[arkh]

> I imagine a large number of companies flout the above without realising.

Most companies flout the 101 of GDPR.

Do you have a registry of the personal data processes you do? Are you able to hand it in less than 48h after receiving a request for them?

Do you do risk assessments when thinking about implementing a new data process?

And it's not only about electronic data. Paper files are concerned.

Yes it can feel like a lot but if you're handling people's personal data you should not be playing around. And if it's too hard, maybe "just" don't process personal data at all. Before GDPR we were already at a point where people just siphoned and stored people's data "in case it is useful later". Now some legislation is in place to make you think about why and how you get and store this kind of data, putting a price on doing it. It's a plus for the public.

Too bad if it does not help sell ads, scams or just abuse people.