Technical types seem naively optimistic about how GDPR is going to work out.
Businesses will do enough to pass the sniff test of proper compliance with GDPR, and no more. I've worked with enough to know most mid sized orgs are far too reactive, too technically incompetent, and far too busy making money to do a proper job on adhering. Most flout existing laws already, I don't think they'll be scared of disregarding elements of this too.
I work at a BigCorp and we are taking this very seriously, adding processes and new retention policies to all internal datasets, and reconsidering our interactions with partners.
Similar BigTechCorp, everything around me has been GDPR for almost a year. Deadlines are coming up, there are entire teams dedicated to following them up.
A slightly different point of view: I work for a company one of whose products is related to identity and access governance, and we have a large number of ExtremelyBigCorps from all around the world throwing A LOT of money at it (except Oceania, I don't think we have any clients there).
I know that there is a HUGE concern about the fines that can be used to back up GDPR.
I know of US companies that have an EU presence legally (but with little income from the EU) that are considering just blocking EU traffic as a way to stay safe with the smallest overhead.
That's fine, businesses have that choice. Hopefully, GDPR gives people a choice w.r.t what happens with their data.
Many countries in the EU have a great standard of living by focussing on individuals' rights vs companies. Well, I say focussing. From our perspective, it's just normal and a good balance. But if you live in a country where companies can screw you over in a million ways ("at will" employment, arbitration, NDAs, etc.), maybe such rights might seem a bit alien.
No, I mean my understanding of the law is unclear because the law itself is. It'll take a few court cases to hammer out most of the clarifications. Once it's better understood or made to be like PCI, which literally spells out steps to take for minimum compliance, it'll be a headache at best.
Fair enough, although how is this different from other laws? If laws were obvious, there'd be no lawyers or judges.
And if you've tried to comply with the law, but unintentionally fail to handle some edge-case with low impact, the sanctions are pretty light (e.g. a warning letter). It's not draconian, as long as you don't cut corners.
Most laws aren't so far-reaching, and the vast majority in terms of regulatory scope have been fleshed out. These same issues do happen with any new broad, far-reaching regulations. This is one of the first that is both a significant increase in regulatory burden and that deals with, ostensibly, the global tech market.
Also, the fines here can be real money, which also isn't often the case. That plus the lack of clarity are why people are concerned about it.
Basically they're worried that you can do everything right and still be wrong because everything isn't well defined and is very difficult to define.
As a citizen of an EU country, I’d prefer to have the choice from as many companies as possible, and to decide myself whether I do or do not mind sharing my data with a company. This will reduce my choices.
I also disagree with you that the EU regulations are a good balance - it’s skewed way too far towards over-regulation.
That's just a band-aid though: they're effectively gambling that data protection laws won't ever come in effect in the US and Canada, all the while locking themselves out of expanding into the EEA market.
After the Equifax thing it's not looking like a very solid bet.
Would that be sufficient? I would think an EU citizen interacting with such a company from within the US would open the company up to GDPR requests. Enforcing them might be hard, yes, but it could be enough of a nuisance.
I think this will change the world, just as the EU's push for lead-free soldering did.
While some outfits may blithely whistle past the graveyard - do you want to become the precedent that starts paying the % of revenue fine for non-compliance?