It’s cute that you think the GDPR actually protects you and companies don’t keep your data rather than simply preventing you from seeing it, just like Reddit tried to do poorly.
It’s the best we’ve got ¯\_(ツ)_/¯
I know the companies I worked for - took it seriously.
The company I work for also takes it seriously.
The fun part is that our national privacy law beforehand wasn’t even that different. The most significant change that the GDPR brought is that the maximum fine went up from 300,000€ to now 20 million € or 4% of annual turnover.
And yeah, that change made all the difference.
Now it’s a simple business decision to (mostly) comply with the GDPR, because there is a calculable risk+damages, which are higher than the cost for implementing the bare minimum in protections. They’re also definitely higher than the potential revenue you could pull out of a single customer’s data.
I’ve seen some GDPR code. The easiest thing to do is delete anything associated with a deleted user after N days. Adding a condition on the country they told you they’re from without actual KYC is asking for trouble.
Sure, aggregate anonymized data sticks around. Maybe the anonymization isn’t built right, but it isn’t literally your DNA data unless they really fucked up GDPR compliance.
I will caveat that a sufficiently motivated company might put in the hours to use at least billing info or shipping address. https://customercare.23andme.com/hc/en-us/articles/360004944654-What-s-In-Your-Account-Settings
They actually talk about opting you out of Research and discarding the sample (on the linked privacy page). The word delete isn’t explicitly used about the DNA data 🤔.