by theshrike79 437 days ago
> Thank you for your interest in Amazon Nova. At this time, we are only accepting customers in the US.

Every single time
GDPR is a double-edged sword
GDPR only applies to Europe, not the entire rest of the world outside of the USA.
GDPR is simply ahead of its time from an American perspective. Like Mobile Telephony in Europe when pagers were still a thing in the US.

In time the average American consumer will understand the monetary value of their PII and usage metadata and demand adequate protections - which effectively is all that GDPR does. Given the actions of the current cabinet, I feel we are in fact accelerating towards this inevitable outcome.

GDPR does more than demand protections. It demands data locality. It demands that encryption and access controls be done in a certain way. It backs up its demands (that are sometimes vague) with huge fines.
It really doesn't do anything more than mandate consumer side protection.

Data locality in legally compatible jurisdictions is the most fundamental form of protection there is. Without concepts such as Safe Harbour and data locality, handling of PII would be farcical amongst MNCs.

Re: Demands on Encryption? The most prominent mention of encryption is in Article 32(1)(a), which mentions the “pseudonymisation and encryption of personal data” as measures that organisations can adopt.

However, it is important to note that encryption is not compulsory. Instead, the GDPR takes a risk-based approach, meaning that the decision to encrypt data depends on the sensitivity of the data, the risks involved, and the potential impact on data subjects.

Backing up demands with fines is about the only way consumer protections are realised as corporate mandates rather than friendly advisory. Name me another comparable legislation that achieves its goals without resort to punitive measures for non-compliance?

In short, you would far better understand the intent, purpose, and reality of GDPR if you engaged with it as a piece of vital EU consumer protection legislation, rather than some sort of draconian shake-down of American Capitalist practices.

Ah excellent. Encryption is not compulsory, but doing a bureaucratic risk assessment of whether you need encryption is. That is so much less work.

In reality, GDPR is a jobs program for eurocrat auditing and consulting firms combined with an effort by Facebook and Google to prevent European competition. Note that GDPR fines are big enough that they can crush a small company, but small enough that Google wouldn't care.

I can't tell if this is sarcastic or genuine surprise.