by pjmlp 1794 days ago
The only way to make it part of the original requirements and not an afterthought is to start doing it the way other industries do.

Exemplary punishment for any security exploit gone wild.

Management will start getting the required resources to make it happen accordingly.


There is a risk that well-intentioned regulations become a barrier to entry that only large, well-resourced organizations can meet.

For example, what if "management" is a one or two person startup?

Maybe punishment is not the answer, but rather liability insurance coverage requirements. Or treat it like workers compensation where a small tax funds an insurance pool. And make it so repeat offenders get charged an increasingly higher tax rate.

The same issues a one or two person restaurant startup has to deal with, for example.

When kitchen cleanliness, plumbing, food quality and preservation, cutlery, access for disabled people, ... become an afterthought, it is time to be shut down by the consumer protection government agency; usually they get a one-time warning though.

Or maybe not, depending on the country, but then expect what might be great food with interesting side effects.

Definitely true that enforcement has to be proportional to both the infraction and the size of the organization.

However, I would argue that there are plenty of very small companies that also take advantage of that, i.e. very high-growth, early-stage companies with loads of VC backing that don't prioritize this because they're small and there are only two founders.

All I mean to say here is, again I'm not a regulator, however we do need a way to enforce against bad behavior.

In the 1950s no one wanted seatbelts, not car owners/the public or auto manufacturers. Today no one would get in a car without seatbelts without thinking it was weird/crazy. Sometimes we have to enforce rules to drive change, otherwise bad behavior (particularly at large companies) goes unchecked.

Penalties can be both severe and proportionate to revenue at the same time, as one option.

Right b3morales - they can and should be proportionate to size of company, revenue and the type of regulatory infraction. All of these must be evaluated, but it doesn't mean we shouldn't enforce.

To take the restaurant example, a mom-and-pop restaurant may have less resource to bring to bear for cleanliness and safety, but if it consistently, knowingly persists in doing something that makes its patrons ill, is it any less at fault than a chain of restaurants that does the same? The fine may be proportional to that organization - that's the goal with the GDPR's revenue-percentage-based fine format, but it could/should go further for large companies that consistently fail.

There's an old saying: "politics is downstream from culture". Well, so is privacy.

That's an interesting one - I'm not sure I follow, TeeMassive. Do you mean to say that privacy is unimportant culturally?

If that's the case, we probably differ on POV a little so I'd love to know more about why you think this?

In my experience, average people who don't work in tech (non-devs) do not understand privacy or data use in a system, so it's hard for them to comprehend the potential impact. They're trusting people who work in tech (devs and others) to do the right thing, and this is where the problem might be; we're being trusted to ensure we don't abuse or accidentally misuse a position of tremendous knowledge and power.

My parents certainly understand where/how their data is stored or used when they use their phone - aren't we then responsible for keeping those people who don't know safe?

We're both agreed on this point @pjmlp - regulations must have teeth, and that often takes time. I can't speak to it, as it's not my area of expertise, but we also have allowed a type of golem to form, in that big tech is now "too big to fail", and many governments struggle with balancing their ability to enforce against the level of employment that tech provides their country (look at Ireland for a prime example of how tough this balance is).

TL;DR: I agree with you, but I'm not a politician and can't effect change there, so I'll keep chasing a realistic solution that makes it easier for devs to do of their own accord, as we (the dev community) are pretty good at solving things when we turn our minds to it.