Except that, as you say, even if you're amazing and no one has a bad word to say about you, then if you are audited you could be tripped up by any one of a number of things.
You may be taking steps to protect things, but this new legislation potentially puts stricter rules in place, which, if you have a long-running software product, costs you a lot of money if you want to escape fines.
A lot of thought may have gone into it, but have they actually tried to apply it to a real piece of software to see what that means? All these abstract terms they use require interpretation and could easily be interpreted in multiple ways when it comes to different components of a piece of software.
Isn't it also the case that someone could request that you remove all data about them, irrespective of whether they like what you're doing or not? And thus if you're found not to have complied with some governing body's interpretation of this then again - fined. Plus there are all sorts of grey areas. For example:
- Customer gives you data, gives consent
- You use it in ways agreed, that could involve a third party.
- Customer asks you to remove data you store on them.
- You remove all data.
- Third party contacts them - customer complains, blames you because X(you)-is-the-only-organisation-I-shared-that-with. You then get slapped with a fine because you can't prove that it wasn't you.
Regarding the regulation having taken a long time to formulate and 27 member countries agreeing - well, what is the point here? This is governments we're talking about; of course it took a long time. But how many of those countries agreed after consulting with software development experts? Not many, if any, I'd wager - thus they agreed to something without much thought for what the reality of implementing it would mean; it just looks good on paper.