GDPR... instead of thinking compliance and penalties, think about the GDPR, from its' origin, and time frame of 1995-2000. Think about the topic from two points of view: (1) people rights regarding "their" data, and (2) corporate responsibilities... for managing the access and safekeeping of trust.
Our story begins.... a little over 20 years ago (1997) when I (Phil) was IBM World-Wide Assessment Officer, assigned as the lead migration officer for IBM's migration to the Internet (SNA => IP), cohort of Edward Oguejiofor (father of service-oriented architecture & computing), on IBM's Security & Privacy Committee. With the dawn of social media and the proliferation of email, IBM was already keenly aware of what would eventually emerge as the GDPR, and IBM's corporate social responsibilty in this matter.
The biggest take-away from those early experiences exploring the potential liabilities (and benefits in terms of trust and more business), gave me an invaluable viewpoint, assuming the role of a consumer rights advocate in such discussions (and when establishing policies and protocols), while at the same time helping to set the precedences for the company's CSR (corporate social responsibilities).
Respectively, I typically start discussions about the GDPR, talking about "consumer rights & corporate responsibilities", as compared to managing compliancy, as a proactive approach. Using this method, it's much easier to forwardly address a future issue, as compared to trynng to fix something after the fact.
For the last 10+ years, my son Aaron and I have been on a mission to harness the potential of market research in support of philanthropy, addressing the conerns of security & privacy by just making all market research anonymous but invaluable by using psychometric and socio-geo-demographic tags, that funds people's favorite 501(c)3 and fuels medical & market research. Of course, that is easier said than done, and respectively, this is our third generation of this model for anonymous data.
We look forward to working with you to mitigate your potential GDPR liability and/or to allow you to leverage the potential to work with AnonymityInc.net™.