
> Scummy companies took the path filled with the darkest of patterns because they want to suck up as much data as they can to sell to 3rd parties.

I take exception to that. I have worked for many companies that are not in the least bit "scummy" and have popups. Even our government sites here in Norway have the popups [1]. All this points to is again that the regulation is bad.

And again, because of the lack of certification, it's not possible to claim that GitHub is compliant. All you can say is that a court has not found them non-compliant yet. That is not the same as being compliant.

[1]: https://i.imgur.com/0csPRqT.png



I'm not sure what you're looking for, given how the rest of compliance works? What is the compromise?

I suspect people would hate it even more if every company needed to go through an official gov GDPR certification. In the US, SOC2, and EU, ISO, are voluntary (not gov), and generally don't happen till most companies hit 8 figure revenue (and earlier in enterprise).

What I would expect to start happening is, similar to FedRAMP or UK's CHECK, govs will accredit third-party firms for auditing. Companies can - and typically do - already use these without gov's blessing for SOC2, ISO, yes, GDPR. Certification by a 3PAO is not indemnity, just a good faith positioning for when the enforcement agency gets a complaint and audits on related topics. (And in the case of inept management who doesn't cheap out, a wakeup.)

In areas like bank regulations, the gov is even more high-touch, and I really wouldn't wish that on the 400M businesses out there.


> I'm not sure what you're looking for

Regulation that is clear, in the sense that people can know whether they are complying with it or not and know how to become compliant with it. I explained the problems with GDPR at length now, I think it's pretty clear I don't want the problems.

I also want the national agencies to do what their job is — not their job according to me, their job according to the EU, which is defining certification that is acceptable to them. What about my expectations are unclear?

> In the US, SOC2, and EU, ISO, are voluntary

How are these relevant here? How do these being voluntary make GDPR less of a dumpster fire? GDPR is not voluntary, in case that was unclear to you at this point.

So okay, other things — not the GDPR — are not dumpster fires, and how GDPR would not be a dumpster fire if it was different. Agreed. I did not say anything about SOC2 and ISO, and I did not say GDPR would not be a dumpster fire if it was different. My concern with GDPR is not its acronym.

But the EU won't fix it, they never fix anything — they have no incentive to fix it, in fact, Eurocrats are incentivized to not fix it. They just keep smearing more crap on the crap sandwich.

