If I had an instapaper account it would be interesting to submit a GDPR request tomorrow, and see what kind of reply I got. Now I don't, but I'm sure there are plenty of other interested people around.
In all likelihood, the answer from most companies would be "sorry we don't yet have the ability to provide that data, it's on the roadmap, you'll have to wait".
At which point the data subject can report them to the regulator. Hopefully everyone receiving such a response will do so. Companies have had 2 years warning.
For most small businesses and startups this is no big deal as 1 or 2 reports to the regulator isn't going to trigger anything. For those companies of a certain size, the regulator might take note of 1,000 reports in the first week. I imagine some of those will have the regulator check if they have had a self-report from the company for non-compliance. Maybe then an email to colleagues at other ICOs across Europe.
I keep reading the "two years warning" notion on HN. While that might be technically correct, the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators) and so to this day, its practical implementation will in no small part depend on the iterative conclusions and learning various implementors (eg. companies) made in an arduous process since.
In other words, the first to think they were GDPR compliant might have had to redo a ton of work to adjust to more recent interpretations.
And let's not forget, for large orgs with complex infrastructure, this is a behemoth of an effort. There have been year-long projects in the two large tech companies I've had insight into since.
And while I'm at it, let me comment on the frequently expressed notion of "if you've respected your users in the past, you'll be fine!". Just to pick one counter argument: the right to be forgotten. That can only be implemented thoroughly and in the way the users expect it to work (ie. delete everything but what you're legally required to retain) by finding a way to connect all user data so you know what to drop if need be. That is exactly the kind of action that's caused public outrage at big tech to begin with, and it's not only potentially a huge effort, it also increases the risk of abuse.
This all being said, I still think GDPR is a good idea at least in principle. And believe it or not, while everyone around me is really of compliance work, GDPR seems widely considered a good idea in principle across engineering in big tech.
> the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators)
There we have to disagree. It's not like this is something new and untried.
GDPR is a development from long-standing, and now very well understood, Data Protection. The legislation seems mainly intended to modernise some of the definitions and scope (eg adding biometrics to PII), catch some newer practices, and make very plain and explicit that it doesn't just apply to EU companies.
In 1996 and 97 in the run up to the 1998 Data Protection Directive I recall a couple of common confusions and misunderstandings. Nothing like the ridiculously poor and simply incorrect reporting we have for this.
Any large org should have been fully compliant with DPA for years. They have to add extra mechanisms for explicit opt-in or deletion and get a little less time to retrieve full data and can't charge. That doesn't seem to need a "behemoth of effort", but not to say it's necessarily entirely trivial.
In other words they survived DPA with no apparent effect, yet it's >80% of GDPR with the same definitions. No one should be iteratively fumbling toward an unclear target at all. Even reading the UK ICO's old guide to 1998 Data Protection from a few years ago gets you most of the way there including understanding personal data.
But there are not massive differences between the laws we've had for many years - for a UK example PECR and DPA implement EU regulations and contain many of the same principles around lawful basis, limiting the amount of data that's held and the length of time it's held for, etc.
Anything that doesn't say "We will do just that! It might take up to 30 days" and asks for up to two extensions afterwards is not compliant, so this would be an exceptionally dumb response.
But that's the reality. At least they're working on it, and the fact that a lot of companies massively overreact means they at least take data protection seriously now.
You don't ignore a law for 2 years and then just after it comes into force say "at least we're working on it". Honestly I thought the GDPR was a bit of an overreaction when it came out 2 years ago, but seeing how little respect companies have for our data over the last few weeks I've been convinced it was necessary.
As an engineer, with as much else as is going on on a day-to-day basis it's not surprising. A lot of the vagueness around the GDPR still hasn't been resolved; nobody wanted to get a head start just to be told "oops, we actually meant this" and have wasted countless engineering/lawyer hours as a result.
You would only take that liberty if you didn't have much respect for the law and its ability to touch you. I suspect companies are a lot more careful with each year's new IRS rules even though they don't yet have case law and are often issued on much shorter notice.
Companies directly lobby the laws that affect the IRS on a year-to-year basis and have a lot more knowledge about it. It is hardly as vague as this was. I very much do respect the laws when I can, but I'm a US citizen, and my projects don't make enough money for me to ultimately care about the GDPR/EU. I just blocked them for .. ever, probably. You're really targeting people here, sorry I disagree?
I am not speaking of you specifically because this is about the behavior of companies and not personal projects.
There are companies, OP being one (a subsidiary of Pinterest) that have presence in the EU and are essentially playing chicken with the regulators. Blocking users but keeping their data is not compliance, nor are dialogs telling users you plan to carry on as normal. Companies do not do this with the IRS because they would be afraid of the consequences.