
There's plenty of alternatives. The main problem with GDPR is not the goal of advocating privacy but the details. I would have done it like this:

a) bring out regulation gradually instead of in a single big change like GDPR to have companies time to comply

b) don't write vague laws

c) give specific examples of what GDPR means in practice

d) be more lenient on smaller companies




a) companies had 2 years to comply. Furthermore, the guidelines of the European Commission are clear that the process should be gradual - inspect, write recommendations, small fines, bigger fines. Nothing like "20 million in June"

b) the law had to cover a lot of use cases and in order to do that concisely, it may sound vague in places. I also don't like it (developers never like uncertainty), but there's established practice already in regulators and courts about what is considered "adequate", "appropriate", etc. I agree it could've been better though.

c) that is happening already, e.g. ICO (the UK regulator) has a pretty good set of guidelines and examples. There's also the process of "prior consultation" where if you are not sure about something, you go ask your regulator for a decision

d) this is exactly what the "proportionate", "adequate", etc. are in for. If you are a small company with 2000 data records, you are not posing a high risk for the rights and freedoms of data subjects and so most of the things are not a strict requirement


a) The problem with this is that this practical guide was released on November 29, 2017. And this is unofficial. The EU should have released a practical guide two years ago in my opinion.

If the process is gradual the law should reflect that.

c) Good to hear :). Apparently it's this: https://ico.org.uk/for-organisations/guide-to-the-general-da... - I hope it's not written from the perspective of the UK legislation.

d) The law should clearly define what is required for smaller companies and what is not. There's some disagreement if this is the case in GDPR articles too.


Every country has a slightly different implementation of the directive, so I don't think the EU will have a single example to give.


However, GDPR is a regulation, not a directive. I haven't seen that countries pass their own implementation of it.


Each country-specific privacy org gets leeway around rules like legitimate interest.


a) The regulators had 2 years to write final regulations. They didn't do that either. Apparently it's too much to ask to have e.g. final guidance more than 3 months before the implementation deadline.

aa) In actuality, the ICO has made it clear that grace periods are not part of their regulation strategy. See e.g. speeches by senior regulators.

b) hahaha go spend a pile of cash on lawyers (we're at roughly $50k) who are familiar with 30-ish countries' privacy regulators. American companies are quite unlikely to have a lead regulator.

d) proportionate and adequate are words that create giant legal bills, because the GDPR naturally declines to spell out in any concrete fashion what those mean.


a) It is not a big change from the 1995 regulation. It is incremental. There is a feeling that the previous regulation lacked teeth with the multinationals, some of whom have chosen to ignore it. Facebook have lost two cases over aggregating data in Belgium and Germany in the last month.

b) I don't know if you are familiar with European law, but what you see as vague is what others see as flexibility. Laws setting out the spirit of what you are trying to achieve tend to age better than a rule based approach.

c) They did [0]. Because of b) it is not part of the regulation itself.

d) They were under the existing regulation, so why wouldn't they be now? The 'vagueness' as you put it gives a judge considerable flexibility to see if the steps taken to safeguard privacy were appropriate to your size.

edit: add reference [0]: https://ec.europa.eu/info/law/law-topic/data-protection/refo...


Well, I personally don't like laws to be vague.


> a) bring out regulation gradually instead of in a single big change like GDPR to have companies time to comply

GDPR wasn't announced yesterday. The time span between announcement and implementation date is over two years. Of course if you only start now there isn't much time left, but then that's your own fault.


GDPR was announced years ago, but this practical guide was authored a few months ago. The EU should have released an official guide two years ago.
