Throwaway since I don't want to involve my employer.
I actually work for a platform that is squarely in the GDPR crosshairs (digital marketing). There are a lot of things where our lawyers' perspective is different from what most people say here (I didn't talk directly to lawyers, but I presume product managers did).
- You don't have to comply in 2018, you have to show that you started seriously working on a solution, even if you're not fully prepared.
- You don't have to have automated processes for everything (e.g. delete from backups), it's actually perfectly reasonable to say "we'll process your request" and do it manually (ref: startups spending inordinate amounts of effort for GDPR compliance).
- Opt-in is not as much of a "game changer" as suggested here; my understanding is that you can do implicit consent (notify the user about what you do, give them a link to take action; crucially, that link might even be the link to your privacy policy which contains the link to the opt-out interface... if I got this right - and I think that I did - this may not amount to much more than a slightly modified "this site uses cookies" thingy).
- Delete requests may be handled by "de-identification" (don't delete the data, delete the association with you).
- Related to that, while I don't have a definitive answer, I strongly suspect that GDPR only applies to information that can be positively associated with you (e.g. authenticated activity). I'm not obliged to show you anonymous browser activity/information that I've probabilistically associated with you, for the simple reason that I might be wrong and I might disclose sensitive information (think about your girlfriend looking up "what does Amazon know about me" and finding out that "she is interested in an engagement ring" because you anonymously browsed from her computer, thus spoiling your surprise even though you were careful to delete your browser history/browse anonymously. Yes, incognito mode doesn't necessarily help you - we make efforts to identify the incognito sessions server-side and de-link them from the probabilistic marketing profiles, because we don't want to negatively surprise the customers; but I suspect not all players are that careful).
Overall... despite what many people think, I think big players are actually fairly careful/sensitive about your privacy (well, if we exclude Facebook here :D ). It's the startups that would concern me more... they have very little incentive to guard your data well, because there are so many OTHER reasons why they might fail, that "privacy disaster" is very low on their list of concerns.