GDPR: the good, the bad and the struggling

What’s the thing with the GDPR? Here’s the situation in a single tweet:

(Of course, that’s utter nonsense. The Nigerian Prince will be fine with you sending him consent in June, July or 2020 or whenever.) But why this sudden hubbub about the acronym GDPR, which causes all those spam-like messages asking you to click somewhere to receive more spam-like messages in the near future?

Say Hi to the General Data Protection Regulation of the European Union, which is in place since quite some time but starts to become enforceable on May 25. In a nutshell, what’s regulated is how corporates have to deal with personal data in our digital world. It’s still a bit rough and undefined on the edges, which leads to messages like this:

Screen Shot 2018-05-11 at 17.01.02 Yes, everyone is a bit late in the game (due to lack of clear specifications), some lawyers and consultants are making a killing, some tech and product teams loose sleep and weight.

The weirdest approach I’ve seen so far is this,, presented by all means by a German company.

Screen Shot 2018-05-11 at 17.08.19

How does it work? Simply paste our JavaScript snippet into your website’s code. We’ll check every visitor of your site and will block access to users located within the EU. 

Uhm, Ok. Sounds legit. As long as their JavaScript can verify the citizenship of an anonymous Internet user. I’m honestly still unsure if this is a totally bonkers snake oil scam or just very nerdy satire.

What’s the real life impact of the GDPR? For users, it mostly means that your data might become a little bit more safeguarded. Less sloppy sharing of unprotected Excels with medical information. Less handovers of personal information from A to B to Cambridge Analytica. Your data will still be floating around like crazy. But the crazy will become a little bit more contained.

And what’s the impact on business? If you listen to some startup gnomes, the world of European innovation is coming to an end. How can I build the next Facebook, they ask, when the EU puts out a privacy regulation, which doesn’t end with “and if you don’t listen to the regulator, you won’t get any free avocado toast for lunch for the next 14 days”? Instead, some bad hombres in Brussels came up with the following maximum penalty:

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of …

That’s quite a statement. Applied to Facebook’s 2017 revenue of 40 Billion USD, the maximum fine would be a staggering 1.6 Billion USD. Which explains why a) FB moved their non-EU international user base out of Dublin and b) why there won’t be a European Facebook-clone replacing Facebook: the Zuckerberg-machine is munching through personal data like a 1978 supersonic Concorde is guzzling kerosine and has a history of approaching privacy with quite some laissez faire-bravado. Taking on this juggernaut by playing even more loose with user data has never been that winning an option. Now it’s completely off limits for European Entrepreneurs.

But does this mean the GDPR will really kill Europe’s still nascient digital business world? Actually, to the contrary. Think about it: if you run an international business, do you really want to exclude the citizens of the second largest economy (after China) from your potential market? Most likely not.

With a GDP of 19.9 Trillion USD, the EU pulls quite a bit of weight. But if all others, with a combined GDP of 127 trillion USD will continue to play loose, will Europe not become a digital pipsqueak, hopelessly left behind, while rainbow coloured unicorns start grazing all over the globe?

Actually to the contrary. Nassim Nicholas Taleb explains the mechanism quite nicely in his essay The Most Intolerant Wins: The Dictatorship of the Small Minority.

A Kosher (or halal) eater will never eat nonkosher (or nonhalal) food , but a nonkosher eater isn’t banned from eating kosher.


Someone with a peanut allergy will not eat products that touch peanuts but a person without such allergy can eat items without peanut traces in them.

That’s the whole secret. And it has major implications.

Now consider this manifestation of the dictatorship of the minority. In the United Kingdom, where the (practicing) Muslim population is only three to four percent, a very high number of the meat we find is halal. Close to seventy percent of lamb imports from New Zealand are halal.

The same applies to the GDPR. Don’t forget: in an international business, regulatory compliance is already quite a tricky beast. And if you start out with the lax American standards, some things won’t even be OK in next-door Canada. But if you design for compliance with the most demanding environment, you’ll be quite fine, out of the box, pretty much all over the world.

You may call this approach Europe First. But instead of a coal-fired America First, it’s actually an open source protocol. Everybody can use it anywhere for free, no strings or localities attached. You don’t have to be in Europe to be GDPR-compliant. Your user data doesn’t have to be in Europe to be GDPR-compliant. Not even your users have to be in Europe. But if they are, you better be prepared.

View at