| HN Mirror

That’s just not true. I’ve consulted with a few privacy legal agencies and spent a lot of time evaluating the law. Some sections are even worded in a way to allow wiggling room for prosecutors, or require good will on your part. What would even be supposed to happen if you weren’t „compliant“? In the end it’s always about specific kinds of misconduct, and that means fines. The amount of a fine depends on the severity of the misconduct. The GDPR isn’t different at all from other laws in that regard.

If you’re found to be in breach of the GDPR, the severity of the breach as well as the amount of negligence or malevolence on your part is taken under consideration to decide on the fine. The prosecuting attorney also doesn’t have to actually fine you if it’s clear you put in effort and acted in good will.

For a concrete example, a startup usually isn’t required to provide a fully fledged data deletion policy, but if you cannot roughly outline how you intend to handle people’s requests to delete their data, that doesn’t look good. If you don’t even have some sort of privacy policy on your website, that looks worse.

Nobody can implement the GDPR 100%. But you can try to handle data responsibly, and if someone discovers you don’t and you try your best to fix the error (which is on your part, mind you), nothing draconian is going to happen.

And we’re still talking about basic respect towards your users or customers here, it’s not like someone asks something ridiculous of you.