My problem with the GDPR is the EU can't even be bothered to tell us what it is before the effective date. And the GDPR itself is quite vague; lots of balancing tests and blah blah with very few guidelines on what those mean in practice. So where do the guidelines come from? Funny you should ask.
Consider the ICO -- the UK privacy commission -- has been promising final GDPR guidance for perhaps half a year now, and instead are sitting around with their thumbs up their asses waiting on the Article 29 Working Party final guidance. The Article 29 Working Group held comments open until 23 January 2018. Some unknown amount of time later, that working group will finalize, and then some unknown amount of time later, the ICO will issue their guidance.
But don't you worry, the ICO plans to offer no grace period to us!
How the hell organizations are supposed to be ready by 25 May when they may receive final guidance in late February is a hell of a question. Realistically, considering the ICO's adherence to deadlines so far, they're gonna deliver their final guidance promptly for May 2019.
I'm essentially assuming users will be hit with a blizzard of opt-in dialogues.
One of the few things in the GDPR that will have impact is if you use consent as a legal basis for processing, everything has to be default opt-out.
While I largely agree with you, for the most part enough guidance has been available that many companies have been preparing to handle GDPR. They should have done a far, far better job with this but it's not entirely a "We won't know anything until late Feb" kind of thing.
That's true, however, there's no fixed limit to the possible distance between draft and final guidance.
Say you have a large marketing database and you're trying to figure out the nuances of consent. Or you are a large bank and run on a fidgety mix of consent and legitimate interests. Three months is nowhere near enough time to get everything finished.
To be fair, it isn't really ICO's fault - the government has never wanted the ICO to be really effective, judging by the UK laws the ICO was given to work with, and the laughably tiny fines they can impose. Wouldn't surprise me if they're underfunded and stuck in the Brexit mess, never mind that the GDPR will come into effect soon.