> bake privacy into your company from the start. Create a culture that takes it seriously and threads it through everything it does.
Replace "privacy" with "security" above, and you'll get the widely accepted best practice approach: "you cannot bolt on security later", etc. Likely it will work for privacy equally well.
It also works for performance, reliability, UX quality, etc. What GDPR does is forcing business to make privacy their core concern. Since time & budgets are inherently limited, this will come at the expense of something else.
> What GDPR does is forcing business to make privacy their core concern.
Not really. It will mostly be a problem for companies which use a lot of SaaS services with no on-premise solution and companies in the business of selling their users data. Not gonna shed a lot of tears for those.
In the same way that AWS wasn't originally certified for government work, and then developed GovCloud: they realized there was a lot of money in it.
If supporting GDPR is a requirement for having European B2B customers, SaaS providers are going to start certifying against and architecting around that.
Actually what it did for me was allow me to ignore the EU entirely. This makes my implementation more simple since I don’t have to focus on the GDPR and can ignore the localization crap from having 2 versions of English.
Careful, the EU is a big market. If you exclude the EU, and get big enough, someone can just copy your business, but abide by EU law. Suddenly you have a competitor who has access to a large market that you don't have access to.
This is extremely true from a network security perspective for new ISP infrastructure as well. It is very "easy" to start forming layer-2 and layer-3 adjacency between things geographically distributed around a city/state sized area without much regard to security. It will create a huge amount of work to come back and fix later. Whereas if you design the architecture from the start with security in mind (how you're going to deal with your management VRFs, monitoring systems, OOB authentication, NOC and neteng access to stuff in private IP space, etc.) it will be much easier to scale.