> I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so.
They're OK with the liability exactly because of this very sentence. As you said, there are so many data breaches... so where are the company-ending fines and managers/execs going to prison?
Here in Japan the government cracks down on it hard. There are fines for every n users exposed, and in extreme cases a company can be forced to stop trading for a period of days or weeks. Companies are so scared of this happening to them that a significant portion of orientation for new employees is spent on it. I don't have stats on how effective it is, but I do know that the public is less willing to accept it than they tend to be elsewhere.
Is this true? KADOKAWA had a massive hack last year that leaked a large amount of sensitive user data and as far as I know has faced no legal repercussions. Obviously they took a decent financial and reputational hit, but that was just an effect of the hack itself, not any government intervention.
Wow, good for them. I wish we took it that seriously in North America.
GDPR has fines:
Up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements such as controller and processor obligations, security of processing, record-keeping, and breach notification duties.
Up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements of basic principles for processing, data subjects’ rights, and unlawful transfers of personal data to third countries or international organisations.
These fines aren’t something you’re responsible for paying by merely being breached. These are imposed for misconduct in data handling.
It’s not very hard to handle customer data in a legally compliant way; that’s why you don’t see companies deciding against retaining data.
You can do everything right and still have a data breach, and in that case nobody is fining you.
Sure, in principle. Have you heard of any company that suffered any significant hardship (say, stock price plummeting, personnel reductions, bankruptcy) because of one of these fines?
Specific to the UK, there's a list of enforcement actions that the Information Commissioner's Office (ICO) has taken:
https://ico.org.uk/action-weve-taken/enforcement/
Some went to prison, some were fined £14M, and it's a mixture of small fry and big fry.
Big companies aren't suffering any of those. But small businesses and individuals are. Just see the enforcement lists. They are fining small flower shops that sent emails to 20-30 people, some of whom subscribed to it decades ago, then forgot. Or small internet startups for missing one subscription record and whatnot. Like all other corporate moat-building efforts, GDPR has been successful in destroying small businesses in favor of big ones.