An item-lending website shut down for good due to its creator’s fears that the General Data Protection Regulation (GDPR) imposes too much “uncertainty and risk.” The shutdown demonstrates many of the security challenges and concerns many small businesses across Europe could face with the implementation and enforcement of GDPR.
In April 2018, Streetlend.com founder Chris Beach decided to shut down the website after five years of operation. He said he made his decision due to GDPR’s creation of “uncertainty and risk that I can’t justify taking.”
“GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops,” Beach wrote, as quoted in a farewell message posted to Streetlend’s homepage. “The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.”
Streetlend was a service that enabled neighbors and friends to share items like ladders and drills with one another. Users had the option of loaning out their items for a daily rate or letting others borrow their tools for free. The website also worked in affiliation with Amazon by showing ads to users for items they could purchase. When members opened their wallets, Amazon shared a portion of the revenue with the lending service.
Beach kept his day job while managing Streetlend. The site never became profitable, but he made enough to pay the bills and keep the site running. Even so, Beach felt it wasn’t enough to save the site from GDPR, what he describes as one of the latest “poorly-implemented laws that add complexity and unintended side-effects for businesses within the EU.” He went on to say that the Standard hurts small businesses while helping to “reinforce the dominance” of tech giants like Twitter and Google.
Not everyone fully agrees with Beach’s assessment of GDPR, however.
Jan Smets, data security expert at Gemalto, is a certified data protection officer. He spends much of this time now advising small companies on how to handle the requirements of the GDPR, so he knows a thing or two about how SMBs are working towards compliance, including the fact that some SMBs do have a disadvantage when it comes to their size.
“Corporate enterprises have a good understanding of the requirements and the resources to comply, so there’s no lack of understanding there,” he explained. “However, small companies have different pressures and not necessarily a specific individual or team dedicated to IT related tasks, so yes, there is still a lack of understanding. These small businesses have a ‘fight or flee’ approach. Some are too scared to address it, so they freeze in panic. Others see the issue as too complex to deal with, so they leave it.”
Like all other organizations that handle EU citizens’ data, he noted how small businesses should take the fines built into GDPR seriously. But he was careful to point out that businesses should not close down merely because of the threat of those penalties. He said they could effectively manage their compliance with GDPR by doing the following:
- As a business owner, find funds to hire a consultant to get proper advice. For non-profits or businesses that can’t find funds, find a friend that can help get to the minimum threshold.
- Treat customers’ data seriously. Consider the impact of losing the information, then take steps to protect that information against data thieves.
- Get some advice and guidance from some general resources that are available before considering what’s appropriate for them.
- If they have a database, send an email asking their contacts to opt-in. They can’t do this after GDPR takes effect on 25 May.
On a parting note, Smets said that GDPR represents change. Some businesses will work to comply with the requirements and succeed because of it, he explained, while others will fail and suffer the consequences. To make sure they fall into the former group, businesses should make sure they understand the GDPR compliance requirements and take steps to meet them. Gemalto can help get them started. Learn how Gemalto can help businesses identify the key aspects of GDPR and what steps to take to address its requirements.