[jacquesm]

This is because often the perception is that it works. Even the GDPR contains some subtle mistakes. In the case of a breach it is the controller that is responsible for reporting the breach to the DPA of the country where they reside, but it is the processor that usually becomes aware of the breach. So processors that don't report breaches to their customers are giving plausible deniability to the controllers they work with that everything was just fine.

This is very frustrating because it is obviously not how things are intended to work but that's how less savory characters interpret it and so far they are getting away with it in most cases. The result is a whole slew of breaches being wiped under the carpet.

[chiefalchemist]

> This is because often the perception is that it works.

Yes. But how can this idea persist? I mean one of life's basic rules is: No one care more about you than you. To pretend otherwise is silly. At a company level (read: bebolden to shareholders) its borderline negligent.

Wishful thinking worked in kindergarten. It's not something working adults should be embracing so strongly. Right?

[jacquesm]

Well, yes, right, but that doesn't seem to stop anybody. I even see this sort of stuff in the boardrooms of companies that should know better. I don't know what drives it, maybe some sense of reinforcement from getting away with similar stuff in the past?