If you are respectful of other people's privacy then there is very little chance that you will run afoul of the law, and even if you should then you will be warned to become compliant long before you will be fined.
This whole discussion is beyond ridiculous.
Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.
citation needed
> if you do not collect data that you have no use for you are 95% there.
I have always been respectful and have never even required emails on signups. I am not 95% there because there is a ton more to do. In fact I am at 5% because I have a lot of small scale past projects. Not everyone is a VC-funded startup.
That's the kind of emotional reaction that everyone has to GDPR. Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.
Every statement issued by EU regulators to date.
> I have always been respectful and even never required emails on signups.
Good.
> I am not 95% there because there is a ton more to do.
Such as?
> In fact i am at 5% because i have a lot of small scale past projects.
You've had two full years to get this done. The law came into effect the 14th of April 2016. It is now May 2018.
> Not everyone is a VC-funded startup.
If you can build it you can also build it in a way that is compliant with the law and if you built it in a way that requires a lot of work to be compliant with the GDPR then you likely were already riding a very fine line with respect to the DPD which has been in effect for much longer.
> That's the kind of emotional reaction that everyone has to GDPR.
Emotions are a bad guide when it comes to legal stuff.
> Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.
Such as?
Everything. Even if you process just an IP you need to document your procedures and change privacy policies. If at any point you ask for anything you need to implement opt-ins, a way for (unauthenticated) users to request their data (even if it's just 1 IP), etc. My point is that having negligible private data is not less of a compliance burden than having a lot of private data.
> You've had two full years
You mean I've had 2 years to attempt to interpret a vaguely written law. Actionable information is just now coming out, and even that is contradictory (cue this topic). Even the EU parliament's website does not comply yet.
> you likely were already riding a very fine line with respect to the DPD
First, that is a directive, not a law, and compliance can vary widely. Second, GDPR requires new procedures, which means it requires amendments anyway.
> Such as?
I have posted another comment
So don't hold IPs if you can't be bothered to know where they might end up and if you don't want to update your privacy policy. Why would you?
> My point is that having negligible private data is no less compliance burden than having a lot of private data.
And no data means no compliance burden.
Note that holding data already has costs associated with it no matter what you do: you need to secure that data, you need to back it up, you need to process it and eventually you will need to get rid of it. All of those cost money and effort.
> You mean i ve had 2 years to attempt to interpret a vaguely written law.
As laws go, the GDPR is surprisingly clear. I was quite skeptical until I actually got a copy of the draft and I was positively surprised. They actually got it mostly right; there are some minor things that I would have liked to see different, but on the whole I am not complaining.
> Actionable information is just now coming out, and even that is contradictory (cue this topic).
The hysteria is ridiculous. Anybody that has spent even so much as a couple of hours on this subject - and from a somewhat serious point of view rather than the ridiculous fear mongering - knows enough to not have written a silly blog post like the one on display here.
> Even the EU parliament's website does not comply yet.
That article was not exactly enlightened to put it mildly.
> First, that is a directive, not a law and compliance can vary widely.
Yes, but if you did take it seriously then you are well underway.
> Second, gdpr requires new procedures which means it requires amendments anyway
Yes, there is some overhead. But this is mostly to ensure that the law will not be ignored like what happened with the DPD. As you say, 'it was a directive', which many companies interpreted as 'can be ignored'. What they failed to realize is that if you don't self-regulate after a directive is issued, there will be a version of the directive with teeth that has the strength of law. Congratulations, we are there.
No. This is the myth that "consent is always required". There are several justifications for processing personal data, and consent is just one of them. There are others.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
The 20 years of data protection enforcement we've had.
That would have been a wonderful thing to see. The DMCA has had a chilling effect on speech worldwide, and has created difficult barriers for small businesses to deal with if they want to host user-created content.
I think you unintentionally made your opponent's point!