by burntoutfire 2215 days ago
We didn't lose that much because I suspect big business in Europe is largely ignoring the more difficult parts of the GDPR. I work for a large bank that is totally non-compliant with GDPR and does not really even have a strategy for getting there. My impression is that we (the bank) looked at the draconian requirements of the bill, realized that, with the total mess that the IT of the bank is in, implementing GDPR would cost billions, and just sort of gave up. It looks like we wait for the regulators to fine us and hope that it won't be a nine figure fine.
1 comments

Which parts are so difficult? Trying to find all the data about a user in the system?

I have some sympathy for a giant mash of databases like that.

I have no sympathy if someone claims that adding a tracking toggle to a single web site is too hard.

Normally it's hard enough to ensure that you have retained an authoritative copy of data, but now it's even harder to ensure that you have destroyed every incidental copy throughout the org on short notice. Then there's the bureaucratic "prior consultation" that will delay launches by months.
Two major issues that I can remember offhand:

1. Deletion/rectification of all copies (that includes backups!) of personal data on demand. We currently are not sure where (in which systems) we store all that data, not to mention adding features to delete/update all data on request in each of those systems.

2. The requirement to have a complete description of all processes within the bank which touch personal data. That involves creating a fuckton of documentation, a lot of it for systems where the required knowledge is missing (i.e. no one is quite sure how they actually work).