On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:
Actually, GDPR specifically requires processors to include statements of compliance right in their contracts; we also strongly recommend that controllers insist on indemnification clauses in their contracts with processors, because if the processor screws up and there is a breach, the_controller_ can also be held liable, and the financial penalties in GDPR are very stiff.
Good luck getting multiple millions worth of fines out of small businesses that never even touch a million a year in revenue, let alone the added expenses of trying to do all the crap GDPR thinks everyone can suddenly afford out of nowhere.
~Seth
