by lmkg 3033 days ago
I presume you're talking about things like informing users how their data might be used, storing user data securely, and not selling it to third parties. That sort of stuff is relatively easy.

The GDPR imposes some new requirements that were not previously part of any privacy best-practices that I'm aware of, and that create some system complexity. Chief among these is the right for users to retract consent after it has previously been granted. This effectively requires processors to be able to delete individuals' data from their records, something that was not a design requirement of many systems. This becomes increasingly more difficult as user data has often been aggregated, and joined with other data sources.

Another key differentiation of the GDPR compared to previous legislation is that it applies not only to data that identifies a person (such as by containing a name or social), but to data that could in theory be linked back to the user through a common identifier. Previous best practices have considered the user's privacy protected if they were identified through a hashed email or an opaque database identifier, but the GDPR does not consider this sufficient anymore.

Thanks for the details! I can see how this could get costly for complex systems. As a user, though, I would think all those things you listed would be existing privacy best practices, but I guess that's being way too optimistic. Scary what companies are currently getting away with, too, but not surprising.

I think you're right in that those things would be (or should be) considered "privacy best practices", but, unfortunately, most companies don't have "following privacy best practices" all that high on their list of priorities.

It's not even malicious; in the absence of regulation to the contrary, companies -- especially companies still in search of a revenue model -- have an incentive to collect as much information as possible.