As a top engineer of a EU headquartered company, I can be one instance of saying this was not true of us. We started our preparations almost a year and a half in advance of the March 2018 deadline. Once we engineers and our GC were done interpreting the extent of what we believed we needed to do and the resources to do it, we were basically ordered by the CEO to do as little as possible as late as possible, automate as little as possible, and just wait to see if anything came of it. I left the company a few months after GDPR-day so cannot say how it worked out, but it was the CEO’s company and his choice to do it in a way that it then became my responsibility to implement.
Compliance/legal is a company risk and as I indicated in the challenger article here a few days ago, as an engineer I can advise on hat the risks are and the potential consequences of bad outcomes, as well as the costs to reduce them. The business decides what level of risk to take. I personally would have preferred a robust response to GDPR and thorough internal procedures, but it was not my call to make.
Of course, I personally believe that we humans should own our data and digital footprints, so I agree with a lot of the concepts behind GDPR and CCPA even if I do not agree with all and as an engineer may think some are ... silly/overzealous/misguided or what have you. Case in point: the IP tracking discussion above. If I hit your network, thats on me (barring externalities or bad actors, etc.). Retention periods and use definitions are fine, but a requirement to treat it as PII or other super sensitive data seems a bit much to the engineer in me.
Yes, true. In the end it comes to business decision. My focus on devs is mostly because it's devs who comment and complain on HN, so my comments are mostly geared towards them.
It's true, businesses (or people who run them) will in the end judge the direction where the company will go, and their judgment is often worse that that of developers.
So yes, I would replace "devs" etc. with just "companies" in my comment.
Compliance/legal is a company risk and as I indicated in the challenger article here a few days ago, as an engineer I can advise on hat the risks are and the potential consequences of bad outcomes, as well as the costs to reduce them. The business decides what level of risk to take. I personally would have preferred a robust response to GDPR and thorough internal procedures, but it was not my call to make.
Of course, I personally believe that we humans should own our data and digital footprints, so I agree with a lot of the concepts behind GDPR and CCPA even if I do not agree with all and as an engineer may think some are ... silly/overzealous/misguided or what have you. Case in point: the IP tracking discussion above. If I hit your network, thats on me (barring externalities or bad actors, etc.). Retention periods and use definitions are fine, but a requirement to treat it as PII or other super sensitive data seems a bit much to the engineer in me.