Yes, it has tons of regulation which at least from my experience is very difficult to implement. I used to work for a company that basically barely knew what info they stored about anyone; and they also had long relationships with tons of clients. It was virtually impossible to follow GDPR in that company, but for some reason they wanted to show everyone that they were "best in class", since they handled a lot of financial info etc. It basically just ended up with some fancy web-pages proclaiming that we were serious about GDPR, but nothing else materialized.
The cookie-banner just seems like a very strange "security" measure; but GDPR seems very strange as far as I can tell. It was sparked by the "forget me" campaign a few years ago I guess, and most people probably agree with the intent, but it has led to very strange set of rules.
> that basically barely knew what info they stored about anyone
Aha, might have been the core problem, wouldn't it?
> It was virtually impossible to follow GDPR in that company
So, sounds like the regulation worked exactly like expected? If you're not following proper procedures for storing data, it should be hard to comply with a regulation that is trying to force you to have proper procedures for storing data.
A bit like complaining that fraud is hard because of those pesky police officers. Yes, this is the intention.
> The cookie-banner just seems like a very strange "security" measure
The whole cookie-banner thing is vastly misunderstood by companies, and at best just malicious compliance. Again, not the fault of the regulation but the companies who don't put users best interest first, but their own. Hard to blame them though, that's the purpose of their existence after all, most of the time.
> A bit like complaining that fraud is hard because of those pesky police officers. Yes, this is the intention.
GDPR did not lead to any actual changes for the company, except they set up a fancy web-page about how serious we where about GDPR. That's the intention?
Many companies cannot possibly remove the info GDPR demands, as they barely know they have it, and they will use minimal efforts to fiddle with this stuff. From what I saw, GDPR is just another example of legislation, that looks good on paper; and the intention is certainly good. But no real change followed; at least where I worked.
The intention, I believe, is that it discourages from collecting superfluous data. The easiest way to address the GDPR is to not collect any data at all. If you do, then it becomes harder.
> as they barely know they have it, and they will use minimal efforts to fiddle with this stuff.
Big companies have a real incentive to act. I believe the GDPR has forced BigTech to make at least some changes, because it was better to make those changes than to pay the fine.
In my experience, smaller companies don't really care and don't really want to know, and tend to collect as muich data as they can just because they can and "it may be useful later". Many times they never use the collected data.
> is that it discourages from collecting superfluous data
Wouldn't that require some kind of actual policing? Here (in Norway) at least, police does not use any of their time trying to access random data systems looking for personal info stored in violation with GDPR. This is not something anyone fears, so as long as you say you are OK, you are OK.
> Big companies have a real incentive to act.
The company I worked for was almost as big as they come here in Norway (handled extremely sensitive personal information also). We are full of clown tech companies here as well (just like your 'Epic Health Journals' etc.). These kind of companies cannot comply with these types of rules, they cannot even make their own systems work properly.
> Wouldn't that require some kind of actual policing? Here (in Norway) at least
Maybe a dumb question, but have you actually reported the company to your DPA? I think the DPAs have some agency to perform investigations on their own, but currently they're mostly acting on user complaints, whistleblowers and self-reporting by the organization itself, so if none of the people involved (on either side) reports the organization, the DPA won't know where to even begin.
Seemingly you have a good inside view with clear evidence of breaking GDPR, so I assume you've reported this organization then?