Comment by eclipsetheworld

To quote you, both unethical players and US-based firms can afford to ignore such rules. There must be a difference between these categories, right?

I have single-handedly stopped breaches-in-progress by going up to a company and saying "this practice of yours isn't GDPR-compliant: here's what you can do instead". I've heard from people who (self-admittedly) have no idea what they're doing, fixing breaches in their organisations that they didn't know about because, while they don't understand computer technology, they do understand their GDPR obligations. GDPR works.

> ban default-public cloud buckets

GDPR Article 5 1(f) already bans those. It doesn't mandate MFA in particular, but it does mandate "protection against unauthorised or unlawful processing […] using appropriate technical or organisational measures". There's a reason that GDPR doesn't get more specific than that. If you're at all familiar with the Microsoft stack, you'll know that mandated security checklists often come at the expense of actual security (see also: AViD's Rule of Usability). There's no real workaround for basic cybersecurity competence, at least at the moment.

> a well-drafted Privacy Impact Assessment

Are you saying you don't design your software systems before implementing them, nor document them before they go into production? It's the work of half an hour to reformat process documentation into a Privacy Impact Assessment report. And yes, as anyone who's worked on safety-critical infrastructure knows, process and documentation save lives. This is not burdensome.

> or a 50-page DPA

I don't think I've ever seen a DPA that long: they're usually under 10 pages, and boil down to "you are the controller, we are the processor, we're not responsible for the data, you're responsible for instructing us to fulfil any data subject requests, we won't fulfil them on our own, we won't peek at the data, here's how we're keeping the data safe". If your DPA is 50 pages long, then I'd warrant there's a bloody good reason for it to be that long. Are you saying you'd go into a complex business arrangement with a service provider without paperwork clearly setting out the expectations for each party to the contract?

(Note that Article 28 does not require the DPA to be a separate document: it's absolutely fine for it to be part of the main contract, so long as the necessary boxes are ticked. Afaik the phrase "data processing agreement" does not appear in the text of the GDPR. Splitting these contractual clauses out as a separate document is a decision made by companies for their own convenience – much like how programmers split programs up into libraries and modules.)

> The DPO isn't an engineer.

Let the DPO requisition an engineer. Running the appropriate queries against the database is a 2 minute job, so round up to half an hour. It's the way Stack Exchange did such things in their first few years of operation (admittedly, pre-GDPR, but that's besides the point). If the engineers are interrupted more than twice a week, then you can have one of them spend a couple of days throwing the tooling together to let the DPO field the requests alone.

> In healthcare, patients care that their data is secure and the service works. They aren't losing sleep over "data portability."

That's actually a major concern for anyone with complicated healthcare needs, who plans on moving to the catchment area of another practice. The amount of time wasted trying to persuade a new doctor that yes, I do need that medication, no I can't have the cheaper medication, I'm allergic — no, I do not want to "check" that I'm allergic, I nearly died the last time… no my prescription for this one needs to halve, not double, it's lower because I'm discontinuing it… all vastly simplified if they can just read up on your electronic health record, which data portability guarantees they're able to do.