In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
There is nothing - and I do mean nothing - written into the GDPR that requires any warnings of any kind, or places any limits on fines, except for $10/$20 million or 4% of revenue, whichever is greater. Period. A multimillion-dollar fine without warning for a first, minor violation is perfectly lawful under GDPR. The idea that "yes it says that but we can trust EU regulators to not assess large fines against foreign companies, even though they would benefit handsomely from them" rings hollow to me.
> I don't really see what's special about this law
The key change is the fairly explicit punishments and apparent intent to hand them out for non-compliance. A lot of older regulations get considered by companies but the issues relegated, officially or otherwise, to "yeah, we'll apologise and fix that when someone notices" which might not be a good way to manage the risk management after next Friday.
> ... might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
Exactly. A lot of the unhelpful hysteria is being drummed up by consulting companies trying to sell their services to help others assess and/or manage their GDPR compliance: they are stoking the fears to improve sales.
The rest is coming from people who don't want to lose control of some of what they consider to be _their_ data. From a business perspective this is usually "I've collected it or paid for it, I should be able to keep it / sell it / use it, this is unfair, wa waa waaaaaa" and from a technical perspective many of us data people have flinch reactions to any idea of hard-delete or un-rollback-able update operations (they are not really impossible to roll back of course, anyone sensible is building considerations for backup retention policies into their procedures, but rolling back is less likely to be simple and can only be done during that retention window).
The amount of discretion and lack of clarity in the penalties is part of the problem. It opens you up to risk based on the whims of politics and the regulators and increases uncertainty. Laws should be clear, limited, and understandable - this is not.
That Varonis link gets posted quite a bit, but it drastically oversimplifies things and even tries to poke fun at some aspects of the legislation. The ICO site is a much better read for this.
I am concerned that the effect of this legislation on the private individual is the opposite of the stated intention.
People are being forced to sign agreements which jeopardise the natural rights to their data which they would otherwise have.
One example: a friend who has a very pretty daughter was asked by her school to give them the right to film her and to use any and all such recordings as they see fit for 50 years even after she leaves the school.
This feels very wrong on just about all the conceivable levels.
> I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data
We are still waiting for the first court battles that will help determine how GDPR is actually enforced in practice. Until then being in compliance with GDPR is gonna be like herding invisible cats, and it's likely well-intentioned people will get burned and OP ends up with major egg on his face within a year's time. I want to drink the EU koolaid as much as the next person, but that's just naive.
Reminder: you have to legally comply with every letter of the GDPR, not just the TLDR version. Saying "but we implemented the TLDR version" is not a legal defence.
I remember back in the day there was no such concept on the internet. Your identity didn't translate to anything in the real world. At some point people started to treat it as 'real world but on the computer' instead of thinking about it in a totally radically new way about 'self'/'identity' etc. People thought of their internet profiles as their own self.
The Internet age was killed even before it started. The endless promise of the internet to free human beings was thwarted by paranoia, censorship, laws etc.
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that that data cannot be handled so liberally as it has been before. Of course that's annoying from a business perspective, but from an individual's privacy perspective, it's fantastic.
It's not that it's annoying, it's that I literally cannot answer "are we GDPR compliant?". If you search for GDPR IP address, you get a ton of different opinions. Do I need to sanitize logs? How does that fit in with the requirements for security compliance we are also subject to?
At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".
And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".
I think it gets "hate" from people who don't have much data but they still have to implement all the requirements, which go beyond their own data storage. Ad-supported websites are probably the most common case here, even if the sites don't store any data themselves.
I rather think it gets a lot of hate because it leaves a lot to the discretion of the regulators. Overall, the SMEs I talk to don't have a problem with regulating data (most think it will pop the gangrenous ad-tech bubble). It's the lack of predictability that bothers them.
Hate? Try to think of it from a business in the US perspective that wants to know why they have to (for lack of a better way to put it) bogu to an entity that does not represent them in any way. And the fact that you might sell something or service customers in Europe does not mean you should have to answer to any rules that they set up either. Should the town that I live in and operate a web site out of be able to have rules in place and then go after citizens in the EU for not abiding by them?
And actually it's one step further since many of the procedures and rules are being taken broadly and universally even against entities (businesses and US persons) that aren't even covered by the GDPR.
And no it's not like 'oh if you want to sell a car in Europe you need to certify this and that' that is not the same thing. Why? Well for one thing the golden rule. If you want that car allowed through the port you need to do what they tell you to do or they have a right to not allow it on their land. In this case their citizens are utilizing US websites and therefore it's on them to determine if they feel the service or product they are getting is fit.
I am referring to US businesses that don't have an office or physical presence in Europe. To those that do the 'golden rule' applies.
Here in UK I have been receiving about 5-10 emails a day from various companies - most of whom I don't remember - telling me I need to sign up again so they can keep my details and keep spamming me.
Same here, finally recruitment agencies will unsubscribe me from jobs offers that I'm totally not interested in. I used to get a few emails per week asking me if I'm interested for relocation and work in [insert programming language I have no experience in]. I asked them many times to stop emailing me this crap, they never did until this week :)
I bought something on Ebay and the Ebay seller has been spamming me with offers ever since. I didn't sign up to any newsletter. I was not aware that such thing would even be possible with Ebay.
Now they sent me a message telling me that I should sign up again on their website to continue getting their messages. No thanks.
Yes same for me, and I think it's a great thing because my information leakage risk will shrink significantly in the next weeks due to companies deleting data they have from me that they should've deleted long ago in many cases.
I got a mail from a sports club I'm pretty sure I've never visited asking me to please reply to remain subscribed. That was weird, wonder if I visited their stadium once for a concert or if someone just mistyped their mail.
I have a lot of companies emailing me saying I can opt-out, I thought that was the opposite of what the law is saying?
E.g. "If you continue using our service after the 23rd of May you automatically agree to the new terms." Huh?
I'm also deluged with them. And have to go looking for half of them in the Spam folder. Deep joy.
The reason being that in the past I've picked up some really nice contracts from recruitment agencies phoning or emailing me out of the blue, so I want to remain contactable.
So, yeah. Great. Thanks for the massive proxy unsubscribe request.
Constantly trying to whitewash over the fact that GDPR is a huge pain in the ass and will involve a lot of work for a lot of companies is what I don't understand, but Mr. Mattheij has been doing it for months, so that's evidently very important to him for some reason.
It's chewed up a few weeks of active development time putting in features for purging and exporting anything that looks like it might be personal information, plus a considerable magnitude more hemming and hawing and trying to figure out if, how and to what extent the regulations apply to us, and how the customers that we sell our products to interpret the regulations and what features they require for their interpretation of compliance. It's a big headache, especially where we are also dealing in industries that have conflicting data retention requirements.
If we didn't have EU-based customers with sufficient sales to justify the effort, there are a thousand and one other things that we could have better spent that time and energy on.
One might argue that your company doing the "custodial" data work over the past few weeks and building in the mechanisms in order to handle that data in a more nuanced way is something that should have been done beforehand, and that the fact that you had to take time out to look at it means the law is doing exactly what its drafters wanted it to do.
Of course there are 1001 things YOU deem more important. All that says to me is that your interests and priorities are not aligned with how people in the EU want their data handled.
The WHOLE POINT of GDPR is that many companies have continually pushed PII data handling down their list of priorities. As a result, the EU has decided to step in and use a law to bring it back up the list.
I don't think he whitewashes that it's a burden. But he does try to address some of the panic and hysteria.
I care about privacy. Perhaps Mattheij does as well, and that's why this is important to him. If you agree with the spirit of the legislation, then I think you should also consider this a great opportunity to do the right thing, instead of a hassle.
Oh man, the rest of us are so sorry that you are now required to responsibly handle personal information.
To quote the author:
> Then automate it. If you could automate the collection of the data in the first place then you definitely can automate the rest of the life cycle. There is no technical hurdle companies won’t jump through if it gets them juicy bits of data but as soon as the data needs to be removed we’re suddenly back in the stone age and some artisan with a chisel and hammer will have to jump into action to delete the records and this will take decades for even a small website. Such arguments are not made in good faith and in general make the person making them look pretty silly after all nobody ever complained about collecting data, in fact there are whole armies of programmers working hard to scrape data from public websites which is a lot more work than properly dealing with the life cycle of that data after it has been collected. So yes, it is a burden, no, the burden isn’t huge unless you expressly make it so but that’s your problem.
There's certainly no need to panic. The article doesn't address that apart from mindless hysteria there are some very real issues with GDPR. It doesn't have to of course because as the title suggests it's more about dispelling panic than about giving concrete advice.
However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:
- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically we might very well see GDPR actually benefiting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.
- How exactly does a privacy policy have to be worded so I don't get sued on day 1?
- In which way will I still be able to store address data for contacting my existing customers?
- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.
- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?
This doesn't consider some factors that dictate how strongly any company will experience their firehose of GDPR requests:
- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile, curious they are)
- how easy it is for them to make requests (entirely manual vs. online service)
- wildcard factors (internet flash mobs bent on vengeance against a corporate)
There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.
For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request in to the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.
Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
I was hoping for a nice respite to the anti-GDPR stuff we've seen recently, but this is just naked propaganda. In particular, the sentence:
"the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers ..."
The author seems to have the idea that bureaucratic EU systems are inherently "good" and that even if things look bad on paper, it will be fine because they are "good" people. This is not how the legal system or legal compliance works.
I'm an attorney who's spent the last year or so working on GDPR compliance for a US SaaS provider some of whose clients have EU employees. My understanding is that it's true that EU enforcement is more in the spirit of "how can we get you compliant?" before doling out fines (vs. the US where it can be more "let's make an example of this company by hitting them with a big fine" and scaring others into compliance). I also agree that the authorities aren't going to be handing out 7 figure fines like candy, both because it's not their historical approach and because they don't have the resources to fight too many of those battles. I want to say I read that the Irish authority's annual budget is around $9M. Theirs is higher than most and Ireland is where most of the US tech giants are established due to tax laws. That said, I think to say that GDPR compliance is simple because its text is fairly readable or that EU data protection law is simply a matter of transparently respecting people's personal data and not being a bad actor as to privacy is an overstatement. For example, the ePrivacy Directive, most known for prompting all those cookie consent banners, can be incredibly complex to comply with. Each member state has implemented that Directive in different ways. Look at this example https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-... where Honda sent out emails to its 350k database simply trying to confirm continued interest in being on their list and got a 13k euro fine for their troubles. I don't know all the facts, but from the document, it doesn't appear that Honda got the fine because they were recalcitrant or being terrible actors. And if the fine is proportionate to the offense (not to the size of the violator), then 13k euro might be levied against a small company for whom it is a significant penalty (not to mention costs, legal fees, etc. in dealing with it).
It's like if a new law were introduced requiring a license in order to ride a bike, to make sure people don't hit pedestrians or bike dangerously in the road. The license is free, it just takes a weekend to go take a written test and demonstrate that you can safely ride a bike. Some people who would pass but can't be bothered to give up a weekend would instead choose to just stop biking. It's an unavoidable consequence of introducing a friction where there wasn't one, and there's no way to carefully target or wordsmith the requirement so that this doesn't happen.
I think people miss that there is a very large qualitative difference between "no law" and "law". Even a very carefully targeted law will still have the effect, on the margin, of preventing or stopping compliant activities. But in the case of something like privacy, or control of data about you, maybe that's worth it in order to stop the noncompliant activities.
On a non-hypothetical topic: does anyone have a good resource on the requirements with regard to backups? That's one of the larger technical sticking points for me - do we have to delete from our backups as well on such a request?
Because the reverse also holds: if we remove the need for driver's licenses for cars, more people will be able to drive.
The fallacy is IMO that many people always consider the status quo ante as the perfect balance. Because we have gotten used to driver's licenses.
So the argument that new regulation stifles some non-harmful behaviour is a truism, but doesn't really contribute anything, unless it comes with numbers.
It's not like that at all; some of us are small business owners who don't have to take any action, because we already were not mishandling PII and already had a PII-handling section in our data-handling policy.
Clearly an emotional topic. The fact remains, GDPR is a well-meaning but fuzzy law, with implications that cannot be foreseen at this point in time.
To remove some of the uncertainty and automate some of the compliance steps, we built a data discovery AI tech that scans corporate data to answer:
* "Do we even store personal information?"
* "Where do we keep it?"
* "How do we make sure PII is consistently stored only in the designated places?"
This may seem trivial to a micro-business that runs on a handful of database tables, which I think is where the author is coming from. But for larger companies, even understanding what's where and why (backups? emails? cloud storages?) is a highly non-trivial—if ultimately rewarding—endeavour.
> The GDPR will require me to hire people and my entity is too small to be able to afford this
Q: Does my business need to appoint a Data Protection Officer (DPO)?
A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
> • The GDPR will enable anybody to be able to sue me, even from abroad
> The GDPR does not have this effect, but you may be interested to know that anybody can sue you or your business for whatever reason strikes their fancy. This is a direct consequence of doing business and has nothing to do with a particular law. What the GDPR allows private individuals to do is to contact their regulators and to complain if you decide to ignore their requests.
That's not exactly correct. Art. 79 of the GDPR allows people to sue directly for violations of GDPR although it's very non-specific.
This article actually points out my philosophical problem with GDPR. In one point he says you have to be compliant if you want to do business in the EU. In another he observed that it is difficult (maybe impossible) to block EU folks from coming to a web presence. It’s the expansive reach that bugs me.
I’ll note that for real businesses this is just a thought exercise, but it’s one I keep coming back to. What if some less reasonable entity attempted to regulate in this way?
> I was actually surprised by how easy it is to read it
there's a whole two hundred post debate around here whether ip are or aren't pii on their own, with the vast majority holding the wrong position.
there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). you also need a privacy policy if you are receiving phone calls. did you know that?
there's a whole bunch of implications on how liable you are about holding unwanted personal information, including unwanted medical personal information i.e. "hi I saw your gazebo renting service, I'm organizing an event but I am unable to walk due to a permanent disability and require that a ramp is present to access your gazebo, is that so?"
there is a huge surface area for uncertainty, up and including 'best practices' that are a constantly shifting target.
edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. that's why it's an issue, even without considering the address book, which is another issue by itself.
Bottom line, DON'T store/sell/mangle with personal data of your users unless you are able to fulfill this. I was thinking a bit about having an online store:
- make login as it is on Hacker News, you don't need email
- once the user has selected and paid for the goods, request sending address and contact (phone/email/whatever)
- ship it, print the requested / store into cold store (it is not that hard, you do it for bitcoins, right?), delete everything except username and password (and maybe the attached goods) from server
The described process will pass the GDPR Nightmare Letter in 10 minutes (to write a general reply) that you sent to everyone requesting.
This is what traditional "physical" stores do, not the large chains, the traditional, one employee, family store. And it works.
For everything else require consent, including tracking, but think very hard if you need anything else as it will complicate your business progressively.
I really don't understand all the fuss about the GDPR, if you explain (and prove) this to ICO, I would really like to see who will punish you for that.
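The checkout-then-purge flow the comment above describes, as an added illustration (example code written for this page, not from the thread or any project): accounts hold only a username and password hash, shipping details exist on the live system only between payment and dispatch, and the subject access reply is generated from what the live store still holds. The `cold_store` list is a hypothetical stand-in for the commenter's printed/offline archive.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

REQUIRED_SHIPPING_KEYS = ("name", "address", "contact")  # collected only at checkout


@dataclass
class Order:
    order_id: str
    items: list[str]
    shipping: dict[str, str] | None = None   # populated only between payment and dispatch
    status: str = "placed"                    # placed -> paid -> shipped


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    tracking_consent: bool = False            # separate, explicit opt-in for tracking
    orders: dict[str, Order] = field(default_factory=dict)


class Shop:
    """Live store: holds username, password hash and, briefly, shipping details."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Hypothetical stand-in for the commenter's 'cold store': records that
        # leave the live system at dispatch (printed, or archived offline).
        self.cold_store: list[dict] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username: str, password: str) -> None:
        if username in self.accounts:
            raise ValueError("username taken")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))

    def place_order(self, username: str, items: list[str]) -> str:
        order_id = secrets.token_hex(8)
        self.accounts[username].orders[order_id] = Order(order_id, list(items))
        return order_id

    def pay(self, username: str, order_id: str, shipping: dict[str, str]) -> None:
        missing = [k for k in REQUIRED_SHIPPING_KEYS if not shipping.get(k)]
        if missing:
            raise ValueError(f"missing shipping fields: {missing}")
        order = self.accounts[username].orders[order_id]
        # keep only the fields needed to deliver; anything extra is never stored
        order.shipping = {k: shipping[k] for k in REQUIRED_SHIPPING_KEYS}
        order.status = "paid"

    def ship(self, username: str, order_id: str) -> None:
        order = self.accounts[username].orders[order_id]
        if order.status != "paid":
            raise ValueError("order not paid")
        self.cold_store.append({"order_id": order_id, "shipping": order.shipping})
        order.shipping = None            # PII leaves the live system at dispatch
        order.status = "shipped"

    def subject_access_report(self, username: str) -> dict:
        """Everything the live system still holds: the reply to an access request."""
        acct = self.accounts[username]
        return {
            "username": acct.username,
            "tracking_consent": acct.tracking_consent,
            "orders": [
                {"order_id": o.order_id, "items": o.items, "status": o.status,
                 "shipping_held": o.shipping is not None}
                for o in acct.orders.values()
            ],
        }

    def erase(self, username: str) -> None:
        """Erasure request: the live system simply forgets the account."""
        self.accounts.pop(username, None)
```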
My (EU) clients fall into two camps. Those who haven't had to do a single thing to be GDPR compliant because they were already following the various data protection and privacy laws, and the ones panicking.
The latter group say things like "this is ridiculous, they're making us change so much" but never have an answer to the fact that they're already violating PECR or the Data Protection Act.
Whatever one thinks about the subject matter, the writing in this piece is awful. You can get the substance of what the writer is saying by skipping 90% of the content. Moreover, the tone is talking down at the audience - unless that audience is already excited about GDPR. This comes across as not being interested in convincing anyone but in cheerleading their position.
So many people are pro-privacy until it affects their bottom line.
[+] [-] gist|7 years ago|reply
Hate? Try to think of it from a business in the US perspective that wants to know why they have to (for lack of a better way to put it) bogu to an entity that does not represent them in any way. And the fact that you might sell something or service customers in Europe does not mean you should have to answer to any rules that they setup either. Should the town that I live in and operate a web site out of be able to have rules in place and then go after citizens in the EU for not abiding by them?
And actually it's one step further since many of the procedures and rules are being taken broadly and universally even against entities (businesses and us persons) that aren't even covered by the GDPR.
And no it's not like 'oh if you want to sell a car in Europe you need to certify this and that' that is not the same thing. Why? Well for one thing the golden rule. If you want that car allowed through the port you need to do what they tell you to do or they have a right to not allow it on their land. In this case their citizens are utilizing US websites and therefore it's on them to determine if they feel the service or product they are getting is fit.
I am referring to US businesses that don't have an office or physical presence in Europe. To those that do the 'golden rule' applies.
[+] [-] hartator|7 years ago|reply
[+] [-] Malarkey73|7 years ago|reply
Fantastic.
[+] [-] akerro|7 years ago|reply
[+] [-] vidarh|7 years ago|reply
[+] [-] Hamuko|7 years ago|reply
Now they sent me a message telling me that I should sign up again on their website to continue getting their messages. No thanks.
Cakez0r|7 years ago
ThePhysicist|7 years ago
SiempreViernes|7 years ago
SomeGermanGuy|7 years ago
Super basic stuff.
brynjolf|7 years ago
timrichard|7 years ago
The reason being that in the past I've picked up some really nice contracts from recruitment agencies phoning or emailing me out of the blue, so I want to remain contactable.
So, yeah. Great. Thanks for the massive proxy unsubscribe request.
unknown|7 years ago
[deleted]
megaman22|7 years ago
It's chewed up a few weeks of active development time putting in features for purging and exporting anything that looks like it might be personal information, plus a considerable magnitude more hemming and hawing and trying to figure out if, how and to what extent the regulations apply to us, and how the customers that we sell our products interpret the regulations and what features they require for their interpretation of compliance. It's a big headache, especially where we are also dealing in industries that have conflicting data retention requirements.
If we didn't have EU-based customers with sufficient sales to justify the effort, there are a thousand and one other things that we could have better spent that time and energy on.
nhf|7 years ago
georgebarnett|7 years ago
The WHOLE POINT of GDPR is that many companies have continually pushed PII data handling down their list of priorities. As a result, the EU has decided to step in and use a law to bring it back up the list.
snom380|7 years ago
I care about privacy. Perhaps Mattheij does as well, and that's why this is important to him. If you agree with the spirit of the legislation, then I think you should also consider this a great opportunity to do the right thing, instead of a hassle.
jonathanyc|7 years ago
To quote the author:
> Then automate it. If you could automate the collection of the data in the first place then you definitely can automate the rest of the life cycle. There is no technical hurdle companies won’t jump through if it gets them juicy bits of data but as soon as the data needs to be removed we’re suddenly back in the stone age and some artisan with a chisel and hammer will have to jump into action to delete the records and this will take decades for even a small website. Such arguments are not made in good faith and in general make the person making them look pretty silly after all nobody ever complained about collecting data, in fact there are whole armies of programmers working hard to scrape data from public websites which is a lot more work than properly dealing with the life cycle of that data after it has been collected. So yes, it is a burden, no, the burden isn’t huge unless you expressly make it so but that’s your problem.
BjoernKW|7 years ago
However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:
- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically, we might very well see GDPR actually benefiting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.
- How exactly does a privacy policy have to be worded so I don't get sued on day 1?
- In which way will I still be able to store address data for contacting my existing customers?
- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.
- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?
beachy|7 years ago
- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile, curious they are)
- how easy it is for them to make requests (entirely manual vs. online service)
- wildcard factors (internet flash mobs bent on vengeance against a corporate)
There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.
For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request into the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence an incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.
Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
xtrapolate|7 years ago
> "This post is an attempt to calm the nerves of those that feel that the(ir) world is about to come to an end"
This post is actually a single person's viewpoint, a mere speculation of how things may or may not turn out to be. Your mileage may vary.
AnabeeKnox|7 years ago
"the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers ..."
The author seems to have the idea that bureaucratic EU systems are inherently "good" and that even if things look bad on paper, it will be fine because they are "good" people. This is not how the legal system or legal compliance works.
caffeine5150|7 years ago
losvedir|7 years ago
I think people miss that there is a very large qualitative difference between "no law" and "law". Even a very carefully targeted law will still have the effect, on the margin, of preventing or stopping compliant activities. But in the case of something like privacy, or control of data about you, maybe that's worth it in order to stop the noncompliant activities.
On a non-hypothetical topic: does anyone have a good resource on the requirements with regard to backups? That's one of the larger technical sticking points for me - do we have to delete from our backups as well on such a request?
Tomte|7 years ago
Because the reverse also holds: if we remove the need for driver's licenses for cars, more people will be able to drive.
The fallacy is IMO that many people always consider the status quo ante as the perfect balance. Because we have gotten used to driver's licenses.
So the argument that new regulation stifles some non-harmful behaviour is a truism, but doesn't really contribute anything, unless it comes with numbers.
myWindoonn|7 years ago
Radim|7 years ago
To remove some of the uncertainty and automate some of the compliance steps, we built a data discovery AI tech that scans corporate data to answer:
* "Do we even store personal information?"
* "Where do we keep it?"
* "How do we make sure PII is consistently stored only in the designated places?"
This may seem trivial to a micro-business that runs on a handful of database tables, which I think is where the author is coming from. But for larger companies, even understanding what's where and why (backups? emails? cloud storages?) is a highly non-trivial—if ultimately rewarding—endeavour.
raquo|7 years ago
Also, must be nice to live in a country where the regulator is as benevolent and reasonable as is described in this article.
I think it's ok for foreigners to be skeptical of this promise, as the article implies that this reasonableness is not encoded in law.
nabla9|7 years ago
Q: Does my business need to appoint a Data Protection Officer (DPO)?
A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
source: https://www.eugdpr.org/gdpr-faqs.html
muro|7 years ago
The US did it recently: https://www.theguardian.com/business/2017/dec/06/oliver-schm...
pilsetnieks|7 years ago
> The GDPR does not have this effect, but you may be interested to know that anybody can sue you or your business for whatever reason strikes their fancy. This is a direct consequence of doing business and has nothing to do with a particular law. What the GDPR allows private individuals to do is to contact their regulators and to complain if you decide to ignore their requests.
That's not exactly correct. Art. 79 of the GDPR allows people to sue directly for violations of GDPR although it's very non-specific.
kasey_junk|7 years ago
I'll note that for real businesses this is just a thought exercise, but it's one I keep coming back to. What if some less reasonable entity attempted to regulate in this way?
LoSboccacc|7 years ago
There's a whole two-hundred-post debate around here about whether IPs are or aren't PII on their own, with the vast majority holding the wrong position.
There's a whole branch of GDPR that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). You also need a privacy policy if you are receiving phone calls. Did you know that?
There's a whole bunch of implications on how liable you are for holding unwanted personal information, including unwanted medical personal information, i.e. "Hi, I saw your gazebo renting service. I'm organizing an event but I am unable to walk due to a permanent disability and require that a ramp is present to access your gazebo. Is that so?"
There is a huge surface area for uncertainty, up to and including 'best practices' that are a constantly shifting target.
Edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. That's why it's an issue, even without considering the address book, which is another issue by itself.
lol-lol|7 years ago
https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
Bottom line: DON'T store/sell/mangle personal data of your users unless you are able to fulfill this. I was thinking a bit about having an online store:
- make login as it is on Hacker News: you don't need email
- once the user has selected and paid for the goods, request a shipping address and contact (phone/email/whatever)
- ship it, print the requested / store into cold store (it is not that hard, you do it for bitcoins, right?), delete everything except username and password (and maybe the attached goods) from server
The described process will pass the GDPR Nightmare Letter in 10 minutes (the time to write a general reply that you send to everyone requesting).
This is what traditional "physical" stores do, not the large chains, the traditional, one employee, family store. And it works.
For everything else require consent, including tracking, but think very hard if you need anything else as it will complicate your business progressively.
I really don't understand all the fuss about the GDPR; if you explain (and prove) this to the ICO, I would really like to see who will punish you for that.
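The purge-on-ship store described above, and the purge/export features megaman22 mentions earlier in the thread, as an added example that is not part of any commenter's post. The `Store` class, its method names and the in-memory "cold store" list are assumptions standing in for a real database and offline archive.

```python
"""Data-minimising order store: PII leaves the online system once the order ships."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Order:
    order_id: int
    username: str                      # pseudonymous login, as on Hacker News
    goods: list
    shipping_address: Optional[str] = None
    contact: Optional[str] = None
    shipped: bool = False
    receipt_digest: Optional[str] = None   # hash of the archived copy, not the PII


class Store:
    def __init__(self):
        self.orders = {}
        self.cold_store = []   # constructed stand-in for an offline archive with its own retention
        self._next_id = 1

    def place_order(self, username, goods):
        order = Order(self._next_id, username, list(goods))
        self.orders[order.order_id] = order
        self._next_id += 1
        return order.order_id

    def add_shipping_details(self, order_id, address, contact):
        order = self.orders[order_id]
        order.shipping_address, order.contact = address, contact

    def ship(self, order_id):
        # Archive the shipping record once, keep only a digest online, then drop the PII fields.
        order = self.orders[order_id]
        record = json.dumps({"order_id": order.order_id, "address": order.shipping_address,
                             "contact": order.contact}, sort_keys=True)
        self.cold_store.append(record)
        order.receipt_digest = hashlib.sha256(record.encode()).hexdigest()
        order.shipping_address, order.contact, order.shipped = None, None, True

    def access_request(self, username):
        # Subject access request: export everything still held online for this login.
        return [asdict(o) for o in self.orders.values() if o.username == username]

    def shipped_orders_still_holding_pii(self):
        # Audit check a job can run: any shipped order that still has PII online is a bug.
        return [o.order_id for o in self.orders.values()
                if o.shipped and (o.shipping_address or o.contact)]
```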
MatthewWilkes|7 years ago
The latter group say things like "this is ridiculous, they're making us change so much" but never have an answer to the fact that they're already violating PECR or the Data Protection Act.
grigjd3|7 years ago