by outsideoflife 3045 days ago
General compliance advice

1) Act in good faith. DPA fines seem to have been to people who had a blatant disregard for data protection and their customers, not those who tried hard but committed some technical breach.

2) Whenever new rules come out there is a long period of interpretation. Unless you are in a very high risk category I wouldn't 'throw the baby out with the bath-water' in the interim.

3) Documentation wins court cases.

4) Personally I was already trying not to have my data stolen, so I am not overly concerned by GDPR. I am updating some policies, employee handbooks and terms. I will watch how other companies deal with it before I act too rashly.

1 comment

The most important bit that you can do that is actionable and that will not be open to interpretation is to have someone competent write a clause into employment contracts regarding data confidentiality, to put in place a protocol on how to deal with various levels of breaches, and to review your site's privacy policy to ensure that it is still applicable (this is something you should be doing regularly anyway).

On the whole I think your approach is a very balanced and reasonable one, especially the 'act in good faith' bit. What surprises me is that plenty of companies explicitly do not act in good faith and try to interpret the directive creatively so that they can continue to do what they were already doing without modification. That's asking for trouble in my opinion; some companies in that bracket will find themselves in the unenviable position of being used to educate the rest.

Especially in adtech and marketing there will be a lot of tension between business goals and the law as written, and the finer you want to ride that line, the more important it becomes to have competent guidance.