undefined | Better HN

0 pointsmnkypete7y ago0 comments

No - you cannot ignore it when you are a small company that's true. But you can (probably, we'll see) ignore it if you don't do shady shit with your customer data. You are allowed to process data, if it's used to fulfill the service you provide. That's reasonable, and probably applies to most of what OP is doing.

0 comments

greglindahl7y ago

So when I get reported, I'll say I didn't worry because some guy on Hacker News said I'd be OK? That's not how it works. You can be as confident as you want without affecting the reasonable worries actual businesses have about this regulation.

mnkypeteOP7y ago

I have an actual business, thank you. And I did my homework by talking to a lawyer about it. What I got from this talk is, that most of the stuff that is going around is pure panic mode.

Please, don't take my words as granted but talk to an actual lawyer. You'll probably even find a free session for startups somewhere in your city, at least in Europe.

jdietrich7y ago

Ask the regulators. The ICO provide comprehensive guidance documents, a wide range of tools to facilitate compliance and a dedicated helpline for small organisations. They're extremely busy at the moment, but they'll be more than happy to explain your obligations under the GDPR and the best way of achieving compliance.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

https://ico.org.uk/global/contact-us/advice-service-for-smal...

kasey_junk7y ago

Point of order, the ICU is one of many potential regulators & likely not an important one given brexit.

What hav the Danish & Belgian regulators been doing lately?

nickpp7y ago

ICO is just the UK regulator. How about the regulators of the other 28 EU states?

jdietrich7y ago

There are specific mechanisms in place to ensure that the regulations are applied consistently, set out in Chapter 7 of the GDPR.

https://gdpr-info.eu/chapter-7/

1 more reply

jacquesm7y ago

Harmonized. So an ok from one would count pretty heavily when interacting with others.

donatj7y ago

False. If you do any sort of logging of network traffic - think server logs - or even backup your database and a single person comes asking for all their data to be removed from all your backups sitting in cold storage, you're in for a world of hurt.

The mere act of pulling all my database backups from glacier at once would cost enough to force me to just shut down my personal projects.

opencl7y ago

GDPR does not require deleting data from backups.

http://blog.quantum.com/backup-administrators-the-1-advice-t...

"The GDPR is open to interpretation, so we asked an EU Member State supervisory authority (CNIL in France) for clarification. CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it. Organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time (indicate the retention time in your communication with the data subject). Backups should only be used for restoring a technical environment, and data subject personal data should not be processed again after restore (and deleted again)."

kasey_junk7y ago

CNIL is one of ~20 regulatory agencies & this isn’t their “official” stance.

Other opinions have concluded that you must keep an index of requested deletes in the face of backups, for instance.

opencl7y ago

That agrees exactly with what CNIL said. Obviously you have to keep an index of requested deletes for the same length of time you keep backups in order to re-delete the relevant data in the event of restoring the backups.

Article 63 of the GDPR specifically covers consistency of enforcement across the regulatory agencies.

srrr7y ago

I don't see the problem here (for small companies). If you have a database with user data, and a user deletes his account, you delete the data from production. At this moment, you have a live system without this users data, and some backups with the data. The moment you make a new backup, you have a dataset to restore from that does not include the user data.

You keep daily backups for 1 week, and after one week the users data is gone from all backups.

The only possible window for restoring deleted user data is the time window from deletion to backup. To "solve" this you need to make more backups, ideally live backup and replication with really frequent snapshotting. And this is something you would want even without the new law, because you don't want to lose user data in case of a server failure. Why would you restore from an old backup? (And if you really need to restore from an old backup you most likely want to merge this backup with the newest one to reduce data loss. In this case you can reapply all deletes.)

The new laws don't change anything. For me at least. Also my lawyer is totally fine with "only" minimizing the problematic time window. We both know that it will never be zero.

1 more reply

08-157y ago

I have a radical idea: don't keep that data.

You can still log accesses and aggregate them into statistics, just don't keep the IP addresses. You can still log IP addresses to detect DOS attacks or whatever, just delete the log when you don't need it anymore, after a day or so. There's no need to get backups from glacier, because you know there is no personal data in them.

matthewmacleod7y ago

GDPR does not require you to delete PII from backups. This is a misconception.

You do need to have a documented and implemented backup retention policy and communicate this if you receive a request to delete a user's data.

tobltobs7y ago

There are other laws which require you to keep data for up to 10 years. This will require you to split up your backups and clean the ones for the longer storage from all unnecessary PII. That is already costly and challenging. Problem is nobody really knows what data you have to strip of and what do you have to retain for other laws.

srrr7y ago

You are talking about a very narrow set of legal reasons that need 10 years of archiving. This has nothing to do with the GDPR and these archives should really not be created from normal daily/... backups. If you fall into that category you need a lawyer even without the GDPR and this lawyer will tell you exactly what and how to archive. "Nobody really knows" does not apply here because your lawyer knows.

1 more reply

user59944617y ago

Backups have an expiration. That should be enough to satisfy the requirement for deletion.

1 more reply

edaemon7y ago

That's only the case if you store personally identifiable information in your logs. IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP. Plus, if you rotate out your logs and clean them up regularly, you don't really need to worry about it. (That's what the EU lawyers at my work told us.)

Database backups are only a problem if you save them forever, though it sounds like you are. GDPR generally requires that you regularly archive, rotate out, and clean up old data.

kasey_junk7y ago

The GDPR faq disagrees: https://www.eugdpr.org/gdpr-faqs.html

edaemon7y ago

It doesn't. It says:

> Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, ... or a computer IP address.

Emphasis mine.

I said:

> IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP.

3 more replies

joering27y ago

I spent near to $10,000 in 6 lawyers 2 in usa 4 in different european countries and all wrote detailed report for me negating what you just said. IP is one of the most PII identifiable elements of an internet user. Exception is when you can prove such IP is a merely a proxy. please get some other lawyers opinion!!

edaemon7y ago

Note that I didn't say IPs aren't PII; I said they don't count as long as you are collecting them for the specific purpose of security and don't have any way to identify the person using that IP. Pretty much by definition that is not PII.

That came from the legal departments from our German, UK, and French entities.

2 more replies

raverbashing7y ago

Here's your problem, you have 6 lawyers.

If you're too worried about this, remove the last octet from the IP or and/or it with a mask. And especially don't associate the IP with the user (by default you can't find out who's the user only by IP).

j / k navigate · click thread line to collapse

0 comments

greglindahl7y ago

mnkypeteOP7y ago

I have an actual business, thank you. And I did my homework by talking to a lawyer about it. What I got from this talk is, that most of the stuff that is going around is pure panic mode.

Please, don't take my words as granted but talk to an actual lawyer. You'll probably even find a free session for startups somewhere in your city, at least in Europe.

jdietrich7y ago

https://ico.org.uk/for-organisations/guide-to-the-general-da...

https://ico.org.uk/global/contact-us/advice-service-for-smal...

kasey_junk7y ago

Point of order, the ICU is one of many potential regulators & likely not an important one given brexit.

What hav the Danish & Belgian regulators been doing lately?

nickpp7y ago

ICO is just the UK regulator. How about the regulators of the other 28 EU states?

jdietrich7y ago

There are specific mechanisms in place to ensure that the regulations are applied consistently, set out in Chapter 7 of the GDPR.

https://gdpr-info.eu/chapter-7/

1 more reply

jacquesm7y ago

Harmonized. So an ok from one would count pretty heavily when interacting with others.

donatj7y ago

The mere act of pulling all my database backups from glacier at once would cost enough to force me to just shut down my personal projects.

opencl7y ago

GDPR does not require deleting data from backups.

http://blog.quantum.com/backup-administrators-the-1-advice-t...

kasey_junk7y ago

CNIL is one of ~20 regulatory agencies & this isn’t their “official” stance.

Other opinions have concluded that you must keep an index of requested deletes in the face of backups, for instance.

opencl7y ago

Article 63 of the GDPR specifically covers consistency of enforcement across the regulatory agencies.

srrr7y ago

You keep daily backups for 1 week, and after one week the users data is gone from all backups.

The new laws don't change anything. For me at least. Also my lawyer is totally fine with "only" minimizing the problematic time window. We both know that it will never be zero.

1 more reply

08-157y ago

I have a radical idea: don't keep that data.

matthewmacleod7y ago

GDPR does not require you to delete PII from backups. This is a misconception.

You do need to have a documented and implemented backup retention policy and communicate this if you receive a request to delete a user's data.

tobltobs7y ago

srrr7y ago

1 more reply

user59944617y ago

Backups have an expiration. That should be enough to satisfy the requirement for deletion.

1 more reply

edaemon7y ago

Database backups are only a problem if you save them forever, though it sounds like you are. GDPR generally requires that you regularly archive, rotate out, and clean up old data.

kasey_junk7y ago

The GDPR faq disagrees: https://www.eugdpr.org/gdpr-faqs.html

edaemon7y ago

It doesn't. It says:

Emphasis mine.

I said:

> IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP.

3 more replies

joering27y ago

edaemon7y ago

That came from the legal departments from our German, UK, and French entities.

2 more replies

raverbashing7y ago

Here's your problem, you have 6 lawyers.

j / k navigate · click thread line to collapse