Hacker News

Since you want everyone to be fined, why not start with YCombinator? You can ask them for a list of all of their PII removal requests and to see proof that it was all removed.

I’m sure that’ll go over well.

Then maybe you can submit an Ask HN to see how many startups will self-report to you.

There are over 26M small businesses in the EU. You’d better get started...

By the way, GDPR isn’t just about misuse of PII, it’s about use of PII after it’s been asked to have been removed; and most sites use email addresses as usernames which are PII, so that’s all over the application logs, comments, etc. and when people submit a PII removal request, you can’t share or store the PII in the request itself, so better not use Slack, email, etc. and accidentally refer to the PII to be removed. If you do and need to follow up again with clean-up, don’t refer to it then either, or you could get stuck in an endless loop of PII removal. Also, how do you know you removed the PII of the user who didn’t specify all of it in the removal request? You ask them for it, but does that allow the PII they sent at that point to be kept? I don’t know! You know why? Because it’s not fucking defined in the law clearly enough. What if they requested removal of data that wasn’t their PII?


