
Constantly trying to whitewash over the fact that GDPR is a huge pain in the ass and will involve a lot of work for a lot of companies is what I don't understand, but Mr. Mattheij has been doing it for months, so that's evidently very important to him for some reason.

It's chewed up a few weeks of active development time putting in features for purging and exporting anything that looks like it might be personal information, plus a considerable magnitude more hemming and hawing and trying to figure out if, how and to what extent the regulations apply to us, and how the customers that we sell our products to interpret the regulations and what features they require for their interpretation of compliance. It's a big headache, especially where we are also dealing in industries that have conflicting data retention requirements.

If we didn't have EU-based customers with sufficient sales to justify the effort, there are a thousand and one other things that we could have better spent that time and energy on.



One might argue that your company doing the "custodial" data work over the past few weeks and building in the mechanisms in order to handle that data in a more nuanced way is something that should have been done beforehand, and that the fact that you had to take time out to look at it means the law is doing exactly what its drafters wanted it to do.


Of course there are 1001 things YOU deem more important. All that says to me is that your interests and priorities are not aligned with how people in the EU want their data handled.

The WHOLE POINT of GDPR is that many companies have continually pushed PII data handling down their list of priorities. As a result, the EU has decided to step in and use a law to bring it back up the list.


I don't think he whitewashes that it's a burden. But he does try to address some of the panic and hysteria.

I care about privacy. Perhaps Mattheij does as well, and that's why this is important to him. If you agree with the spirit of the legislation, then I think you should also consider this a great opportunity to do the right thing, instead of a hassle.


Oh man, the rest of us are so sorry that you are now required to responsibly handle personal information.

To quote the author:

> Then automate it. If you could automate the collection of the data in the first place then you definitely can automate the rest of the life cycle. There is no technical hurdle companies won’t jump through if it gets them juicy bits of data but as soon as the data needs to be removed we’re suddenly back in the stone age and some artisan with a chisel and hammer will have to jump into action to delete the records and this will take decades for even a small website. Such arguments are not made in good faith and in general make the person making them look pretty silly after all nobody ever complained about collecting data, in fact there are whole armies of programmers working hard to scrape data from public websites which is a lot more work than properly dealing with the life cycle of that data after it has been collected. So yes, it is a burden, no, the burden isn’t huge unless you expressly make it so but that’s your problem.


I am happy the author is fighting the power. However since most of us live in society we generally would prefer less chaos.

The difference between investment to collect data and investment to protect data is there is no ROI for compliance (in any compliance domain) so the capital is not easily available.

Instead of punishing companies for existing in the universe and subject to the laws of thermodynamics, the most effective compliance regimes help transition companies proactively to lower the pain which will lower the cost to GDP and thereby angst from human beings.

The GDPR body won’t even answer basic questions like whether IP addresses need to be retained or not because of the competing requirement of the EU security directive.

They have had 23 years too to prepare for this change. And they own the privacy directives. You’d expect them to be better prepared themselves. But they are being kind of arrogant and unhelpful. I suspect because they know they did not make a perfect law and they will figure it out in case law later. This capriciousness is also super annoying.


> The difference between investment to collect data and investment to protect data is there is no ROI for compliance (in any compliance domain) so the capital is not easily available.

And now GDPR can bundle both together, so that the ROI for collecting data pays for the cost of handling it reasonably, because otherwise you can't collect it.

It levels the playing field and fixes the broken incentive structure around data collection.


The ROI for compliance is you get to do business with EU citizens and businesses.

What EU security directive are you thinking of, regarding IP addresses?


Go look up what CPMs are for the EU. Having your website in the EU will simply not make you much money, why even bother?


Sorry, I don't even know what CPMs are. Could you provide a link?


Cost per thousand people. It is an advertising metric.



