>> crap like GDPR (which makes basically all normal interaction cumbersome)
GDPR does make a lot of things cumbersome, not only if you are doing "bad" things.
Remember that GDPR covers information gathered and stored on paper as well. And it covers not only companies but also organisations, like children's soccer clubs.
So let's say you have a printed list where kids and their parents sign up with name and phone numbers, you should probably have a data integrity policy and someone akin to a DPO. In your small non-profit soccer club!
(My problem with GDPR is that it doesn't really, at least so far, hinder the worst trackers, but incurs large costs all across society, even where handling personal data isn't really a problem)
> So let's say you have a printed list where kids and their parents sign up with name and phone numbers, you should probably have a data integrity policy and someone akin to a DPO. In your small non-profit soccer club!
Yes! You should!
This is the same as if your small, non-profit club deals with dangerous chemicals - it needs to make sure that the appropriate risk assessments are done, and safety information is available to users. Or any club dealing with children - it may need to make sure that the people have an appropriate background check.
Likewise, holding personal data is a risk to the people whose data is held. If you want to hold on to that data, your responsibility should include making sure that it is stored and used safely. If you don’t want to pay that cost, then stop holding it.
Your view is of course fully valid, and probably the view reflected in the GDPR legislation.
To use your metaphor of chemicals:
I see the current situation as if the soccer club is handling a 1L container of consumer-grade vinegar weedkiller, and is required to do pretty cumbersome things to document their use and keep it "safe". Many of them have consulted some firm or expert to get boiler-plate documentation, because even if fines are unlikely they are anxious about them.
At the same time, we have enormous commercial actors that handle millions of liters of radioactive wastewater in rusty containers. These companies have, for sure, spent a lot of money on "compliance". Some small improvements have surely been made, but the fundamental business practice among these actors of handling radioactive wastewater has not changed. Some "large" fines have been given, but they barely make a dent in the enormous profitability of handling these toxic things.
At least not yet, 3 years in. Maybe it will change in the future, and the big actors will fundamentally change their behaviour.
If that happens, I can agree that the weedkiller documentation is worth the cost, but so far I'm sceptical.
(Since this is an Apple thread, I think it's interesting to compare the _real_ privacy gain of GDPR as a whole, vs Apple's simple tracking-popup)
> I see the current situation as if the soccer club is handling a 1L container of consumer-grade vinegar weedkiller
What if one of the kids' parents is on a protection program? What if two years later you find you have the contact details of a famous star/politician/CEO? What if one of the people on your lists gets in a controversy and you happen to have certain proof of events? And so on.
I'm trying to argue how apparently innocent data might very well be highly sensitive instead, but that without a proper framework to assess that, you never know.
> GDPR does make a lot of things cumbersome, not only if you are doing "bad" things.
That's a far cry from "they make these cookie banners necessary". Tracking people without consent on first visit is what makes them necessary. The anger is consistently misdirected at the people who violate the boundaries of others, not the law that requires consent for it.
> So let's say you have a printed list where kids and their parents sign up with name and phone numbers, you should probably have a data integrity policy and someone akin to a DPO. In your small non-profit soccer club!
"We'll ask them if it's okay to store it, and once they leave the club we delete their contact information after N months." Now you have a policy. The person who does everything else, the person who is already secretary, receptionist, accountant, project manager, janitor, coach, counselor, CEO, is now also the DPO.
Human rights being trampled on with an ever-increasing mesh of surveillance by big agencies and corporations as well as little informants are such gross violations, such a terrible trajectory we put society on, that mere complication and discomfort is not something that can ever trump them in my book. I would even say if you can't put food on the table without ignoring the human rights of others, just don't put food on the table -- because that's the negotiable part, while the preservation of human rights is not. We need human rights, we don't need ad-hoc low-effort soccer clubs. Like, at all. Just get a ball and some friends in that case.