[ozim]

I wonder which ones specifically? I am reading into it because I am onto implementing it in our small company.

Everything is as in citation from GDPR:

"Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes ... implement appropriate technical and organisational measures ..."

[Matticus_Rex]

1. Most things fall into this category: Lack of clarity in the law (and a remaining lack of clarity from WP29 and the Commission) about dozens of issues. The Privacy Professional community has been proactive about trying to get info on a lot of these items, but there's just not much coming, and in a few cases what has come out has either departed from what seemed like more obvious meanings or in some cases has muddied the waters further.

2. The essential ban on offering services, downloads, etc. in exchange for consent to use data reduces consumer autonomy and will decrease the availability of free resources.

3. It will be extremely easy to use SARs maliciously, and the law includes NO check whatsoever on this. All it would take to cripple many SMBs is for some jerk to spin up a website that provides a nasty SAR template (that the users don't even realize is such a burden) that random people on the Internet can auto-send to every business they've ever used under some innocuous-sounding reason like "See what information businesses have on you!" 99% aren't using data against subjects' interests, so the net effect of this alone (in the way it is designed) is potentially-immense costs for small benefits.

As a recommendation, the $250 my company spent on buying me a membership to the IAPP has been one of the highest ROI decisions in recent memory. It has saved me a ton of time and effort (and the company quite a bit of money) from the member resources available, and the members listserv is essentially free light consulting from people who have already dug into everything.