by av501
1561 days ago
It is a function of incentives and punishments. The nature of the company you are in and the risk the org is willing to bear play out. I work for one that puts in a lot of effort to get rid of all the user data if they request a deletion based on the laws of the country they are from, which we can expand to any user as needed. Whenever we have found gaps in our existing data storage, we go back and really try to clean it up. However, there is a lot of legacy that surfaces from time to time. The reality is doing this is messy and is going to remain so for some time. One cannot suddenly start after years of no incentives in the online economy to do this and get to cover all areas without huge cost. This requires giving up competitive advantage today. Mid to small organisations that were beyond startup state but not yet having 1000s of engineers, which have to balance growth and operational aspects, are left in the most difficult situation. As the laws started taking hold, their incentive structure is still not fully aligned with this as the digital economy does not yet reward them for this enough nor does enforcement create a large enough risk yet. Same thing plays out with some of the larger orgs, just that they have more lawyers to help them stall this as humans are always biased to keep the status quo if it is beneficial to them.
Personally I think we've had a start but it's going to take some time to get to where we need to be. I really applaud the idea of the privacy laws and the intent behind them. It's just that one has to recognise we won't be getting to a state of good behaviour within a few years after a couple of decades of not having those requirements baked in from the get go. Old habits have to be replaced as well. The enforcement is hard and that will be something that has to be bubbled upwards from the ground up by users themselves to create a digital economy where consumers/users reward those that respect their privacy. It is just not yet that way today, so why would the organisations change? The risk is low as enforcement is hard and the user demand is not enough.
Most successful would be attempts by large organisations such as Apple and laws like GDPR which force developers and companies to change their thinking. By asking for change and continuing to iterate on that you can start seeing a slow move towards development practices that will have privacy by default. You need the whole chain of actors to move towards this: the product managers, the engineering leads and architects, the decision makers, the risk assessors. Once enforcement is more steady alongside more demand from users the balance will come. All of this moves slowly whether we like it or not.
(edit - grammar and made some long sentences shorter)