(no title)
JoshuaEN | 7 years ago
A server 'processing' (which seems to include using it in any way, not just storing [1]) your IP address appears to fall under the GDPR [1], and said server would be in violation of the law unless its processing falls under one of the exemptions.
The main exemption appears to be getting the user's explicit consent, though there's also this super vague exemption: "for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted." [2]
In general, it seems very hard to avoid the GDPR because what is considered 'personal data' is extremely broad.
Maybe I'm misunderstanding something.
---
[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
[2] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
jdlshore | 7 years ago
I used "legitimate interest" as my lawful basis for logging IP addresses and website usage information. From the UK ICO's guidelines [1]:
"It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."
There's a three part test:
1. Identify the legitimate interest: ensure the security and stability of my systems.
2. Show that processing is necessary to achieve it: need to know when and how the site is used in order to troubleshoot problems and detect abuse.
3. Balanced against individuals' interests: We pseudonymize logins so usage information is not obviously related to specific individuals. There is no sensitive data on the site that can be revealed by usage data. The retention period is short which further limits what can be revealed.
Now, people here on HN might nitpick my logic, but fortunately they're not the regulators. I'm confident that, in the very unlikely event that a regulator even notices my little businesses, I'll be able to correct any mistakes before fines come into play.
[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...
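One concrete way to do the pseudonymization and short retention described in point 3 of the test above, as an added example (not the commenter's own code): IP addresses in access-log lines are replaced with a keyed hash under a per-day key, so that deleting old day keys after the retention window makes old entries unlinkable. A plain unkeyed hash would not do, since all 2^32 IPv4 addresses can be enumerated and matched; the master key, the 12-character tag length and the sample log lines are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample access-log lines, common log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2018:12:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2018:12:00:05 +0000] "GET /login HTTP/1.1" 200 1024
2001:db8::1 - - [10/Jun/2018:12:01:00 +0000] "POST /login HTTP/1.1" 302 0
"""

# The client address is the first whitespace-delimited field of each line.
IP_RE = re.compile(r"^(\S+) ")


def daily_key(master_key: bytes, day: str) -> bytes:
    """Derive a per-day key from the master key. Destroying a day's key after the
    retention period leaves that day's tags with nothing to link them back to."""
    return hmac.new(master_key, day.encode(), hashlib.sha256).digest()


def pseudonymize_ip(ip: str, day_key: bytes) -> str:
    """Keyed hash of the address, truncated to a short tag (assumed 12 hex chars).
    HMAC rather than a bare hash: without the secret key an attacker could
    hash every IPv4 address and reverse the tags by lookup."""
    return hmac.new(day_key, ip.encode(), hashlib.sha256).hexdigest()[:12]


def pseudonymize_log(text: str, day_key: bytes):
    """Rewrite each log line with the client address replaced by its tag.
    Same address on the same day -> same tag, so abuse is still detectable."""
    out = []
    for line in text.splitlines():
        m = IP_RE.match(line)
        if not m:
            out.append(line)  # leave lines we cannot parse untouched
            continue
        tag = "ip-" + pseudonymize_ip(m.group(1), day_key)
        out.append(tag + line[m.end(1):])
    return out


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # in practice: stored outside the log system
    for entry in pseudonymize_log(SAMPLE_LOG, daily_key(master, "2018-06-10")):
        print(entry)
```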
mdpopescu | 7 years ago
Every business owner in Romania knows two things:
- the IRS equivalent will investigate them periodically, usually every few years
- they will ALWAYS find something to fine the company for
Sure, you will have to correct the something, but that doesn't mean you don't have to pay the fine anyway.
Also, incidentally, the company I was branch manager for was once investigated by the police for credit card theft (they received a complaint). They couldn't find anything (because we didn't steal any credit cards - we just had a lot of computers because we were programmers, working for the main company in the US) but, in order not to have wasted the raid, they decided to prosecute us for copyright violations (they found a few pirated games).
So, at least in Romania, there is no such thing as "correcting mistakes before fines come into play".