Reminds me of PCI Compliance
I've already posted something similar on another article but wanted to reiterate this:
As per the title, this seems like the same old thing of PCI Compliance... I must have discussed it with over 100 different people and got varying views on what they think it is, what it involves, and what the (enforceable) penalties actually are.
But the bottom line was always that there isn't such a thing as "yes or no" to the question "are we compliant?". It was always a "we have a procedure for X", "we store data in Y way". Right down to... "we're trying our best". As long as you were vaguely aware of what was going on, or could refer to some procedure/material that pretended to cover it, happy days.
Totally unfit for purpose, totally unenforceable, total bollocks.
But of course, something that people can and will get dubious fines for. Something that "consultants" will make money from for giving advice - and said advice will vary depending on who you speak to. The people who came up with it will have been paid handsomely.
And the kicker? Absolutely no benefit whatsoever to the people it's aimed at protecting! Oooh there's now a double opt-in for that mailing list? There are *already* rules about having things like an "unsubscribe" link at the bottom of marketing emails (some companies don't give a fuck...because, oh yeah, nobody's enforcing it really). And clicking that, or having a second email address, wasn't exactly The Worst Thing Ever in my life. Yeah yeah it applies to more than just marketing emails. But not in a way that anyone is going to care about or see a noticeable positive difference in their lives. Feel free to give an example if you feel differently of course.
Biting the hand that feeds IT
