> Fine, we now have an engineer building GDPR features instead of features that benefit our customers.
I am not finding any shred of sympathy for your story. To me this sounds approximately as evil as saying you are a pipeline company having to comply with all of those pesky environmental and occupational regulations by spending money on worthless safety features for people working and living on or around the pipe, and that none of this benefits your customers: the oil companies.
Yes: you built a bunch of software around a specific set of assumptions about what you were allowed to do, and in the process you took advantage of cost savings by ignoring externalities such as information privacy, and now that this law exists you will be negatively affected. However, the point of this law is to say what you were doing was NOT OK and that future companies should not do this and existing ones had better figure out a way to stop doing this.
In a perfect world, everyone would have built these features into their systems without this law, but they didn't, so now you all are going to get punished. If your business is still possible (and I have no particular care if it isn't) and any of your competitors had spent the, in your mind, wasted effort making sure this was possible in the past, then I am not just OK with but extremely delighted that they will now have a competitive advantage over you as you scramble to retool.
You are essentially asking for sympathy here without first taking a step back and showing that any of what you were doing was not just expedient for you, and not just beneficial to you, but that it was also simultaneously what people other than you deserved: the presumption here is that you are the villain, and it is really hard to ask for sympathy from that position, and I can tell you all you are doing from my reading is digging yourself a deeper pit.
You seem to be responding to an entirely different GP post to the one I read, which seemed pretty clear that the GP's company isn't doing the kind of tracking and analytics that a lot of people might say were "NOT OK".
It's easy to post bold privacy advocacy from the cheap seats, but I suspect you wouldn't like a world where these new rules really were enforced to the letter. Many of the organisations whose products and services make your life better in some way would most likely cease to exist, and the economy on which your personal quality of life depends would surely take a huge hit.
> GP's company isn't doing the kind of tracking and analytics that a lot of people might say were "NOT OK".
GP's company isn't doing the tracking and analytics, but it is pulling data from companies that do. Therefore, regulations that affect GP's customers affect GP. This is right and proper, and I don't see what the problem is.
> This is right and proper, and I don't see what the problem is.
The problem is that it will be almost impossible to comply with the letter of the law in this case without either imposing prohibitive levels of overhead or disregarding other good practices like logging diagnostics and keeping robust backups in case things go wrong.
There's a saying about babies and bathwater, but this is more like requiring the entire house to be rebuilt in order to throw out the bathwater. Sure, you can do it, but it's much easier to say that when it's someone else's manual labour being paid for by someone else's money that will make it happen.
> The problem is that it will be almost impossible to comply with the letter of the law in this case without either imposing prohibitive levels of overhead
If the business requires this much overhead in order to internalize the data-externalities that it's generating, the business does not deserve to exist. Privacy violations are an externality, just like pollution, climate change, or deforestation. The way we deal with these externalities is through regulations and taxes that force businesses to internalize the costs they're imposing upon the rest of us. OP's business is like a chemical plant that gets its feedstock from polluting suppliers. If pollution regulations make the feedstock prohibitively expensive, then it's a signal that the existing process for making the product wasn't providing a net economic benefit to society, and that the process needs to be either reengineered or shut down. By the same token, if privacy regulations make your product unprofitable, then your business model either needs to be reengineered, or you need to shut down.
There's no rule saying that cities have to be covered in smog. Likewise there is no rule saying that online media has to be funded through advertising. In the case of pollution, externalities that appeared to be inevitable turned out to be the result of choices resulting from economic incentives. When regulation changed the incentives, the externalities were massively reduced (as evidenced by the fact that Pittsburgh today has some of the best air quality in the US). I'm confident that the same is true of online media. The only reason that it's funded by privacy-violating advertising is because privacy-violating advertising is the cheapest and easiest business model. But if you take that off the table, businesses will be forced to innovate and come up with new payment structures that better align their interests with those of their customers.
If you want to work with other people then at some point you will often have to share some information with them so you can work together. Privacy can't be measured only in terms of absolute control over who has information at all. As a practical matter, it has to be more nuanced, also working at the level of how someone is allowed to use information given to them.
Now, there's plenty of scope for debate about that, for example in what uses should be accepted as reasonable by default, what should require explicit consent, and what should be subject to someone opting out even if it's allowed by default. Much of the data protection framework in Europe, both past and near future, exists in this space.
But there also has to be a balance, because if you start assuming ill intent and trying to prevent anyone from doing anything with personal data just in case it might be leaked or abused in some hypothetical future, you stop being able to work with other people effectively at all. In this context, paranoia is no more helpful than complacency.