Not changing policy means escalating fines (those 4% of global revenue maximum are nothing to sneeze at, and so far compliance was the cheaper route) but also, at some point, the inability to operate in the EU.

Even if a company only does the bare minimum required under GDPR, total deletion of data on request is part of that.

But these more severe measures are either 5-10 years away, or never going to happen at all (the latter part is my assumption, not claiming it as a fact).

IMO the corporate board of directors will coast on the situation for as long as possible and only then will we see some changes, don't you agree?

> IMO the corporate board of directors will coast on the situation for as long as possible and only then will we see some changes, don't you agree?

There are a few cases already with fines around 2.8% of revenue, and those fines don't mean the DPA will go away. The expectation is that these fines are paid _and_ the reason for the fine is resolved.

Turnover in the 2.8% case (Taxa 4x35 in Denmark) was from Fall 2018 (start of investigation) to March 2019 (when the DPA reported the incident to the police and "recommended" that fine). Sadly the only follow-ups on the case that I could find are behind paywalls (so I can't read them), but apparently the DPA isn't done with them yet.

It's all a matter of exercising pressure, and it seems that the authorities are willing to do that.