> is that it discourages from collecting superfluous data
Wouldn't that require some kind of actual policing? Here (in Norway) at least, the police do not use any of their time trying to access random data systems looking for personal info stored in violation of GDPR. This is not something anyone fears, so as long as you say you are OK, you are OK.
> Big companies have a real incentive to act.
The company I worked for was almost as big as they come here in Norway (handled extremely sensitive personal information also). We are full of clown tech companies here as well (just like your 'Epic Health Journals' etc.). These kinds of companies cannot comply with these types of rules; they cannot even make their own systems work properly.
> Wouldn't that require some kind of actual policing? Here (in Norway) at least
Maybe a dumb question, but have you actually reported the company to your DPA? I think the DPAs have some agency to perform investigations on their own, but currently they're mostly acting on user complaints, whistleblowers and self-reporting by the organization itself, so if none of the people involved (on either side) reports the organization, the DPA won't know where to even begin.
Seemingly you have a good inside view with clear evidence of breaking GDPR, so I assume you've reported this organization then?