It only seems complex because everyone had been implementing user-hostile data-mining operations for years before GDPR was enacted. So for every external service you use, you must check whether or not they have implemented GDPR compliance. If GDPR had been law from the beginning, it would be much simpler.
Although I'd like to know, what difficulties have you been facing in your startup, exactly?
pier25|2 years ago
I have dozens of matters that I don't even know if they are related to GDPR.
Our main DB is physically hosted in an EU data center by a US company (not AWS). Is this GDPR compliant? Because, as I understand it, US companies can be required to share their data with the US government. Does that mean I should be looking to host my DB with a non-US company? Would signing a DPA and putting some clause in our privacy terms be enough to be compliant?
What if we're using a Redis cache at the edge? Would I be breaking GDPR laws if an EU user was traveling outside the EU and this triggered a cache write to a Redis instance outside the EU?
What is considered sufficient security for storing the email addresses of our users? Should I be encrypting email addresses in the database even though this would be a massive pita and would prevent certain features from even existing?
Etc.
I could be here all day with lots of nuances.
Every time I read more on this matter it opens up a can of worms.
tremon|2 years ago
Disclaimer: this is obviously not legal advice, but I have been involved in similar GDPR adventures at my company.
> Does that mean I should be looking to host my DB with a non US company?
Yes, if you want to isolate yourself from any ramifications in the Safe Harbour/Privacy Shield/Paper Tiger #3 diplomatic processes.
> Does signing a DPA and putting some clause in our privacy terms be enough to be compliant?
Probably not (assuming you're referring to a DPA with a US-based company), but not having a DPA is not an option. In any case, the fallout from a total breakdown of transatlantic data transfers will be sufficiently large that fines will probably not be given without sufficient notice.
> Would I be breaking GDPR laws if a EU user was traveling outside the EU and this triggered a cache into a Redis outside the EU?
No, unless your outside-EU Redis is controlled by a different company than the inside-EU Redis. In which case you should sign a DPA with the outside-EU provider as well, with the same caveat as above.
> What is considered sufficient security to store email addresses of our users? Should I be encrypting email addresses in the database
No, but you will want to set up data access auditing for such fields, and possibly something like dynamic data masking so employees cannot easily access the raw data. Normal at-rest encryption of the entire datastore (and backups!) should be sufficient.
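To make the "access auditing plus dynamic masking" suggestion concrete, here is an added example (my own illustration, not code from tremon or from any product mentioned in the thread). It assumes a single read path for the email column that always writes an audit row and returns a masked value unless the caller's role is on an allow-list; the table names, role names and sample users are constructed for the example. Disk or backup encryption is an infrastructure setting and is not shown.

```python
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample data for the demonstration; not from any real system.
SAMPLE_USERS = [
    (1, "alice@example.com"),
    (2, "bob.smith@example.org"),
    (3, "c@x.io"),
]

# Roles allowed to see the unmasked address (an assumption for this example).
# Everyone else gets a masked value, but every read attempt is still audited.
UNMASKED_ROLES = {"dpo", "fraud_investigator"}


def mask_email(email: str) -> str:
    """Dynamic masking: keep the first character of the local part and the
    full domain, so support staff can still recognise the provider."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return f"{local[:1]}***@{domain}"


def open_store() -> sqlite3.Connection:
    """In-memory store with a users table and an append-only audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.execute(
        """CREATE TABLE email_access_audit (
               ts TEXT NOT NULL, actor TEXT NOT NULL, role TEXT NOT NULL,
               user_id INTEGER NOT NULL, unmasked INTEGER NOT NULL)"""
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def read_email(conn: sqlite3.Connection, actor: str, role: str, user_id: int) -> Optional[str]:
    """The only path application code uses to read an email address.
    Records who asked for which user's field (even if the user does not
    exist, so enumeration attempts show up too), then returns the address
    raw for allow-listed roles and masked for everyone else."""
    unmasked = role in UNMASKED_ROLES
    conn.execute(
        "INSERT INTO email_access_audit VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, role, user_id, int(unmasked)),
    )
    conn.commit()
    row = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        return None
    return row[0] if unmasked else mask_email(row[0])


def audit_trail(conn: sqlite3.Connection, user_id: int) -> List[Tuple[str, str, int]]:
    """Which actors looked at this user's email, and whether they saw it raw."""
    return conn.execute(
        "SELECT actor, role, unmasked FROM email_access_audit WHERE user_id = ? ORDER BY rowid",
        (user_id,),
    ).fetchall()


if __name__ == "__main__":
    db = open_store()
    print(read_email(db, "support-7", "support", 1))  # a***@example.com
    print(read_email(db, "dpo-1", "dpo", 1))          # alice@example.com
    print(audit_trail(db, 1))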
In this case it's not enough just to be GDPR compliant; the website admin has to have a data processing agreement with the CDN, which you won't get from a free CDN such as JSdelivr.
It's complex because 'personally identifying information' is not a thing outside the digital world. You can't enforce these rights on physical businesses, for example (e.g. you can't ask your local bakery to forget that you existed).
You can request they expunge all records of your purchases.
bawolff|2 years ago
Not exactly a new idea either. Doctors have been subject to rules around record keeping for a long time. It's not really all that different between physical and digital; the cost of making and (ab)using records is just way lower in digital.