The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.
This is an incredibly expensive regulation to comply for most small and medium companies not because they're doing villainous things with the data, but because learning this law and then documenting your compliance for this law is ridiculously expensive for many types of businesses.
Your comment came off a bit combative against me vs. the idea I'm trying to argue. Perhaps I didn't make my point very well.
Lets swap GDPR for PCI compliance, which has a new standard (or fully implemented standard, if you may) coming soon. PCI deals with credit card information.
My relevant background allows me to make a few assumptions:
1. If you are in the US.
2. AND you have visited a Quick Service restaurant in the last five years (think Subways, Chipotle, etc.)
3. AND they use one of the major POS (point of sale) providers.
That your credit card, name, expiration date, and CVV is in plain text.
You may know the GPDR very well, as it is your job and you are most likely very qualified for it. And yes, there are probably lots of nuances to this law. However, thats every single law there is, every standard, guidelines, etc.
I'm not entitled. I am, however, a realist that understands that you just have to comply. Taking two days to read the 88 page PDF will make you more familiar then most. It might not make you an expert but for a small to medium sized business, it would give you the necessary tools to comply with majority of the law.
Quite frankly, I don't have a bunch of lawyers and I do have to implement GDPR. Will there be an official review? YES. There will be folks who know more then I and are professionals to double check my work. But I can't tell my stakeholders "Sorry, We can't do that because its just too tough". That seems entitled...
Remember that this is EU, not USA where anyone can sue you for anything. If you feel a company is not complying with the law you can complain to your national agency who will follow it up. If the company don't comply after getting a warning the agency can bring the case to court and the company get on trial
The problem with selective enforcement is you may be treated nicely until e.g. your founder takes a political view a European politician disagrees with.
The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.
This is an incredibly expensive regulation to comply for most small and medium companies not because they're doing villainous things with the data, but because learning this law and then documenting your compliance for this law is ridiculously expensive for many types of businesses.