"It is GDPR's fault."
This comes down to how a regulation/law is enforced and potentially how that enforcement changes over time - if the regulation/law involves a significant change in behavior (I believe this is the case with GDPR), expecting the diverse range of organisations affected to comply fully on day 1, year 1 or even, I suspect in years 1-5, is likely to be unrealistic, so it should be eased in with case law building to support ideal practices across differing industries. I'm not suggesting that this removes the need to comply with GDPR, just how it should be enforced to avoid it being workable.
While I believe there are some poorly thought out parts of the GDPR (around IP addresses being an identity as while that is possible, for the majority of cases, an IP address becomes an identity only after a GPDR inquiry is raised to associate it with an individual...), the majority of the regulations provides a much clearer guide to what is in-scope, who is responsible and the consequences of things not being done correctly in a way that can be applied across the EU and I believe more widely if administered appropriately.
The cases we have seen so far are either clear violations or the interesting test cases that will define whether the framework can achieve it's stated goals or whether major revisions will be required to ensure it remains workable.
Biting the hand that feeds IT
