by kinsomo 2950 days ago
> Basically, you can't stop a big company from getting hacked no matter how much you spend on security.

I never said anything to the contrary, but the observation is irrelevant. You can't stop all pollution, but that doesn't mean you shouldn't pass regulations that either ban it or impose liability for it.

1 comments

That's an invalid metaphor. The point behind regulating specific types of pollution and fining companies that emit it is in fact to completely eliminate it. When total elimination isn't possible, regulators have taken alternative approaches, like phase-outs and carbon trading schemes.

The GDPR authors appear to believe that not being hacked is merely a matter of choice, despite all evidence to the contrary. They are clearly dangerously delusional. If even Google, with its pick of the crop, unlimited budget and massive security team, cannot avoid being hacked, then nobody else has a chance.

Regulators don't care if you're hacked.

What they care about is how much data you had (and did you need all of it), did you tell the users, have you put things right, had you done anything to protect the data?

If you have a lump of data that you don't need, that you store with no attempt at encryption, and it's held behind software that you haven't bothered to update even though security patches have been released, then yes, you're going to be regulated.