
GDPR is all about being clear about the data you are collecting, what you are planning to do with it, and whether what you are doing with it is legitimate.

Lots of companies come unstuck because they fall into the trap of “let’s just collect everything and see what we can do with it”.

Or, I’ve got all this data I’ve collected legitimately. Who knew that you could sell it on to some data broker and make loads of money - let’s do that!

Or, I’ve collected all this data, I’m just going to keep it hanging around, oops I just put it on a public bucket and leaked it all. Hmm, I’m not even sure what data we had, have we just compromised a bunch of people? Who knows…



Also, GDPR compliance is forcing companies to collect and store data they wouldn't have been collecting otherwise, such as to be compliant in regards to child safety you must find out which users are children. Data itself can be seen as a somewhat radioactive commodity, requiring exquisite handling, and creating new reputational and security risks.

It's not surprising that many smaller companies are saying fuck this noise.



