by mykull 2948 days ago
Lots of companies are ready for GDPR, i.e. the ones that handle user information responsibly in the first place, and aren't opaque data hoarders as a central part of their business model.

I'm personally not a fan of the "let's collect it because we can" mentality.

"Data is the new oil" is a great analogy because not only is it valuable, the industry of data gathering is booming with little to no care about the side effects or long term consequences.

Had the right to privacy been enshrined in protective laws much earlier, requiring explicit consent to profile people's behavior as it pertains to technology, things would obviously be a lot different. Obstacles often represent opportunities for improvement. Hypothesizing:

1. Alternatives to traditional advertising as a method for creating markets for products and services would have a better chance of taking off. A world where we have a relationship with the source of product/service introductions, where we can discriminate and depend on them to discriminate, could prevent a lot of manipulative, misleading and damaging crap from reaching people, and ensure demand goes to the highest quality products/services.

2. The difficulty of gathering would drive the value of people's personal information higher, likely leading to better protection, i.e. more careful handling, fewer data breaches and leaks.

3. A lot of "wasted effort" gathering and storing information as part of this data frenzy that ultimately doesn't provide value to anyone, despite all the moving money, could have been avoided.


> the ones that handle user information responsibly in the first place, and aren't opaque data hoarders as a central part of their business model.

Do you only acknowledge the existence of these two categories? So only "data hoarders" would struggle with becoming GDPR compliant?

I've got clients in the charitable sector having to reconfirm their entire contact list - 99% of whom would be happy to stay in touch - because the provenance isn't up to GDPR standards. We're expecting to lose most of those because people forget to respond to yet another GDPR request.

Expensive audits and code reviews, re-architecting parts of the system that accidentally record fairly innocent personal data (IP addresses in logs and backups, historical shop order data, test data copied from live data, staging servers and all the other places that data ends up in when a website has been around for a decade or more).

Yes - this data could potentially be misused, and it would have been wonderful to have anticipated that when the system was originally built, but that was in a more innocent age and nobody could have made a business case for it back then.

I would argue that the cost to organisations (many of whom are non-profit) vs the benefits to users is fairly out of kilter. Protecting user data perfectly is a noble aim but perfection costs.

No, I was a bit hyperbolic perhaps in response to the tone of the article or its headline. Of course there are responsible organizations who are affected and have costs associated with GDPR. Knowing nothing of what your clients do, 99% seems a bit hyperbolic to me, too. The reason email is so "hard" is because in reality not many people want to get the emails being sent. I find it annoying that I have to unsubscribe from a mailing list and sometimes even go out of my way not to get repeat snail mail when I'm being charitable and giving a donation to someone. Aside from all that, costs of doing business happen. I don't think the cost vs benefit is so out of kilter as you say.

I'll put my hands up to 99% being hyperbolic. ;-)

I do worry that a lot of GDPR compliance will amount to "box ticking" rather than a genuine improvement in user privacy.

Legislation is a blunt instrument and it's hard to get sizeable real world benefit from a heady mix of noble sentiment and complex statute.

That is a fair concern.