>because it's based on principles rather than hard rules
They tried hard rules rather than principles with the cookie laws, and companies around the world turned a good idea into a shit-show of popups while continuing to behave like nothing had happened.
Honestly, the more I read and the more I see how different businesses react, I start to view the GDPR as the EU finally showing that it will not accept businesses viewing it as a second-rate legislator.
The GDPR and the reactions to Trump's policies show an EU that is finally starting to behave like it's representing the best interests of 500 million people.
95% of my GDPR work has done nothing for actual privacy. If this is how the EU "represents the best interest of 500 million people," then no thank you.
A lot of "GDPR work" I have witnessed recently has been totally useless, and frankly I'm still not sure I understand the tortuous paths some have chosen to follow.
I think a lot of that is down to decisions taken by US-based management that is simply clueless about how law works outside the US. And probably also only got their information from US-based lawyers that were either as clueless as themselves, or had incentives to make everything look very complicated.
On the other hand, most of the companies around me that have no links with the US were not particularly worried, and either consider that they are already compliant, conducted minimal work to be acting in good faith, or at worst are waiting for the regulatory body (CNIL here) to tell them what they are doing wrong, if that is the case.
However, I don't know any company that does shady things with their users' data, and things might be very different for those.
I think you are mistaken - the amount of effort big companies are putting into this certainly has already improved privacy significantly - and it's just the beginning!
Can you elaborate please? And what about the other 5%?
I mean, if companies cared about privacy in the first place, there probably wouldn't be the need for such a regulation. At the very least, GDPR will get the general population to be conscious about what the hell is going on under most websites.
Most of the costs of this (so far -- we'll see how it goes with subject rights; I have already spent several hours working on a right to erasure request that was so confusing it will take a number of additional hours just to untangle and document) are learning the regulation (not privacy, but the regulation itself -- very different), doing documentation (the largest cost by far), and holding customers' hands. The last 5% wasn't all that meaningful; a few assorted things, like one of our S3 buckets that was storing encrypted backups of non-sensitive data with no expiration, and it got noticed during GDPR prep. It would have been noticed anyway (probably even before now).
We've also lost customers (including a contract that would have been our second-biggest) because our competitor is either lying or doesn't know anything about the GDPR, and has convinced customers they're compliant. Their story sounds easier than ours; "We're in the EU, so we're compliant" as opposed to "Hey, you need to sign this DPA with us to be compliant."
And no, many companies already did care about privacy. Companies are not faceless villains -- they're made up of people like you, assuming you have a job, and even aside from not wanting the bad publicity of a breach or misuse, most people want to use data correctly.