need data for accounting purposes or similar then you just write kindly back and say it is not possible and the arguments.
If you have types of data people can request deleted, and you are worried about your backup, then you can e.g. make a process where you remove the individuals that requested deletion since the backup was taken, in the rare case you need to restore it. You are not meant to remove individuals from each backup that is stored.
Actually very little in this legislation is new, except the possible fines.
Thomas – those are your opinions, and that’s great. Unfortunately I can’t use your opinions with the EU when they come calling – I have to use my attorney’s, and he’s not quite as comfortable (or cheap) as you are.
(Also, just to be really clear – nobody’s completely off the hook with GDPR. Like I noted in the post, both the blog and the mailing list present challenges – heck, even your email address for this blog post comment might present problems.)
Don’t take my word for it, but don’t fall for the snake oil many consultants are selling, but you are right in that there is a cost and one has to think about/document how data is processed.
The email address is an identifier and that makes the attached information personal information, but it is not sensitive information, so unless you are using the e-mail address for marketing purposes, sell it to data brokers etc then you have very little to worry about.
Thomas – you clearly don’t even understand the business we’re in: giving advice on databases. I appreciate you stopping by, but you’re barking up the wrong tree.
As a UK-based subscriber to your “Recorded Class Season Pass” (I think it initially had a different name), I find this disappointing but I can understand the uncertainty GDPR/Brexit brings & so hope a resolution appears before my subscription needs to be renewed.
Mike – absolutely, agreed. I’m guessing the first year will be a total bloodbath of legal fees, and there will be some standardizations & corrections made.
I don’t think this actually lets you off the hook though – won’t any data processed under existing data processing regimes now need to be handled under GDPR? As will, for example, any comments posted to this site by people from the EU.
Simon – oh absolutely, like I mentioned in the post – we’ll still keep the blog & mailing list open to EU folks – those are a little easier to manage.
Should be interesting to see how the GDPR pans out. I imagine that first fine against a small company will get some big news in the tech world. I’m a bit surprised that we aren’t hearing about more businesses pulling out due to concerns about the fine structure. Maybe they think they’re in good shape as far as data retention?
From my conversations with SaaS companies, I think most folks still don’t know about the gotchas with the GDPR. Most of the DBAs I ask about it have a completely blank face reaction.
I work in a hospital, we must keep records for 20 years as per local laws. If an EU citizen wants data removed across all our systems, how do we comply? Do overseas laws apply to businesses who do not operate online?
Dang, now that you mention it. There’d have to be exemptions for compliance with other laws?
I could see some trolling going on with people asking to be opted out then asking about themselves under relevant FOIA-like requests. Heck, I could see some trolling from people asking on behalf of others to have all their information deleted, and then the real person being upset their history is irrevocably lost.
Andrew – bingo, and Lord knows we have trolls in this community with an axe to grind and nothing better to do.
@ Andrew: Of course there is. As an example you cannot ask the police to delete a criminal record or the parking fine you haven’t paid yet. The tax authorities will probably also laugh if you request to be forgotten in order not to pay any tax.
@AG: The law applies to all data processing, but please read Article 17 – there are many exemptions and data about patients in hospitals could fall under e.g. Article 17(1a).
Thomas H – again, you are simply flat out wrong. You wrote:
> you cannot ask the police to delete a criminal record
You can. Anyone can ask for anything they want. This is the hassle of the GDPR – businesses now have to figure out what people have the right to delete, and what they don’t, and track all of it. They also have to be able to legally defend that decision, and all of that costs money.
In your world, people are well-educated, always follow the rules, and never waste anyone else’s time. Unfortunately, we are not in your world. This is the Internet. People are different here, and they will absolutely troll businesses in order to waste their time.
If it’s for the purposes of medical diagnosis, then there is a provision in the GDPR that slightly different rules apply (my source for this is https://www.hldataprotection.com/2016/01/articles/health-privacy-hipaa/the-final-gdpr-text-and-what-it-will-mean-for-health-data/).
However, I suspect the only impact of GDPR is really if you trade in an EU state. If you’re a US-based healthcare provider and your site specifically states that you’re not trading in the EU and don’t abide by the “Safe Harbor” regulations, then you probably don’t need to worry about the GDPR. If you’re not online, you can probably safely ignore it I’d think.
(Note: I am not a data protection lawyer, nor do I play one on TV, but I did work in government in the EU for 10+ years and am currently doing some GDPR implementation work for my employer)
As far as I know hospitals are excluded from GDPR. As far as your last sentence, if I understand correctly GDPR applies to all businesses that possess and process personal data
I see a business opportunity for me. I’ll simply become a dark alley reseller. I take money, provide, purchase, keep no records of transactions. Does no data = compliance?
The problem is logins. Folks need to access their data, which means email addresses to reset passwords, and bingo, you’ve got PII.
not really, passwordless login solves that (email an access token to the user’s email), and unique encrypted email, so nothing personal is stored, anyways, can’t just a “Are you european?” checkbox solve that? (yep, europeans became the new bots to get rid of) and if they say yes, then deny the service/access/ban ip and if they lie… well, they lied to gain access, ToS should take care of that… or what do you think?
How does the 2018 Live season pass work? Will I still be able to enrol on the classes? I know they come up as ‘$0.00’ but you have to add them to your basket and purchase them, will the WooCommerce plugin block this?
Nope, you’ll be safe there. Thanks!
People, people, someone just needs to fill the big boots of the OZAR team in the EU and we are good to go.
I see a business opportunity here, franchise anyone?
I wouldn’t be surprised if some marketplaces handle storing of most of the account data and provide a web-hook with an id to delete the records from the client system, to handle just this going forward.
I find it interesting that Brent is more or less saying he’s willing to forgo what is essentially profit because of the risk of this system. Let’s face it, his videos and his overheads stay the same – the money he is losing is off the top. It wouldn’t surprise me if smaller vendors who aren’t capable of responding quickly to this aren’t making the same noises. Even though there’s time to implement for it, that time goes quickly.
Andrew – yep, exactly. The problem is that both VAT accounting and filing, plus GDPR compliance, mean it’s not off the top anymore. We’d basically need a new FTE to do justice to compliance. If I assign those duties to a consultant, that takes away billable client time, and that doesn’t make financial sense.
You are offering consulting and training on database administration and aren’t confident on how to delete personal data from your own databases?
Try reading the post, chief. Specifically:
For example, students send us information about their databases all the time as part of asking questions – and they often send it unsolicited, through unencrypted email channels. That information ends up all over the place: our mail server, our desktops, phones, laptops, search indexes, etc. I’m not really worried about us maintaining the confidentiality of that data, but now we’d have to add in new auditable tracking.
In this specific example I do not think you can be held responsible for the wrongdoings of your students.
They are the ‘data owner’ or the ‘data processor’ mentioned in the GDPR papers.
If they send sensitive information from their database to you, they are the ones with the problem, not you.
That would be the same as saying that a webhosting company was responsible when one of their customers posts sensitive information on the customer’s website, hosted by you.
Peter – again, that’s great that you have that opinion, but that’s not what our attorneys came up with, and the level of risk was high enough that it wasn’t worth the 5% of our revenue to risk fines.
I did think about the wording and thought it was too vague, but couldn’t change the comment after saving 🙂
The way everybody I know of is interpreting this (here in Europe), and are changing their policies to say, is ‘in this specific example you will not be held responsible…’
…but if your lawyers are advising against that, I fully understand you don’t take chances
We are sweating over this in a major global company. That line about the risk not being worth the reward is bang on the money for an awful lot of decisions we are having to make.
As you’ve said, it’s not so much the technical issues of finding and removing information on request – that’s arduous but doable – but auditing the information for a lifetime is just hell on earth (or doubling IS staff, just for auditing implementation, support, answering requests, validation etc.)
It’s a minor part of the equation, but it should be pointed out that the VAT Mini One-Stop Shop (MOSS) scheme is not unique to the UK. You can register, the same way you did in the UK, in any other EU member state and file your VAT there. The MOSS scheme does contemplate change of member state of identification, with no quarantine period, and the switch can be made on the same day, as per https://europa.eu/youreurope/business/vat-customs/moss-scheme/index_en.htm
mf – yep, but we’ve run into enough paperwork with the MOSS scheme that we decided to draw the line here. Like I wrote in the post, the GDPR was the tipping point where we said alright, that’s about enough work & risk for us – it’s beyond our tolerance point now.
You are forgetting EU citizens that may be based in the US.
Nope, not forgetting them at all. Just reducing our risk exposure.
I see this post as further proof that GDPR is the best thing the EU has ever come up with.
If companies that cannot be arsed to care about our data are leaving, that’s a good thing for European consumers.
Chris – I dunno, I’m a huge fan of the passport portability. It’s really cool that you can use an EU member passport to travel anywhere in there without hassles. Having flown a lot and seen the short EU member lines vs the outsider lines, that’s a pretty cool perk too.
What I like best about the EU is that it was started to keep Germany from bullying everyone and now… uh…
Let’s stick with Brent’s thing about the passports.
No Erik, the UK joined the EU (then EEC) to drive a wedge between Germany and France, France joined to be able to support its inefficient farming system and make everybody buy their produce, and Germany joined to cleanse themselves of genocide and apply for re-admission to the human race…… and you think it’s nuts over there under Trump!
John, such statements cry for someone with just a little knowledge of the history of the EU, who has benefited the most from their membership etc., to reply, but I am afraid it will not help
It’s a quote (or nearly so) from a UK comedy show called “Yes Minister”.
If you think that Germany ever did anything wrong, you are beneath contempt.
Speaking of trolls…
Don’t forget the EU was a continuation of the EGKS and before that the BLEU (Belgian Luxemburg, afterwards joined by Holland)
For me to forget that, I’d have to know it in the first place.
That’s not true. It’s very unbalanced re privacy. I am a small designer/inventor in Australia. I rarely sell to the EU, but do to the UK. Whilst I sell through Etsy, Etsy has covered themselves by telling us we all have to get separate legal advice and draft our own privacy policies to be GDPR compliant. As ridiculous and vague as that is, the most worrying thing for me (apart from the vagueness, the threatening tone of the large fines and the cost of it) is that the same privacy does not apply for businesses selling on these platforms. To comply we HAVE to put all our contact details including addresses where the public can see. Many of us are home based businesses and I would never share that info publicly online. So why are businesses not protected by the same privacy laws?! I’ve pulled out of selling in the UK and EU as it is not worth the risk…
With regard to the VAT Mini One Stop Shop you can relocate to different EU country with English as an official language, e.g. Ireland, Malta or Gibraltar.
Mirek – yep, scroll up a little and that was discussed in the comments. Thanks!
Would it be an option to only allow “corporate” accounts to use the service from Europe? Things like a checkbox “this isn’t my private contact info” so we could use a generic info@ or training@companyname and the company’s registered address instead of PII?
Tom – it might be possible, but I don’t have a good automated way of ensuring that it really is a company on the other end. I’ve learned over time that people will just click any checkbox to get what they want, and then I have to deal with the aftermath. To really defend ourselves legally, I’d want our attorneys to spend a lot of time working with us to build the right process – and that’s expensive. The ROI just isn’t there right now.
So, if I have a patient from the EU, I need to find a way to delete that patient from my .bak files, purge their data from my ETL services and notify all my data partners to also purge that data?
And I can’t turn them away, because we are a hospital?
James – yep, welcome to the reality of doing business with the EU.
You’re only scratching the surface, too – it’s much bigger than that. Enjoy!
It’s a shame you feel you can’t sell to EU now because of their stupid business killing protectionist tax rules. Another reason I can’t wait for UK to leave that commerce stifling club, then we can do business free of sales tax markups as I do when selling to the US.
However GDPR will never go away, and even with Brexit we’ll be fully committed as so much of UK business happens with the rest of the EU, so it is being enshrined in UK law anyway. It will require case law to iron out the very big wrinkles in the ambiguous regulations, and everybody will be waiting to see who is the one with the resources to take up the legal fight. 10 million is enough to sink all but the larger businesses – I can’t blame you for staying away from that crap.
Yes, agree with you John, its going to be very interesting to see what happens over the next year or so…
As a European I am happy the regulation will finally force US companies to stop selling our personal data without our consent. It also means such data will have to be protected and cannot be available to just anyone. I understand the ‘Right to erasure’ is most controversial, not only to you but also to lots of companies in the EU (who is to be protected by this, you guess). And, it does NOT mean the data have to be deleted from backups! Panic do not! There are lots of comments on this topic on the Internet (I suggest to read those from the EU). Uncle google is your friend 😉
Marek – as much as I’d love to use a comment from the Internet as proof in a court case, that’s not exactly how business works.
Thanks for stopping by, though.
I’m just curious where and when you went to law school, Brent? Where did you pass a bar exam? Barring that, have you actually gotten a professional opinion from an experienced attorney who specializes in this type of law? Have you researched any case law about similar laws and regulations?
Obviously, you can run your business exactly as you see fit and state any opinions you like on your own blog, but I’m a little unclear on your professional qualifications to seemingly dispense legal advice. Just as I would be suspicious of an attorney giving medical advice or a doctor giving database tuning advice.
Personally, I think there might be some jurisdiction and enforcement issues with the EU trying to go after a non-EU company with no physical presence in the EU. I also think the EU would not be highly motivated to try to go after a small business in a non-EU country, such as Brent Ozar, Unlimited. But that is just my non-professional opinion…
I think it is a good thing to talk about GDPR and what effect it might have on companies, along with what practical steps data professionals should be taking to help prepare for it (and other similar future and existing regulations and laws). On the other hand, fear-mongering is not really that helpful.
Glenn – yep, I’ve worked with our attorneys on it over the past year. Thanks for checking though!
My hat is off to you for handling daggers with such professionalism!
Ol’ Glenn appears to have not read the full article or at least not been able to digest it. Otherwise, he would have seen that you had been advised by your legal firm to make the decision that you have.
And then he comes back with the snotty reply implying that you don’t have knowledge in this area, and that you’ve not done due diligence, and therefore you should shut up.
Very well handled, Brent. You’re a better man than me!
Van – heh, well, I’ve known Glenn for years, and I know he has good intentions.
I’m not such a good guy if you read my reactions to the comments from people I don’t know as well, hahaha.
LOL! With friends like these…
What the… isn’t there a loophole, like having me accept that you can keep my data?
Theo – no, because you can change your mind at any time and invoke the right to be deleted later.
I’m a fan of that because company behavior can change. For example, I used to be okay with Experian holding my financial data, but boy, have they proven to have some challenges over there. I’d love to be able to tell them to delete everything they know about me.
Good point… didn’t think of that one. 🙁
You can give permission, but it’s the overhead of managing others that might then decide they want it deleting – plus the risk of sanction if there is a data loss through breach. Though I would have thought there must be some sort of similar requirement to notify of data breach in the US also.
I hope your business to Canada is not too important either. Our Prime Minister has committed to reviewing the Canadian Privacy law to the level of GDPR. So you might end up having to cut off all your business as privacy laws worldwide follow suit…
GDPR should be seen as a trendsetter, not an exception. Personal data is just as important as credit card data, and I’m fairly sure you are careful about that one, since you can’t run a business without money, payment is kinda important right?
The EU is the first to put it out on the wall. Besides, when Visa threatens to send its forensic folks and put a stake in a business’ heart, people listen no?
Btw: have you checked if you have Malaysian customers?
LL – make sure to read the entire post, including this paragraph:
“Our Prime Minister” (notice the P and M… the brainwash is real) the peoplekind guy? the same guy that cries over anything, the same guy that refuses to give answers and repeats the same nonsense over and over? the same one that is 100% feminist but sexually harassed women in the past and the best he came with is he can’t remember? aw, canadians, y u so cute 🙂
An interesting approach to managing this would be segment all _identifying_ data and make that easily deletable. For example, one of our systems maintains user/email/contact info all tied to a distinct GUID for the person. If the information was purged from those few tables, but all other information was retained, it would be impossible for anyone to ever know it had ever been tied to an EU person, because all identifying details would be gone — even though much of the non-identifying user data would remain. If you additionally segmented that data into separate backups with a shortened retention span, you could solve the backup issue, as well.
This may not fulfill the letter of the law, but it would make it very difficult to prove you weren’t following it.
Sneaky – sure, but try doing that with ISV apps. You’re lucky if you can add an index, let alone separate columns of tables into separate databases.
So you’d have to delete all the information, and keep an audit that you deleted it. How do you keep an audit without having any PII in it?
“We have deleted the information of P. Sherman, 42 Wallaby Way, Sydney from our system.” Whoops, PII.
You can audit using a hash of the original data. Use that hash to ensure that the data is still not identifiable. This, of course, means we need to rely upon a centralized location to get a list of people that want to be anonymized from a system, which is NOT what I have been able to find yet.
Brent, I think you are overreacting, the EU would be horrified that businesses outside the EU would stop trading with them because of this regulation. The enormous fines you mentioned are UP TO that amount. Ten factors are considered before a fine is imposed.
To get a stiff fine you would have to have your user database stolen, and that caused damage to those users, and you knew your security precautions were weak, and you subsequently did nothing to mitigate damage to those people, and you have a past history of data protection infringements, and you have refused to cooperate with the relevant EU authority, and the types of data are likely to cause most damage, and you failed to notify the EU, and you have no approved certification for a code of conduct, and there are other aggravating factors.
In other words, you have to be a pretty shitty company to get a stiff fine from the EU. If you are making sincere best efforts to comply you are unlikely to be fined; in other words, common sense usually prevails 🙂
Jim – you forget about the cost of dealing with an inquiry. As a small business, we don’t have a full time legal team that we can devote to that kind of thing. Hell, even just dealing with the EU VAT took a significant percentage of our admin’s time. It’s just not worth the expense when it’s only 5% of our training revenue.
Good point, but as a business person I will take the revenue and deal with the problem IF it occurs. There is a high probability you will not have to deal with any GDPR issues. I will want proof there is a problem before I will lose any revenue from my business.
Jim – wow, sure hope you’re not dealing with my data.
YOUR data is safe Brent, I’ve dealt with the EU in the past, as long as you are making your best efforts, you will have no problems.
I love how you assume that I haven’t, hahaha!
So you would continue a customer that provides 5% of your revenue but costs you 6% of your revenue?
I guess you can make up the difference in volume 😉
Right, and he’d only find out when it was too late. Oopsie! So much for that business.
[…] Dublin Datacenter Case (09:30) Data Law (Brad Smith, Microsoft) (12:00) Brent Ozar’s post on GDPR (23:00) ClearDB deleted Frank’s data (25:00) Andy is not selling in the EU (26:40) Soup nazi […]
I’m living in Europe but not in an EU country (fortunately). However, GDPR is a big pain point for us as well as we are so depending on the European market. On the other side personal data has been abused (by governments and companies) and everybody has the right to be protected. EU being EU, they have created another bureaucratic monster that will keep everybody busy not thinking about the consequences too much.
Until certain legal aspects become clearer I think you’ve made a wise but sad decision. The bits that are poorest defined are around enforcement and international cooperation.
GDPR is manna from heaven for data professionals and consumers. It makes things that data professionals have wanted a long time a legal necessity. There are countries other than Canada that are outside the EU and looking to implement data regulation similar to GDPR.
For UK companies whining about GDPR I have little sympathy. It’s basically the existing Data Protection Act on steroids. If companies had been playing anything other than lip service to that law they would not be so worried about GDPR.
The 4% of revenue / €20 million fine is for abuse and breaches. Failure to have suitable mechanisms in place and administrative procedures carries a fine of 2% of revenue or €10 million.
Right of erasure is less worrying than right to demand data be corrected.
The regulation puts privacy and consent at the heart of everything. It says that consent has to be explicit and informed and not suckered into by fancy legalese and obscurity. Those companies who are upfront and honest with their customers are more likely to gain consent.
Governmental regulations have never helped one single consumer. Every one of them is a lousy substitute for basic liability laws, privately claimed and litigated. Government fines go to the politicians, not to the victims, if any.
So you would do away with which of the following:
1. Water and sewage regulations (local, state, federal)
2. Highway construction rules and regulations (lane width, ramp configuration, overhead clearance, speed limits, …)
3. Automotive rules (seat belts, leaded gasoline, lighting configuration, air bags, safety glass, …)
4. Building and fire codes?
BTW what are the “basic liability LAWS” anyway if not government regulation. Regulation is certainly the basis for a lot of litigation.
I am no fan of government and strongly support RR’s saying “Government IS the problem”. Nonetheless, unrestrained markets would lead us back to a Dickensian world.
You still don’t get it, do you? Here in Europe we do care about privacy. Otherwise we’ll end up one day waging ‘war on terror’ in some god forsaken place. I make a purchase: That’s it! WTF gives you the right to keep my personal information? I understand that for the Americans it is a hard concept to grasp since they live in a totalitarian state. Just keep showing those nice american flags in every movie and be happy.
Admin – try reading the post. Thanks.
WTF gives you the right to speak for all Europeans. “Here in Europe”?….. I live in an EU country and I’m sick of it! The EU is successfully turning into a dictatorship. First the VAT cr*p that ruined many small-business graphic designers, effectively making it bureaucratically impossible to sell to the EU customers. Now this new cr*p. Thank you very much, not everyone in the EU is impressed like you!
I have 2 interesting questions. If the GDPR is supposed to protect EU members/citizens’ information, what happens when it is the other way around? I subscribe (other than SQL) to two training sites based in England. How are EU companies dealing with this for non-EU citizens? Second part of my question is you are no longer selling to EU members. What about Britain, which currently is an EU country but is on the path to leave the EU?
As the UK is implementing GDPR and played a very large part in driving the regulation it’s going to be as per EU.
If your data is held in the EU or UK then you probably have the same protections regardless of nationality
I think you’re missing a point. It is not a matter of where the data is stored or where your company is operating. The question is whether the customer/user is in the EU.
The EU is moving toward an ultimately unacceptable position. To wit, if an EU citizen travels to SomeWhereBeyond, USA and buys a widget, then the widget vendor is subject to EU Environmental, Privacy, Packaging, and VAT.
Ray – just for the record, I’d be totally okay with a universal standard for this kind of thing. The part that’s untenable is different accounting, legal, security, etc requirements for different visitors without an ability to identify where the visitor is from. Without knowing who the visitor is, it’s impossible to comply with laws that conflict between countries.
What types of privacy data does the GDPR protect?
Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Racial or ethnic data
The Utah Data Center, it seems, was a waste of money after all.
You can be fairly confident that the Utah data center isn’t doing anything the legal way, hahaha.
I think you are all missing a point. The regulation says that it’s not forbidden to store customer data (if he so agrees).
It’s just that you can’t store this data that could, in case of a security breach, be identifiable. For example: if you erase customers’ data (name, surname, whatever…) and you have this data stored in a separate encrypted table/file (linked through customer_id, possibly on another server) then you’re ok. Another thing you must have: a plan for who can access this data. Which persons. This is how we have set up the thing here and we’re ok with the legislation.
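The three design ideas floated in the comments above (identifying data segregated behind a GUID and purged on request, an erasure audit that keeps only a hash so the audit itself holds no PII, and a separate table linked by customer_id) worked through as an added example; this is not code from the post or from any of the commenters. It uses sqlite3 in memory, constructed table names and sample rows, and a keyed hash (HMAC with an assumed secret) instead of a bare hash so the audit entry cannot be reversed by hashing guessed email addresses; it also shows re-applying recorded erasures after a backup restore brings an identity row back.

```python
"""PII segregation with a hashed erasure audit. Added example, not from the page;
table names, the HMAC key and the sample rows are all constructed for illustration."""
import hashlib
import hmac
import sqlite3
import uuid

# Constructed secret that keys the audit hash. In production it comes from a
# secrets store; if it leaks, audit tokens become guessable like bare hashes.
AUDIT_KEY = b"constructed-audit-key-replace-me"

SCHEMA = """
CREATE TABLE person_identity (   -- the only table holding identifying data
    person_id TEXT PRIMARY KEY,
    full_name TEXT NOT NULL,
    email     TEXT NOT NULL,
    city      TEXT
);
CREATE TABLE purchase (          -- non-identifying data, tied to the GUID only
    purchase_id INTEGER PRIMARY KEY,
    person_id   TEXT NOT NULL,
    sku         TEXT NOT NULL,
    amount_usd  REAL NOT NULL
);
CREATE TABLE erasure_audit (     -- proof of erasure; holds no PII
    person_id  TEXT PRIMARY KEY,
    email_hmac TEXT NOT NULL,
    erased_at  TEXT NOT NULL DEFAULT (datetime('now'))
);
"""

def audit_token(email: str) -> str:
    """Keyed hash of the normalized email: ' Alice@X.com' and 'alice@x.com' give
    the same token, and nobody can reverse it without AUDIT_KEY."""
    normalized = email.strip().lower().encode()
    return hmac.new(AUDIT_KEY, normalized, hashlib.sha256).hexdigest()

def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def add_person(con, full_name: str, email: str, city: str) -> str:
    """Identity row keyed by a fresh GUID; everything else references the GUID."""
    person_id = str(uuid.uuid4())
    con.execute("INSERT INTO person_identity VALUES (?, ?, ?, ?)",
                (person_id, full_name, email, city))
    return person_id

def erase_person(con, email: str) -> bool:
    """Delete the identifying row and record only a keyed hash of the email.
    Purchase rows stay, keyed by a GUID that no longer maps to anyone."""
    row = con.execute("SELECT person_id FROM person_identity WHERE lower(email) = ?",
                      (email.strip().lower(),)).fetchone()
    if row is None:
        return False
    with con:  # one transaction: the delete and the audit entry land together
        con.execute("DELETE FROM person_identity WHERE person_id = ?", (row[0],))
        con.execute("INSERT OR REPLACE INTO erasure_audit (person_id, email_hmac) "
                    "VALUES (?, ?)", (row[0], audit_token(email)))
    return True

def is_erased(con, email: str) -> bool:
    """Answer 'did you delete me?' from the audit table without storing the email."""
    return con.execute("SELECT 1 FROM erasure_audit WHERE email_hmac = ?",
                       (audit_token(email),)).fetchone() is not None

def reapply_erasures(con) -> int:
    """After restoring an older backup, remove any identity row whose keyed hash
    matches a recorded erasure. Returns the number of rows removed."""
    tokens = {t for (t,) in con.execute("SELECT email_hmac FROM erasure_audit")}
    removed = 0
    for person_id, email in con.execute(
            "SELECT person_id, email FROM person_identity").fetchall():
        if audit_token(email) in tokens:
            con.execute("DELETE FROM person_identity WHERE person_id = ?", (person_id,))
            removed += 1
    con.commit()
    return removed

def demo() -> dict:
    """Erase one customer, look them up in the audit, then simulate a backup restore."""
    con = open_db()
    alice = add_person(con, "Alice Example", "alice@example.com", "Dublin")
    bob = add_person(con, "Bob Example", "bob@example.com", "Chicago")
    con.executemany("INSERT INTO purchase (person_id, sku, amount_usd) VALUES (?, ?, ?)",
                    [(alice, "CLASS-PASS", 995.0), (bob, "CLASS-PASS", 995.0)])
    erased = erase_person(con, "Alice@Example.com")
    # Simulate restoring a backup taken before the erasure: Alice's row is back.
    con.execute("INSERT INTO person_identity VALUES (?, ?, ?, ?)",
                (alice, "Alice Example", "alice@example.com", "Dublin"))
    reapplied = reapply_erasures(con)
    remaining = [e for (e,) in con.execute("SELECT email FROM person_identity")]
    alice_purchases = con.execute("SELECT COUNT(*) FROM purchase WHERE person_id = ?",
                                  (alice,)).fetchone()[0]
    return {"erased": erased, "reapplied": reapplied, "remaining_emails": remaining,
            "alice_purchases": alice_purchases,
            "alice_in_audit": is_erased(con, "alice@example.com"),
            "bob_in_audit": is_erased(con, "bob@example.com")}
```

Third-party copies of the identity data (the webinar and email partners mentioned elsewhere in this thread) sit outside this database and are not covered by the reapply step.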
Admin – you’re missing a lot of parts about the GDPR like the right to be forgotten, but thanks for stopping by.
Brent, fair play on the way you handle these idiots/trolls. I guess you can use your own right to “forget about the trolls posting stupid comments on an interweb forum” ;o)
According to Froud, GDPR is not only for EU. http://www.davidfroud.com/gdpr-not-just-eu-citizens-or-residents/
Alan – make sure to read that entire post in detail, especially the part at the end about “doing business with Union-based organisations.” He’s saying that if you’re not in the EU, but you deal with an EU-based org, then you get extra rights you might not have had before. (We’re not an EU-based org.)
Just curious. In the annals of BrentOzar.com is this the most contentious or most debated post you’ve made? It certainly seems to have dragged on a long time 🙂
Ray – that dubious honor falls to a post which is 8 years old and still going strong:
Ahh, I forgot about that one. I think I chimed in on it a couple of times. Your post on not rebuilding indexes generated a little noise also. :)
Brent, my point exactly. I was referring to Scenario 2. Doesn’t that give US based companies a little extra breathing space? Not sure what that translates to someone like you. You don’t have to comply entirely, but partially? What exactly will US company be liable for?
Alan – no, sadly, this line is chock full of problems:
“who has made no effort whatsoever to market/aim their services to anyone outside of the US”
If someone subscribes to our mailing list, for example, and we send them an email to buy our services…whammo.
Hmm.. I am sure you know better and involved legal. I thought that companies with less than 250 people are somewhat at ease at this time. Article 30, Paragraph 5. http://www.privacy-regulation.eu/en/article-30-records-of-processing-activities-GDPR.htm also Plain English explanation is helpful here (need to download Excel file) http://www.davidfroud.com/free-resource-the-gdpr-in-plain-english/
Alan – again, you’ve gotta read the fine print, like the “unless” section in the 250-employees part.
I really appreciate your work to educate me, but yes, I’ve been through this in detail.
There is a fab new tool in SSMS 17.5 that helps with the GDPR spadework. (more on my site)
Richard – yep, it’s also on our site: https://www.brentozar.com/archive/2018/02/new-sql-server-management-studio-17-5-classified/
ah shucks, sorry Brent
No worries! The more folks that help get the word out, the better.
Brent, have you heard much about social media as it relates to GDPR? What if someone from the EU has left a post(s) on your facebook or twitter account and that person eventually decides they want to be removed from your database? Do you now have to go back through your social media data looking for posts from that person and delete them?? How crazy would this be ??? LOL!!!
Brad – the way I understand it, we’re not the controller or processor for that. The other networks would be. Thank goodness!
yes, that would be insane for sure!!!
Maybe everyone is just way too worried about how this will affect companies like yourself who do not actually have operations situated in the UK/EU…
Take a read of this for Canadian companies – specifically at the bottom… I wonder if this is really what will most likely happen – unless of course there is gross negligence…
Yeah, it’d be really rare. Like a US company arresting a German executive whose company was under investigation, and he just happened to come to the US on vacation.
Oh wait, that happened too: https://arstechnica.com/cars/2017/01/vw-exec-arrested-during-miami-vacation-over-emissions-scandal/
I understand that you’re not worried, but I’m going to hazard a guess that you also don’t own a company that is providing a roof over the head of your employees and their families. Changes your perspective a little, and you become a lot less interested in risking problems with some random government somewhere.
Yes, I certainly don’t disagree with your stance.. I get it for sure… I am just thinking that generally with a lot of things like this with potential big changes there tends to be a lot of hype and worry heading into it … As you said in an earlier post , there will likely be a year or two cool down period after it comes into effect where they will likely realize that it does not make sense to enforce some of the things they have built into the GDPR in the manner originally anticipated…
And yes, you are right… I am def in a different boat than you are!!!
Everyone was so worried here in Canada when our CANSPAM act came into effect (about 3 years ago now) requiring consent etc… for marketing purposes etc… and the potential fines that a company could wind up with from that… However, there have been so few fines levied against any company since it came into effect that it was basically a big to-do about nothing… Likely going to wind up being a similar thing with GDPR – although it is much further reaching for sure than our CANSPAM act was/is…
Brad – again, I hear you, but I’m going to venture a guess that you don’t own a company, much less a database company. Things are different when you’re the provider, rather than the provided-for.
I sure hope you’re right, but I’m not about to gamble my employees’ homes on it.
Yup, I understand your stance for sure… I am sure I would do the same thing if I was in your shoes…
PS… love all the work you guys do by the way… Lots of great content…
Thanks, glad you enjoy it!
GDPR: a solution looking for a problem. I’m all for treating customers and their data with respect. Not so much for backwards, cynical socialist government bodies. I sincerely wish a few Fortune 50 businesses/orgs (including Alphabet) would threaten to cease all business with EU customers and erase data of existing EU customers. It just might not take too long for the EU to scrap or seriously overhaul the GDPR. (Threat of) €20M fines is inexcusable avarice.
€20million is steep enough to make companies pay attention and not pay lip service. It stops cynical policies such as the vehicle manufacturer calculating that the cost of being sued for death & injury was less than the cost of substandard parts.
There’s going to be teething problems but for data people it’s making good data husbandry practices a must have rather than something to be descoped in favour of some shiny ball
What about people like me? I am an independent creator who makes art for a hobby. I make like less than 100 bucks a year and am really not savvy enough to know what’s getting collected by my web host, or when someone sends me an email from the EU. If someone fines me that amount, I’ll be dead. I’ll have to jump off a bridge and hope I can escape my mortal coil. That’s more money than I will ever have in my entire life. I don’t even WANT EU citizens to come to my website. But what can I do about it? I just have this art hobby for fun, then someone from Germany or whatever stumbles upon it and my web host grabs their IP address and I can’t delete it. Or they send me an email through my form to tell me “Hey I like your stuff!” and I don’t know they’re from the EU. And I don’t keep that email around or whatever…then what? I go bankrupt because someone has it out for small time creators? Cool I guess? Guess I gotta take down my website? This nonsense will kill people like me.
Any chance we can get some information from the DBA perspective? The trials of running a small business are interesting, and I have every sympathy, but I’m not doing that.
Richard – well, think through that for a second.
Who are you asking that question to? Does it sound like we’re doing the task that you want advice on?
Yar ok, just you’ve become my first call for DBA stuff.
Woohoo! Good to hear that. I wouldn’t wanna give you SQL Server DBA advice on how to tackle the GDPR though, since we’re not doing that on the SQL Server front ourselves. (I would feel like such a sham faker if I was doing that, and it’s sad because I see folks out there doing it – giving DBA GDPR advice when they’re neither DBAs nor personally preparing SQL Servers for GDPR.)
Nothing to do with GDPR Brent, but what’s the best way of removing a record from a ubiquitous CRM system please (backed by 2008r2)? The only built in option seems to be setting a flag to show dead records, but that’s not good enough for er me.
Richard – for answers to unrelated questions, head over to https://dba.stackexchange.com. As you pose the question, read Jon Skeet’s excellent checklist on how to write a good, answerable question: https://codeblog.jonskeet.uk/2012/11/24/stack-overflow-question-checklist/ Hope that helps!
[…] of this, some are considering if it wouldn’t be wiser to simply not service EU visitors instead. Establishing geoblocking through a CDN, such as Cloudflare, or using firewalls is an […]
A few remarks:
A backup is a tool for business continuity, not for archive. Your backup should support your recovery point objective. A backup window is normally short enough (4-5 weeks) that it is totally proportional and will be accepted as complying with the right to be forgotten. If you store data long term in a backup system, your design is wrong. You need an archive system.
Then if you provide paid service to an individual, you keep the data relevant to the proof of service for as long as your local law requires it, often 7-10 years, and you don’t have to delete it. No need to worry about that. Just scope what is needed and script the purge of the rest (like a mobile phone number, you would not need that to prove you fulfilled a contract) and that’s it.
Francois – the problem is that many third party partners like GoToWebinar give me backups that go beyond my RPO, and don’t allow me to delete them, and don’t allow me to even delete current data in a way that I can’t get it back.
It’s easy for you to say, “just change all the partners you do business with,” but read the post again – it’s simply not worth me doing that for 5% of my revenue.
I respect that, and I don’t blame you, believe me. You made a business decision based on a cost revenue analysis, it’s the basics, no one should blame you on that.
But on the other hand, as a European citizen, and while it’s sad to lose access to quality trainings, if you’re not able to control your own dataset, well maybe it’s good that I can’t give you my info 🙂
Francois – again, I can’t control the dataset when students email me things I didn’t ask for and don’t want. Seems some folks have a real problem with instructions and reading comprehension. No sense in me risking my business for folks who can’t read. 😉
[…] Online (online game), Super Monday Night Combat (online game), Unroll (email subscription service), Brent Ozar Unlimited (software supplier), Tungle (gaming software provider), and Drawbridge (cross-device identity […]
[…] Unroll.me is nevertheless not the only player trying to escape the new European regulation. For some, the date of 25 May has even become an excellent excuse to sign the end of life of projects or services that had been artificially kept alive for a long time (Microsoft Connect, for example) or that will stop offering their services and offerings to European customers (notably the case of the training firm Brent Ozar.) […]
Looks like you have huge problems with your data privacy! (if you are this afraid of normal good data privacy methods)
This is a huge tell-tale to all global users that your site is not secure and you are not reliable to handle any personal data.
Your statement is clear – WE ARE NOT SECURE
And looks like you can’t read the post. Later.
Oh… a EU brown-noser! Just like Brent said, you haven’t read the post.
We US citizens are concerned about privacy on and offline. No doubt. We have many nonprofit orgs in the US to help that. EFF. ACLU. Etc. Not a conglomerate of unelected officials without an inkling of international treaty law.
We US citizens don’t want a half-baked law from a foreign government without a treaty in place, signed by the EU president Jean-Claude Juncker and US President Donald J. Trump before the EU can legally prosecute US citizens over GDPR/Article 13. There is not.
Therefore, a GDPR fanboi shouldn’t be saying stuff like this. I hate the GDPR. It’s a badly thought out law that, if a bill were introduced in the Senate or House exactly like GDPR, would fail in committee, and wouldn’t go to the floor for a vote. The EU has no such checks and balances in place. This is why US (and some EU) citizens are protesting against this.
The European Union is slowly turning into the Fourth Reich. It’ll be WW3 before we know it… /s
(Can’t edit my comment… so addendum below.)
So… “GDPR persoon from EU”… let me clue you in to Amendment 11 of the US Constitution:
“The Judicial power of the United States shall not be construed to extend to any suit in law or equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State.”
That’s our law. We are not subject to Juncker’s edicts. Do Juncker and Trump have a treaty signed to permit the EU to prosecute US citizens, who are natural US citizens, who have no allegiance or citizenship whatsoever to the EU (like me, I’m a US citizen since 1977… since I was born)? If so, where is the proof? If not, please.
IANAL… I Am Not A Lawyer. I am, however, a Technician Class amateur radio operator, call sign KI5AUE, but I have a vanity call sign application pending… it will appear on the FCC ULS page if you search my call sign, and, yes it does have a ton of PII. To you EU people, the amount of info the FCC has on my license, which is all public info for any licensed ham on the FCC ULS, will shock you. But it’s okay with us. In fact, it’s useful. We know how to handle that info confidently if necessary. (e.g., name and address to send a QSL card)
Overreach is not a solution. You’re in favor of a law that hurts people who run websites for fun (like me) or for their livelihood, and not limiting yourselves to your own jurisdiction.
I’m through with this. GDPR sucks. I hope this law dies a fiery death.
73, and Brent, love your site,
[…] Unroll.me is nevertheless not the only player trying to escape the new European regulation. For some, the May 25 date has even become a great excuse to sign the end of life of projects or services that have been artificially maintained for a long time (we can mention Microsoft Connect) or who will stop offering their services and offerings to European customers (this is particularly the case of the Brent Ozar training firm.) […]
[…] (online game), Unroll (a service that helps with unsubscribing from email newsletters), Brent Ozar Unlimited (software supplier), Tungle (offers gaming software), and Drawbridge (cross-device […]
[…] Outside of the blockchain space, multiple companies have ceased offering their services to EU based customers, citing the overbearing GDPR as the key cause. Key companies include MMORPG Ragnarok Online, mobile marketing platform Verve and consultancy firm Brent Ozar. […]
A Business question please Brent, if I may. Should I share my (GDPR) code, leave out a bit, or keep it to myself? (With me only having one string on my guitar, i.e. not having another income stream.)
I don’t think I understand the question. I’m not sure what you mean by GDPR code?
Ah sorry yes, I wrote a quick data hashing proc. It’s probably lame.
Sure, write a blog post – those are great for learning exercises for folks who want to learn how to do that kind of thing. Even if you don’t like it, it’s probably interesting to someone!
GDPR is a big stupidity. It is almost impossible to be compliant, and compliance costs are very high, in terms of money, time, headache and business loss. Many small companies and also privately owned websites cannot support million-euro fines and will choose to close. Also, the internet advertising market will be hit hard, and as a consequence, a lot of sites that depend on this business model will close; this means that a lot of free online stuff and facilities will disappear. It is perfectly understandable in this light why a lot of companies and websites will ban European users, as they cannot be forced to implement GDPR, this dumb regulation that kills the internet. Europe, take your pills!
It’s pure and utter madness. Nobody wants this, except some bloodthirsty unelected government officials. I still don’t see how the already overstretched EU government will have time and resources to enforce this insanity on 1 billion website owners.
Hah, maybe time to hoover up best advice into a book, and borrow Brent’s old chest wig hah
Forgive me if this is redundant. I tried to read through all the comments before posting but there were quite a few. How are you handling excluding EU citizens that do not reside in the EU? As I understand it (my understanding may be wrong), the law protects all citizens regardless of their location.
Lj – if you’re on US soil, using a US credit card with a US billing address, and you’re an EU citizen, then you would want to contact your government or attorney to see what your rights would be. I wouldn’t want you taking legal advice from me, of course. Thanks!
Can you explain the math in your post? You said that 5% of your revenue comes from EU, and the maximum fine for non-compliance is 4% of the revenue. So even if you do nothing, don’t comply at all, and pay the maximum possible fine, you would still get 1% extra revenue. What’s the problem?
Chip – read it again. It’s up to €20M or 4% of your company’s annual worldwide revenue, whichever is HIGHER, not lower.
The problem is your reading comprehension. 😉
I foresee whenever you login somewhere on the internet, an email will immediately appear in your inbox, requesting you accept GDPR T’s & C’s or instantly be forgotten.
Much regulation in the EU is designed to do the exact opposite of what is publicly claimed and typical defenders easily make my blood boil (I hate stupidity).
* GDPR will protect you from companies using your data in ways you do not like.
What really happens: a few large companies will remain as the smaller companies that were not even causing problems are killed off through the burdens of over-regulation, with risks of draconian punishments.
The next step is that those fewer, now more powerful large companies will take control of the political process. Hey, now we have just set back the clock a full century and ensured the high-end part of society is not impeded by such frivolous concepts as privacy rights for the ordinary citizen.
Next: EU’s Copyright Reform Proposal “Article 13”
Here “links to news/media” and “uploads of media” are to be monitored and taxed in the name of copyright protection and to combat “fake” news.
In actuality, it will make any sort of reference (and your basic website link) a bureaucratic nightmare to deal with. It’s essentially unenforceable without automatically monitoring and fencing off everything, China style. But that never stopped regulators before and I suspect it’s what they actually want but cannot sell as such to the larger public.
Imagine a world without free internet and few sites to visit. Those that you visit, can cost an awful lot of money as they are essentially monopolists on a certain topic. Then what you see will be often designed to influence you and deliver paid for / state sanctioned information. Your brain shrinks to the size of that of a monkey.
The EU is run by globalists that care for no-one but their own little elite club, the internet and everything going on there is a threat to their established power. Expect more far reaching laws from the EU that essentially converts the EU into a modernized version of the USSR.
I applaud companies that say, screw this, let the people in the EU feel the pain of what these plans will turn into before it’s too late to revolt against it. You are doing the people of the EU a service in your own little way!
Aliens! I blame Aliens. Crop Circles and now …GDPR!
I geo-blocked the EU on my website alexatilbrook[dot]org with a WordPress plugin… found a list of EU member country ISO-3166-2 ccTLDs on GitHub (through Google) and I sleep better at night.
Anywho… this GDPR is a nightmare. This is overreaching and makes the EU an Internet cop now. It’s either comply with this draconian law or geo-block.
I can’t afford whatever fines the EU wants to levy on me in case I get a GDPR violation on my site. It’s much cheaper to geo-block with a WordPress plugin. (US$25 billion fine vs free WordPress plugin… you get the idea). I’m paying for my website 100% out of pocket, and so are you Brent Ozar… and while I don’t sell anything on my site (I offer a customized Ubuntu distro for download… but I don’t sell physical DVDs or USB sticks), so I agree…
Geoblocking the entire EU is better. Until the EU can get their heads out of the sand, I can’t face the penalties the EU might impose on a USA citizen. This is wrong. I have no EU citizenship, I was born in Pensacola, FL… and last time I checked, that’s in the USA.
Thanks for letting me get this off on your comment… and have a great day!
73, Alexa KI5AUE
I would like to thank the morons in the European Parliament for implementing this regulation, especially their fantastic knowledge of what the concept of “global” means, how stuff online differs from offline, that not everything is on paper, and hence limiting me, as an EU citizen, from choosing who I do business with. It’s like most of what the EU does, there’s a grain of a good point in the bottom of it all, but then they cover it up with bureaucracy and crap to the point where it’s just FUBAR. 🙁
I’ll be checking back here regularly to see if you’ve come up with a good way of handling it so that even we across the pond can take part of your buffet of goodies.
I also wanted to buy the Recorded Class Season Pass, with all the taxes, but i receive an error because of GDPR. I’m from Romania (East Europe), and I don’t care about GDPR, and really want to be able to watch the recorded sessions.
I know all the craziness with the GDPR – we are all in the same cloud, here in EU, cause each country understood in its way how to implement this. Here in Romania, all the companies are sending customers a document to sign that they agree for their data to be held by the company, and whenever they want their data to be deleted, they will delete it. That’s all. This solves this issue…
Please, find a way also for us in the EU…You have also in EU big fans, interested to learn..
If you read the GDPR, that definitely does not alone solve the issue. Good luck though.
First of all, great Black Friday offers and I was going to subscribe. Unfortunately I face the message that this order can’t be processed due to the high costs of complying with GDPR and VAT laws for EU customers!?!! You’re kidding, this can not be true. I read this post which makes some bit clear but I am very disappointed. Is there no other way, or can I not order certain items as an EU customer?
Frank – yep, that’s what the post is about. I was pretty disappointed in the GDPR, too. It’s really frustrating as a small business – there’s just way too much risk in there for me.
and with article 13 coming… internet is turning into shit thanks to EU…
Me too. I have found this site incredibly useful and really wanted the Recorded Class pass. Very disappointed that we can’t access it in the EU.
Maybe after Brexit the GDPR rules will change for us!
Thanks for everything and keep up the good work.
Next you will have to stop selling in California too. https://www.bankinfosecurity.com/californias-new-privacy-law-its-almost-gdpr-in-us-a-11149. Good luck. Seriously, you have capacity to optimize a billion row query to perform sub-second operations on a Pentium V but you can’t put in place a system with a few check boxes to sell to countries and states that want to protect their citizens/residents from companies exploiting their personal data!
Telmo – the proposed California law only pertains to companies that make over $25M/year, handle 50K Californians’ personal data, or get 50% of their revenue from selling personal data of Californians. I’m certainly excited for the day when we make $25M/year, but we’re not there yet.
(And I only WISH the EU’s GDPR had been written as fairly as the California law – that one’s so much easier to comply with.)
so, my subscription ran out and I cannot renew. This is extremely frustrating. Brexit (which I don’t want) doesn’t save me either. ?
Would it be possible to not send Black Friday offers to mail addresses in EU TLDs, like mine? And have you looked into partnering with an EU-based streaming company that could act as a reseller, taking over all the GDPR hassle? (I couldn’t find this in the answers, but then, my SELECTs don’t always work 🙂)
Great question – we’re looking at ways to do that for next year, but our email provider (Mailchimp) doesn’t have a way to do that right now.
Any changes on it? We are in GDPR and the world didn’t end… It’s so frustrating not to be able to buy a course. By the way, isn’t that falling under some antidiscrimination law?
Kate – no, I resolved to not revisit it for the first year. (And no, there’s no anti-discrimination law – if there were, it would have surely stopped the EU from implementing a law like this that discriminates against innocent sysadmins, ha ha ho ho.)
Are you serious? This has nothing to do with discrimination. Any competent federal judge or Supreme Court justice would scoff if the EU tried to force businesses to sell to citizens of EU member nations *and* be GDPR compliant. Nations do this all the time: they impose sanctions to penalize other nations for their policies/actions (e.g. human rights abuses/violations). Nations will even ban their citizens/businesses from doing trade with certain other nations. From what I understand, Brent Ozar’s decision to stop selling to EU customers was not intended to penalize the EU (or citizens of member nations), but simply looking out for his business interests (mitigate legal liability and eliminate hassle of being GDPR compliant).
Perhaps your best bet is to submit a complaint to your MEP regarding the excessive allowable fines and requirements of the GDPR.
Thinking that you have good reason to discriminate against someone doesn’t make it less discriminatory. Someone else doing it doesn’t make it less discriminatory either, and it is a really crappy excuse to do something wrong… Sadly neither matters in this case. As much as GDPR is a pain to implement, it has the right reasons behind it and we just need to wait for the rest of the world to catch up on it 😛
Sure, we’ll be right behind you. Go ahead and finish up that nice job on Brexit first. We’ll be keeping an eye on you. Good luck!
oj, I’m not pointing fingers at your recent choice of president… as for Brexit, there is still hope…
Kate: although the reasons for the GDPR have their merit, the way it has been implemented is an abomination. And I can go on for quite some time about Brexit, POTUS and GDPR… but I have a more important question for Brent: If someone from within the EU were to draw up a business plan to act as reseller for your online courses, would you be interested?
Gerald – no, not at this time, but thanks!
My life is over…
Are you still not selling to EU companies? I get not doing consumers as it’s a hassle but GDPR doesn’t apply to companies. I saw the comment from Black Friday last year saying you were going to look into it for this year.
Steve – correct, everything in the post still applies. I’d love to tackle it as a project at some point, but it’s a relatively expensive project for me, and it’s not worth it for the 5% of our revenue – I could spend that same effort & money on other projects for our 95% base. Sorry about that!
We have a USA arm I could register and pay this through, but it would be 2 EU citizens attending. That ok?
No. Thanks for understanding.
Should be able to access the site through a US VPN to get around the GDPR bullshit.
Good luck finding a VPN credit/debit card
So in the end, about the Black Friday offers 2020 (specifically Level 1 Bundle) – what can I get being an EU citizen and what will not be in the Bundle based on the GDPR legislation?
Thanks for the reply
We have no plans to sell to the EU at this time, as I wrote in the post.
Brent, any chance you might reconsider this, please?
I’d wager there’s far more than 5% of EU folks 3 years down the road that want to pay you + there are numerous e-commerce platforms out there these days that are GDPR-compliant with little to no added effort needed from the merchant’s side.
No, as I wrote in the updates at the bottom of the post. Thanks!
Thanks for all you’ve done so far and I look forward to your return to the EU\UK marketplace.
I’m not sure what ‘Brexit’ – as you mention – has to do with the EU’s new draconian Cross-border VAT e-commerce regulations. This bureaucratic move was in the planning by Brussels already three years ago. It has nothing to do with the UK leaving the EU but everything to do with the constant socialist tax obsession that the EU has, and it also affects other EU countries. In fact, it’s all these draconian rules that made Britain want to leave the EU in the first place. Trading with the UK should therefore not be a major issue since EU rules no longer apply, and if I recall they are now removing the GDPR requirement.