GDPR as Barrier to Market Entry?

Tim Cook's embrace of the EU's General Data Protection Regulation (GDPR) is a major development. All of us in infosec need to pay attention.

But Cook's privacy vision challenges organizations, large and small: How in practice does any organization actually comply with GDPR's vague standards? GDPR's principles are easy to express in a speech on stage. But they are difficult to understand and apply in diverse organizations on a day-to-day basis.

A substantial step any organization can take is to appoint a chief data protection officer (or something like that). But the appointment and genuine support of a DPO entails a great deal of work by policy and legal professionals.

What Cook does not acknowledge is that it is relatively easy for trillion dollar company (Apple) to throw armies of lawyers and policy wonks at the task of privacy "compliance."  But it is much more difficult for smaller and start-up organizations.

Vague privacy standards can become a barrier to entry into the market. If small organizations lack the bureaucratic resources to debate and evaluate privacy day-in and day-out, then large corporations have a new competitive advantage. When Apple started in garage it could not afford a team of wonks and lawyers to evaluate and document privacy compliance. Apple is different today.

I do not question Tim Cook's sincerity or good faith.