Hacker News | tooba's comments

Rainforests might disagree


GDPR protects individuals 'natural persons' and not businesses 'legal persons'

Recital 14 - The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.


At least in German jurisdiction there is the viewpoint that a law should also be applicable to a legal person if it indirectly affects a natural person behind it (so-called "Durchgriffstheorie"). In other words, the GDPR applies when it comes to protecting the natural persons behind the legal person, including their economic existence.


Recital 14 of GDPR is the relevant wording

"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."


"should"


Nope.

Article 3(1) of GDPR "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

Recital 14 of GDPR "The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."


Thanks for that, looks like the company was just breaching then!


You can decide not to allow EU citizens to use your service. However, the EU has a population of 508 million citizens. It's the largest population in the world after China and India. GDPR is a genuine attempt to balance the rights of data subjects against ever-advancing technology. You'd be excluding yourself from one of the world's largest markets on the basis that you don't want to protect your customers' rights.


Subject access requests have existed for twenty years in the UK. The Information Commissioner's Office provides free guides on how to request data. Most people aren't aware of their right to do this. Organisations can charge under the current legislation but often don't.

A lot of organisations forget to discuss the scope of a subject access request. If you imagine an employee at an average company, an undefined subject access request can include months or years of pension contributions, internet and email logs, training records, meal choices for their end of year party... if their issue is a recent performance review, the scope will often be email chains or HR documentation relating to that. The incentive for them is that they can often have the data they're interested in within a short space of time rather than wait longer for pages of data they've got no need for. If you do this, make sure it's a genuine conversation with them and it's documented as to the scope they agreed.

Remember that the right to be forgotten isn't an absolute right, especially where you're relying on a basis other than consent. If you ask your employer to erase all data about you, they'd have an argument under 17.1.a. to argue that it's necessary to keep that information in order to pay you. Nor can you ask the police or tax office to erase your data.


In that instance it's not always the case that SaaS will default to be a processor. GDPR describes a controller as 'which, alone or jointly with others, determines the purposes and means of the processing of personal data;'

Where a SaaS provider steps into more complex analytics or has some freedom in the process, there's an argument that they're joint controllers and bear those responsibilities. The difference between cloud and on-premises is that you're actively processing personal data in SaaS.

In many cases, the processor/controller relationship will be correct. But GDPR is focused on active compliance so it's something which should be actively considered and documented.


I've spent time on the opposite side of the fence as someone who buys and manages enterprise IT solutions.

Process maps even at a high level are a good start to decide where you can add value in the quickest way. But make sure you question the business process and whether it's effective before just implementing technology around it.

In terms of project management, something like the Scaled Agile Framework (SAFE) will work in an enterprise environment if you're from an agile background. Minimum Viable Products work well in enterprises but it's often a huge mindshift for enterprise customers who think they need every feature.

Charging by day rate is your best option. Enterprise IT projects will generally overrun and scopes will increase. If you're charging by day, you're protected from scope creep.

Make sure you've documented what you're doing clearly and you've got a strong contract. If I need to challenge an IT supplier over what's been implemented, and I often do, the contract is the first place I start. A good contract and clear expectations are a positive thing for both parties.


Very helpful, much appreciated. I was worried about scope creep. Day rate sounds helpful. MVPs make total sense too.


Adidas and Burberry are separate companies. Burberry is registered on the London Stock Exchange. Adidas is based in Germany. The page you're looking at refers to watches manufactured by Fossil under those brand names.


Thanks! I didn't know that!


I don't get the market estimate where you include the guests. It seems like you're treating each wedding as an independent event. I'm attending two weddings in the next month. Are you counting instances as the same person at different weddings as the same person?

Otherwise, the presentation looks amazing and it's interesting to see a company be so open about their deck.


Counting each guest-visitation as a separate instance makes sense to me.

On one hand, the hosts will provide certain things for each guest. Invitations, individual decorations, etc. It's not like Rose & Billy can skimp on their flower budget because Marcie & John had nice bouquets at their wedding last month.

On the other hand, each guest will bring their own gift. In case of a themed wedding, they will probably buy something for that specific occasion.

