What about if you need to report any payouts made to an individual as required by a tax authority? How are you also supposed to delete all their information and be in compliance with tax law? You can't say, "I paid <ANONYMOUS> 12,152.00" in 2018.

Edit:

Ok, looks like there is a clause for these scenarios:

"However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for COMPLIANCE WITH A LEGAL OBLIGATION, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims."

Then there's:

"It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller."

And, in terms of technical burden at least it seems like they try to alleviate it somewhat...

"The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible"

It’s only a strawman if you assume that everybody knows the right way to do everything. There was nobody around when I did my start up to tell me how to do all of this stuff.

The entire point of GDPR is that it creates a set of requirements, and allows you to make decisions in your professional judgement to fill those requirements. This is no different to how management in any software company will present business requirements for the software you are to make, and request that you decide the technical implementation. That's your job if you're a developer.

As long as you're confident enough in your PII solution to be willing to present it in front of other software developers who have been called as expert witnesses and declare that it meets the GDPR requirements, you can pick any "right way" you like to meet those requirements.

If you think it's an unreasonable burden to have to make PII handling solutions that are robust enough that you can honestly defend them in court if challenged, maybe you shouldn't be handling PII. Like, at all.

I’m not confident in anything I’ve written ever to have it picked apart by a team of expert witness programmers. Maybe that means I have no business working at a startup. Maybe we should think about the implications of that.

>I’m not confident in anything I’ve written ever to have it picked apart by a team of expert witness programmers.

Then you shouldn't be handling PII, any more than you should be handling credit card details, genetic information or military intelligence.

>Maybe that means I have no business working at a startup. Maybe we should think about the implications of that.

The EU has, and has decided that having seen the alternative, it would rather just not have the startups. I think that's a reasonable position to take.

> Maybe we should think about the implications of that.

A good thing because it means startups stop playing fast and loose with my data. These are just growing pains. In a few years, enough stuff will be written online about best practices to stay GDPR compliant. The new guys can follow that.