(And please, ask questions. Any time. My DMs are open.)
Compliance effectively relies on turning potential problems into checklists with minimally-ambiguous questions. But if you don’t know what a good answer looks like, you have a problem.
If something is hard but we can at least clearly recognize correct solutions, we can write some kind of checklist for it.
"Poorly understood" is where much of privacy is.
For example, Google spent a lot of time and money on GDPR. A lot. I personally spent hundreds of hours and I’m not cheap.
Lack of expertise means a lot of companies didn't know how to approach privacy regulation except as a paperwork exercise.
There is often not just one right answer because there is not just one human need. Good rule of thumb: if someone offers you a one-size-fits-all answer in privacy, it’s probably wrong somewhere.
Right now, people in industry don’t talk about near-misses, let alone vulnerabilities, let alone incidents, because they’re terrified of being sued.