by HenryBemis 2973 days ago
I am currently working in one of this multi-$bn companies. They run/are preparing GDPR.

So far I haven't found ANY person who has read the full 80 pages. Everyone is asking everyone else, they download whatever presentations they find on the internet, but NOT ONE has bothered reading the damn thing.

It will be a massacre for many companies, only because very few do their homework.

4 comments

Having engineers read and interpret regulation personally is not a remotely sane legal risk management strategy. Read the thing on your own time if you're curious, but the engineering work should start with specialized outside counsel/consultants and percolate down to engineers as company policy via the CTO.

You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.

> You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.

Is that a bad thing? The vast majority of regulations exist because someone's "critical thinking" went too far in the name of profit.

>The vast majority of regulations

Your mistake is assuming that the idea being sold internally under the heading "compliance" is required by, or even tangentially related to, an actual regulation.

I have a theory about this. It's a kind of intentional incompetence. You won't get praised in an organisation for implementing GDPR because it is seen as a cost. In some cases it is even restricting revenue (or at least making it more difficult). By only having a surface understanding of the issue, you can intentionally misunderstand it while later having a plausible excuse. When/if you have a big lawsuit directed at you, you can blame the summary websites, consultants, etc. for being insufficient. Indeed, you can blame the GDPR for being "too complicated". "Even the experts got it wrong".

But if you read the law, claim to understand it and don't implement it properly, you are screwed. It's just another case where savvy managers are avoiding personal risk at the expense of corporate risk.

I'm going to add this syndrome to my growing list of "odd psychology in the software business" articles to write some day.
The damn thing is more abstract than poetry. It's indicative that all these months, I have not seen a single article / presentation that provides a concrete example of how to shield a website.

The law is completely readable by non-lawyers, IMHO. It's one of the better written laws I've seen. But here's a website by the UK government that explains what all the terms mean and exactly what you have to do: https://ico.org.uk/for-organisations/guide-to-the-general-da...

There are 28 member states. Under some circumstances, a company headquartered in the EU can have the headquarters country's authority act as its "one stop shop." But it would be a mistake for a foreign website to rely on the opinions of 1/28th of the agencies that might prosecute it.

There is a misunderstanding on your part. The law is not what's written but what the courts make out of it. Lawyers may have the experience to foretell that.

On the other hand I bet you have a better life with your belief until - if ever - you learn the difference the hard way.

Take the simple question: can you look at personal data on your monitor? What about Van Eck phreaking? Basically you are broadcasting the data. Do you need to protect against that?

Tell me what GDPR says about that.

The GDPR says that at the current state of technology it would take an undue effort to infringe someone's privacy in such a way, so the risk is unreasonable.

It's like worrying that someone will be struck by lightning because they're located on your property near an antenna you set up, and you'll be charged with murder because of that. Yes, it's possible, and about equally as likely.

It's worth noting, as well, that this part of the law hasn't changed at all. The changes to GDPR are about notification and a variety of rights. Protection for leaking data to unknown 3rd parties is exactly the same as it was.

If using a 30-year-old attack costing a few hundred bucks is considered undue effort then we are all safe.

[1] https://en.m.wikipedia.org/wiki/Van_Eck_phreaking#LCDs

I would estimate the frequency of the attack similar to lightning killing people. I'm quite sure it happens but only on a very small scale because you have to get so close to the victim.

If the customer is choosing to display his data on his screen while under risk of Van Eck phreaking, it's on him.

If you choose to display customer data on your screen while raising funds for launching a new cryptocurrency in the Sultanate of Kinakuta from sketchy Chinese generals, it's on you.