Originally Posted by bigjdubb
How about no. We should deal with the important stuff before we worry about the piddly stuff.
I haven't paid any attention to the GDPR stuff, is it any good? I'm sure whatever they implement here in the US will be a great benefit to the companies collecting and selling the data and be another nail in the coffin for an individuals right to privacy.
Some pretty good stuff, here's a short summary.
Controllers of personal data must put in place appropriate technical and organisational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate), and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EEA. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.
Actually having regulations for storing data is probably the most important thing, almost every major "hacking" event was because of gross incompetence like storing emails, passwords etc in plaintext in the same database.