• AnarchistArtificer@slrpnk.net
    English
    arrow-up
    9
    ·
    3 days ago

    There have been some wins from GDPR, but it’s woefully under-enforced. I became very familiar with the GDPR when I did an internship in the regulatory risk department of a big bank when everyone was frantically trying to rebuild shit to ensure compliance. I think it’s a damn good piece of legislation, and it’s a shame to see it doing so much less than it could be.

    • grepe@lemmy.world
      English
      arrow-up
      1
      arrow-down
      2
      ·
      2 days ago

      i disagree on a technicality.

      i also think the idea of gdpr is good in principle but if a legislation is unenforced and/or unimplementable then it is effectively useless. and gdpr is a case of mostly unenforced because it is practically unimplementable.

      for example no company can reasonably implement the right to delete users’ data (one of the core principles) when requested… at least not in the extent as it is defined in gdpr (i work as a data engineering manager and trust me, we tried, in every company i worked for…). it is a similar task in scope as if an author of a typesetting font suddenly had the right to revoke your permission to use random letters from their font… and when they did it you would be expected not only to stop using it immediately, but somehow remove it from all of your existing documents including printed copies and copies you sent out to your clients and suppliers (dear supplier, could you, please, replace the invoice we sent you last year with this attached copy and shred the one we sent you originally? we replaced all instances of letter “a” with different font…).

      • FooBarrington@lemmy.world
        English
        arrow-up
        3
        ·
        2 days ago

        Could you expand on some of these challenges? We haven’t had these issues in any companies I’ve worked at, but those were mostly on the smaller side.

        • grepe@lemmy.world
          English
          arrow-up
          1
          ·
          9 hours ago

          i gave the example with data deletion. deleting someone’s data means also deleting or altering data products derived from it - like statistics, machine learning models etc. which are, in turn, used to create different data products and so on. which are shared, stored and processed beyond the company with different partners (called processors, which may have processors of their own that not even the original data controller needs to be aware of). and you as the primary data controller are technically responsible for all of it everywhere. and erasure or withdrawal of consent is the easy case… data subject can, in principle, withdraw consent only for specific purpose or specific processor.

          • FooBarrington@lemmy.world
            English
            arrow-up
            1
            ·
            3 hours ago

            Hm, alright, I can see that - but to me, this is an example of business practices that the GDPR is explicitly trying to restrict. Of course it will be difficult to delete someone’s data if you’ve been sharing it with many other companies.

        • aim_at_me@lemmy.nz
          English
          arrow-up
          1
          ·
          2 days ago

          We definitely encountered challenges, like rogue data sets from siloed teams, rehydration of backups, etc. but we managed to comply with the right to be forgotten. And these are large companies. If someone as a data engineering manager admits to not being able to do it? Well that’s either a resourcing problem, a negligence problem, or a skill issue.