As much as I want to comply with GDPR, I find its articles difficult to understand, like many other legal documents.
https://gdpr-info.eu/
As an engineer, I find it very difficult to translate from the regulation text to code, to an actual implementation.
Taking the following statement as an example:
https://gdpr-info.eu/art-5-gdpr/
>>>
(Personal data shall be) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
===
"In a manner". In what manner?
What are "appropriate security" and "appropriate technical measures"? How should they be interpreted? There seems to be a lot of flexibility.
Every website has some security measures that protect data to a certain degree. How do I know if that's "appropriate" or enough to meet GDPR?
Do I need symmetric encryption? Or do I need asymmetric encryption? Which kind of cryptographic hash is considered "appropriate"? What if I use a database that has security flaws, but I don't know about them or don't have the technical expertise to find them? What if encryption on my backend causes a performance penalty? What if I run a hosted, non-profit BBS based on some open source BBS program that might be insecure? Should I patch the server with OS Update JKB8948, which is known to fix a security hole but opens another? Is that an "appropriate measure"?
I find this regulation puts too much burden on small businesses. Just understanding this GDPR text may require consulting costs. What if this law is abused as a tactic to attack business competitors? I'm worried.
How do you understand the "security appropriateness" in the text above? How can you be sure your understanding is correct?
Look at any profession -- accounting for instance -- and they have all sorts of stuff like this. As an example, there's a concept in accounting of "materiality" - basically, something that's big enough to matter. Materiality is what lets Fortune 500 companies present their financial statements rounded to the nearest thousand dollars. When you're talking about tens/hundreds of millions, individual dollars just don't matter.
Whether or not something is "material" is a matter of professional judgment, to be made in the context of a large body of professional knowledge, history, prevailing industry standards, economic/cost considerations, etc, basically that thing called "experience" that we so often toss under the bus in SV.
Perhaps the biggest difference between law and code, which are in many ways quite similar, is that law is highly reliant on context. For a court to determine whether "appropriate security" and "appropriate technical measures" were followed, it would solicit testimony from experts in the field (people like us) to determine whether they felt someone took "appropriate security". So ultimately it's a matter of opinion, but one made with context and expertise.
It works surprisingly well.
EDIT: For really complicated stuff, implementation is often delegated to an agency, such as the FCC, to create specific guidelines like you want. But this is the job of executive action, which is easy to change, not statute (on-the-books laws), which is much harder to modify once passed.