The GDPR may be a pain in the ass to properly implement, and certain parts of it are a bureaucrat's wet dream, but it sets the right incentives. If you read the general rules, it's just common sense: Only keep what you need, take as many steps to secure data as you can, tell users proactively what you'd like to do with it, ask for their consent, and delete whenever they request it.
It all sounds like lots of additional IT work, and it is (I spend a lot of time in our company to try and improve). But it only seems like a hassle because we went for so long without doing it right.
There must be a way to let human dignity be the lowest common denominator for shareholder value…
I like this description of having major problems with GDPR as usually either being because you actually are abusing people's data, or because you've run up a huge pile of technical debt related to data handling: https://reddragdiva.dreamwidth.org/606812.html
No, one cannot just comply with the "general rules" of GDPR, you have to comply with every last letter of the considerable legal legislation. The fact that the rules can be generalised to a reasonable few paragraphs is meaningless.
That's just not true. I've consulted with a few privacy legal agencies and spent a lot of time evaluating the law. Some sections are even worded in a way to allow wiggling room for prosecutors, or require good will on your part. What would even be supposed to happen if you weren't "compliant"? In the end it's always about specific kinds of misconduct, and that means fines. The amount of a fine depends on the severity of the misconduct. The GDPR isn't different at all from other laws in that regard.
If you're found to be in breach of the GDPR, the severity of the breach as well as the amount of negligence or malevolence on your part is taken into consideration to decide on the fine. The prosecuting attorney also doesn't have to actually fine you if it's clear you put in effort and acted in good will.
For a concrete example, a startup usually isn’t required to provide a fully fledged data deletion policy, but if you cannot roughly outline how you intend to handle people’s requests to delete their data, that doesn’t look good. If you don’t even have some sort of privacy policy on your website, that looks worse.
Nobody can implement the GDPR 100%. But you can try to handle data responsibly, and if someone discovers you don’t and you try your best to fix the error (which is on your part, mind you), nothing draconian is going to happen.
And we’re still talking about basic respect towards your users or customers here, it’s not like someone asks something ridiculous of you.
Perhaps regulators in different countries take different attitudes; in the UK, it's very soft-touch. Only the most egregious, repeated flouting of the regs attracts a penalty.
As far as I can see, the Irish regulator is even softer; you could be mistaken for thinking that the Irish regulator's job is to make sure that US tech companies don't move their server sheds away from Ireland.