top | item 30123499


uuidgen | 4 years ago

So what are those problematic GDPR requirements?

- ask for permission

- do not collect more than you have

- store securely

- allow users to change or remove their data

- have a dedicated officer if you collect a lot

Is that really THAT hard? (If yes, then really you shouldn't be collecting any data.)


drdeca | 4 years ago

Depends on what "have a dedicated officer" entails?

If it requires employing someone you wouldn't be otherwise, then, yes, I do think it is unreasonable to require that I hire someone if I am letting people give me an email address for the purpose of sending them an email in the event that <x> (assuming that I am verifying at the time they give me the email address that they have control of the email address in question), no matter how many people request to be added to the list of people to send an email in the event that <x>.

uuidgen | 4 years ago

It means designating a person who understands GDPR in the scope it applies to the particular data set and handles requests/security incidents. It can be a secretary after a few hours of training.

And I think that if you manage a mailing list of millions of people, then having someone who understands the security implications of it, and how much they can lose (even to a simple phishing at this scale) if you get that list accessed by scammers, is necessary.

echelon | 4 years ago

Let's say you built your massive software business that relies on immutable records exchanged between services. Maybe your process involves cold storing some of the data. You have hundreds of microservices and thousands of lambdas, each one with a dedicated purpose. Your address microservice stores PII. Your session service knows about email. Your employee service has first and last names.

Now you have to coordinate ALL of it to support right to forget and data export.

You need an expert in each system to drop what they're doing for one to two quarters to figure out how not to break everything and support this new use case.

You need to synchronize the plan of action throughout all of the various orgs. Some party receives GDPR requests, and that now needs to trickle down to every service to handle and report back.

This is hugely expensive.

Millions of dollars.

You vastly underestimate the toll on existing legacy businesses.

isbvhodnvemrwvn | 4 years ago

If you rely on immutable data records for sensitive information such as PII, and you don't have the full view on where the data is stored and how to delete it, the law IS SUPPOSED TO make you realize that it was a bad mistake. It was a mistake when you started, now you just have to pay for it to get fixed.