From the Sweedish Internetdagarna conference in 2019. I would highly recommend listening to the whole talk, the first half is a talk by Max Schrems covering many thought-provoking issues around privacy and the second half is a Question and Answer session with Max on his views of data privacy and how we approach data privacy. Well worth a listen to.
An interesting thing he brought up that I will paraphrase for my own discussions on the topic was around the concent, and how we handle in comparision to other areas of compliance.
“Did you do a survey of the auditorium you are sitting in? Did you check the foundations? If this building collapsed and you were injured, would it be your fault for not checking these things and consenting by sitting in your chair?”
because that is how we handle privacy, we produce a very long document, and give one option, agree or go away. They expect you to fully read and understand all the legalese and accept what that the company is going to do with your data, not have an expectation that the company is going to be responsible and design their systems to respect your privacy (privacy by design), only taking the minimum needed to for their specific purpose, limiting the transfer of data within an organization, and limiting access to the necessary data.
An analyst may need to know if you identify as male or female, and what age you are, and what you clicked on, but they don’t need your name, so the system should be designed to limit data to the minimum required for the specific purpose that the data subject has consented to.