I don't know about you, but I have learned a great deal!
I've mostly learned that Eurocrats can't actually write useful regulation. Blah blah blah human rights blah blah reasonable measures. Next chapter. Blah blah envisage blah blah reasonable measures. Blah blah blah inter-government communications protocols blah blah codes of conduct.
What's a reasonable measure? How do I know if I'm compliant? How do I know if a vendor is compliant?
GDPR is a wonderful, incredible, essential document for laying out human rights for the digital world. It's also terrible and incomprehensible regulation.
Can you think of any good technical regulations that do lay out requirements & obligations in a useful manner without being massively outdated, trivially bypassable, or some sort of hugely onerous 'one size swamps all'?
I mostly agree that the lack of concrete measures makes it horrible from a compliance view, but I'm not sure you can have both things, especially in a relatively immature area of law.
Did they ask for explicit permission to use your data? Do they provide the service if you only provide the data they actually need, rather than asking for a swathe of PII so they can sell it on? Do they provide info on how your data is stored, and who has access to it? Do they provide a way for you to view and/or delete all the PII they have on you?
You're right! Those are all critically important questions to ask! It's just possible that they might not be completely exhaustive, though.
Do they take reasonable measures to detect and inform me of a breach? Do they take reasonable measures to ensure it's me requesting data being deleted? Can they provide the same data about all Data Processors they make use of?
It's possible that these might not be easily and readily answered in every single potential case one might encounter when dealing with specialist vendors.
You're completely right to spell out those questions. It's just possible that there may be more to GDPR compliance - and certainty - than that in some cases.