As someone that knows next to nothing about it, I was curious and googled how to adhere to the GDPR, and read through the top recommended article. Here's some choice quotes:
"Complying with the GDPR is a huge undertaking"
"GDPR compliance (occupies) a huge amount of IT time and resources"
"Moving your organization into GDPR compliance is a process you ideally started long ago"
The article links to some ICO GDPR data processing checklist, which is a list of 18 different processes you need to have put in place.
"The GDPR is made up of 99 articles that provide a detailed description of the regulation". <- 99 different articles to understand and adhere to ...
"[I]t is impossible to provide an exact prescription that will guarantee your organization is in compliance"
"One of the most onerous obligations of the GDPR is to provide “Data Subjects” – the people whose data you are processing – with access to the data that you hold about them (Article 15)"
"They can also request rectification or completion of data if it is inaccurate or incomplete, and they can request that you delete their personal data"
"This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests “without undue delay"
^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.
I'm not even half way through the article and I'm skipping over tons of what it's saying needs to be done, with all the security measures that need to be put in place, whether or not encrypted data is needed, breach notification, and so on.
It seems like a heck of a lot more than just "not track people", or a trivial amount of work.
You listed just one slightly onerous requirement: allowing people access and agency over their data. If you don't store their data, you don't have to do that.
It's a bit hyperbolic to say that you're, "not even half way through the article and I'm skipping over tons of what it's saying needs to be done", when you've literally only listed one thing.
> "This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests “without undue delay"
I'm sure each case might be different, but I can't help but think this is just a cheap excuse to inflate the work that is required to comply with data protection regulation.
I've worked already on a few projects involving data protection, and they all boil down to two steps:
- only store anonymous data. No personal data? No problem.
- if you need to store personally identifiable information, support deleting it on request.
It might be easier to incorporate these requirements at the design stage, but by now this is a very basic set of requirements.
> ^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.
If you don't track people's data, that "system" becomes an automated email reply with "we don't have any data about you".
But if you deal with individuals, probably you do want to collect at least some data that would be subject to the GDPR protections, and it is definitely easier to forget all about it.
Given that most things are personal data under the GDPR (e.g., IP addresses have been considered personal data, and things like usernames are clearly personal data), I don't think most companies can get off quite that trivially, short of being completely stateless and never logging anything.
You can keep logs if you have good reason; you just have to delete them after a reasonable time. Nothing about this is hard or costly if you think about it from the start. Your 'forever data' basically should never contain PII, as some users might have terminated their accounts etc., so then their info cannot be in some cold store tape archive. Again, not complex; delete backups after a reasonable time and throw away the encryption key.
The intent of the GDPR is that you think about all of this and not simply store everything to mine, have stolen, leak or sell later on. The problem is that many companies, or the software they use, are literally built to abuse that data, so then it is indeed 'hard' and expensive to comply.
Sure, but regardless of your data-retention period, you still have to know where to find everything derived from anything user-generated, if you want to accurately respond to requests. You're free to argue that the GDPR is making companies do things that they already ought to have been doing, but my point is that "just don't be one of those evil user-tracking companies" is not a viable compliance policy in itself.
If your data retention period is less than your response time (which has to be less than a month), can you not say "everything we had at the time of request is deleted" and be done with it?
A reminder that we're talking about passing visitors without accounts here, and for logging and analytics there shouldn't be a need to store anything longer than a couple days.
All of that is about complying with gdpr, assuming you're sharing customer data. If you don't, there's nothing to do. It's like "international shipping of live animals is a massive undertaking and takes lots of time" - cool, it's true - I'm not doing that so I'm done.
Sure, you have to comply with data requests, but if you don't store/share it... that's also trivial.
GDPR does not regulate “sharing,” it regulates any use of personal data. IP address is considered personal data, so you can’t avoid GDPR compliance if you are running a website at all (since you must process IP addresses in order to serve a website).
I'm using simplified language here, not writing a legal document. The first use was also supposed to be "storing/sharing", but it's processing in practice. But here you go:
> GDPR does not regulate “sharing,”
13.1.e requires at least the notification of the recipients of the data. With the requirement about the purpose of use, it effectively regulates sharing.
> since you must process IP addresses in order to serve a website
That's right and that places the IP in the 4.1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller" area which doesn't require consent.
It doesn’t require a consent dialogue but it requires user notifications and data processing agreements with anyone who is helping you serve your site and an agent available to EU jurisdictions to answer inquiries. Granted a lot of people don’t bother or slide by with some vague crappy language they downloaded from somewhere.
The irony here is that the people who think they’re standing up for GDPR are actually the ones not taking it seriously, while the people who take it seriously are the ones who know what a pain it is to comply with.
Have you got some support for this from people experienced with legal matters? Because not only have I never heard of the internet provider notification being required and can't find any act which would apply, I can't even find any European page which does that, including https://op.europa.eu/en/web/about-us/privacy-statement which is responsible for publishing the GDPR itself.
That publisher's page lists the third party processors for the documents, (as expected) but not the hosting provider. I'd love to see a counterexample.
My experience was the months I spent with a very competent (and no doubt expensive) French law firm to help my employer implement GDPR compliance. None of that is public info that I can link to, however.
I’ll edit to add that the user must be notified that you are collecting and processing personal data, which includes IP address. And the hard part is that you must also have internal paper trails that prove that you have written that notification in full knowledge of all the data processing done on your behalf by all your service providers. Is a data center owner routing traffic to your server? You need paperwork in which they commit not to store the IP addresses of your visitors, for example. That is not public-facing but must be available to regulators upon their request.
That’s the hard part of compliance and what most people skip. They click OK on the standard agreements with service providers and put up a standard privacy template. That is not actually compliant but folks are essentially betting that they are small enough that data regulators won’t ever come call them on it.
There's a known side effect of highly paid legal work... it will produce lots of results. But was it all required or just-in-case-CYA? Is one highly paid lawyer more correct than a sample of European institutions? Maybe...
Sum the amount of "you simply <x>" in this thread, then account for the fact that we're talking about running afoul of a regulation if you don't understand it, and you end up with a hassle. I'm not weighing in on whether or not it's bad, I'm just saying what I said. If you aren't accounting for a significant portion of revenue to justify it, you're going to get blocked because you represent a liability.