It's chewed up a few weeks of active development time putting in features for purging and exporting anything that looks like it might be personal information, plus a considerable magnitude more hemming and hawing and trying to figure out if, how and to what extent the regulations apply to us, and how the customers that we sell our products to interpret the regulations and what features they require for their interpretation of compliance. It's a big headache, especially where we are also dealing in industries that have conflicting data retention requirements.
If we didn't have EU-based customers with sufficient sales to justify the effort, there are a thousand and one other things that we could have better spent that time and energy on.
To quote the author:
> Then automate it. If you could automate the collection of the data in the first place then you definitely can automate the rest of the life cycle. There is no technical hurdle companies won’t jump through if it gets them juicy bits of data but as soon as the data needs to be removed we’re suddenly back in the stone age and some artisan with a chisel and hammer will have to jump into action to delete the records and this will take decades for even a small website. Such arguments are not made in good faith and in general make the person making them look pretty silly after all nobody ever complained about collecting data, in fact there are whole armies of programmers working hard to scrape data from public websites which is a lot more work than properly dealing with the life cycle of that data after it has been collected. So yes, it is a burden, no, the burden isn’t huge unless you expressly make it so but that’s your problem.
The difference between investment to collect data and investment to protect data is that there is no ROI for compliance (in any compliance domain), so the capital is not easily available.
Instead of punishing companies for existing in the universe and subject to the laws of thermodynamics, the most effective compliance regimes help transition companies proactively to lower the pain which will lower the cost to GDP and thereby angst from human beings.
The GDPR body won’t even answer basic questions like whether IP addresses need to be retained or not because of the competing requirement of the EU security directive.
They have had 23 years too to prepare for this change. And they own the privacy directives. You’d expect them to be better prepared themselves. But they are being kind of arrogant and unhelpful. I suspect because they know they did not make a perfect law and they will figure it out in case law later. This capriciousness is also super annoying.