Oftentimes reading here on Hacker News, users are quick to point out in the comments under an article announcing a new site or service how things are "definitely not GDPR compliant," but I anecdotally see no major changes being implemented. If sites and major corporations are so often out of compliance, why hasn't enforcement happened yet?
One thing I noticed (and I've worked with several companies to make them compliant) is that many non-tech companies finally see data as something to pay attention to. GDPR forces them to know what data they collect and store, enabling other initiatives. Those can be to finally improve data quality (as you'd otherwise have to expose invalid data to clients), better customer service (self-service) and data analytics.
I'd say, for the companies I've met the cost they had with GDPR had a pretty good ROI even if there was no enforcement of GDPR. Not all companies see it that way, though.
Enforcement is happening, though unfortunately I don't have an actual source on hand to show you.
Anecdotally, I enjoy being able to finally tell companies to forget me and stop sending me spam. It has actually worked very well for that. I also enjoy being able to report companies blatantly and maliciously infringing on my rights, because it finally makes me feel like maybe I'm not just some cattle to be exploited for someone else's benefit.
Another benefit of having the right to be forgotten is that I (hopefully) won't pop up in so many future data leaks. I've been fortunate so far that nothing serious has ever been leaked about me, and I've insulated myself well from leaking passwords because I use a new random one everywhere. I do however know a few people who have been burned this way and subsequently become the victim of identity theft. Being that the police lack incentive and ability to do anything about this (I know this from personal experience; I do not live in a third-world country or even one that is moderately poor), the only cure for this problem is prevention. It helps me to sleep better at night knowing this risk has gotten smaller.
Nope, since this is a GmbH, they don't need to publicly disclose their numbers. But I read they have about 4 million members.
I agree on 20k not being very much given the circumstances. However this is the first time that a company had to pay for a thing like unhashed passwords at all. So I guess it's a step in the right direction.
I know we've lost business because of it. We're a US company but a lot of our customers are gigantic multinationals and becoming fully compliant would reveal some IP that would be disastrous if it became public.
How would that happen? Companies don't have to provide all data stored about users if they have valid reasons not to do so. If certain elements could expose IP, this should be a valid reason. And most data can be reformatted to not expose any internal structures.
It's honestly the first case where I heard that and I've been working with companies to become compliant since the start of the year (many still struggle to be fully compliant). Could you elaborate a bit?
You are not obligated to provide the data in the way it has been structured at your company. You are obligated to provide it in a machine-readable format, and that is where the provisions end. It can be any format you want and can contain the information in any way that you like, as long as it's all there.
Perhaps there's a score or some other proprietary statistic that is technically user data but is not surfaced to the user. If the score is a function of other pieces of supplied user data then perhaps they're worried about leaking a proprietary formula.
This is starting to sound a bit thin, so I'm not really sure what this guy is talking about.
What I still don't understand is how companies like MaxMind (basically a fraud rating based on IP addresses and some other criteria that is mixed together) or the German Schufa (credit rating) are still able to operate under GDPR. But in general I feel the idea and effect it had is a good thing even though the days before it went live were plain ridiculous.
Some US websites just plain refuse to serve me content just because I'm in Europe.
On the other side, when something goes wrong, shooting an email citing possible GDPR infringement is now mostly enough to get an answer from a real human being.
So quite frankly, I see this as an overall positive thing.
Any company in violation will be given the chance to make themselves compliant before fines are levied. The fines were never going to start right away.
I think that currently the serious consequences are the number of businesses that expended huge amounts of cash and time to getting towards compliance. It has focused every business on the data that they generate and keep. Overall, the main consequence that I see currently is that almost every business has some idea about GDPR and your data. Surely that is the largest consequence?
I am pretty sure that for the amount of savings most companies can make through removing data retention, working out what data to remove is far, far more costly.