by _Codemonkeyism 2329 days ago
Well, I made some input to data protection agencies and got some feedback, so I'm rather happy on how things do progress.

That said I assume nearly all companies out there are not in compliance. To the point of the article, privacy policies are mostly not detailed enough and it will take some time before companies come into compliance.

This is the trade-off between a strict PCI level compliancy policy with a strict checklist of things to do and the "vague" GDPR compliancy which was created that way to be independent of technology changing over time. The downside is it's not clear how to be really compliant and companies do the very minimum of what they think they can get away with.

Also there are so many huge violations that, yes, the data protection agencies can't cover everything, so they start from the top with the companies that get the most complaints (1&1 getting a 10M EUR fine) or have the biggest missteps. I assume the Buchbinder fine will be much larger than the 1&1 fine, and it will for the first time prove to companies that they are still responsible when they hire an IT company to manage their data - which was the point of the parent.

Until the GDPR arrived data leaks were just "Ooopsy" moments to companies. This culture has festered for decades and it will take some time to change.

And my comment was to the parent "and the information they sell to the end user? Is it secretly there deep in some terms of service" where the GDPR requires you to tell people what you do with the data in terms that they understand, without obfuscating the message or hand-waving. I would have wished that companies need to open their process directory to the public though.