This guy doesn't like regulation and is playing to the crowd for sympathy.
Let alone full review of every system and legal review of the DPAs you have to sign and or create with every single co and processor.
If you are using only contract basis for the data it's really easy. You tell them that you are using their data for purposes of fulfilling the contract. The great thing about contract basis is they can't object. The only thing you need to do is to inform the customer of any 3rd parties you send their information to in order to fulfil the contract.
It only gets complicated if you want to use the data for other things. For legitimate interest (which is essentially exactly the same as the laws that are currently on the books) you need to be able to exclude processing the data if someone objects. You also need to make sure that you don't delete their data if they exercise their right of removal (which is completely bass-ackwards, but whatever). Consent is similar actually, but you have to get the consent up front. The other lawful bases are very unlikely to show up in most organisations.
I think the main problem with most organisations (and it's the case with the company I work for at the moment) is that control of private information is very loose. For example, we use several SaaS systems for our marketing. Some of them are clearly unnecessary and so we either have to remove that functionality or get consent. So there's lots of discussions about whether it is worth a huge wad of text thrown at the user in order to have cat emoji's or some stupid thing like that.
The other main problem is that if you want to use something other than contract basis, you need to build something that allows the user to exercise their rights. It can be a manual process, but if you have a lot of users it might threaten the margin.
Anyway, long story short: If you are only gathering the information that you need to do the work you are doing, there is likely very little (or in a lot of cases I bet nothing) to do. If you are gathering the information to use for your own purposes, then there may be a lot that you need to do.
Not to put too fine a point on that, personally I highly approve of this. I really could care less if somebody's business model is destroyed because it is now too expensive to collect information that you don't need to do the job. Even in the company I work for, where we don't actually use the data for nefarious purposes (AFAICT ;-) ), we're finally having some long overdue conversations about what stupid SaaS crap we're using under the hood. Not to be unkind, but I utterly fail to understand how marketing people fall for the same lies that they spew out themselves... "If only we send our customer's data to this service, they will find a way to drive more business our way! And we don't even have to pay them!" Yeah... right...
Similarly we sometimes get asked to incorporate silly things into our service because the marketing people think that it will create engagement. Again, these are free SaaS businesses that are scooping up data and selling it. Although I made up the cat emoji thing, it's not that far off what we sometimes get asked to incorporate. With GDPR, those businesses are going to have to charge for their services and that's going to have to come out of our budget. We don't have to argue "We're not shipping our whole customer database over to a SaaS just so we can have cat emojis on the the system". Similarly, it makes our systems simpler because if they really want cat emojis, we can implement them -- it's just not "free" (it never was, but it's hard to have that conversation sometimes).
I probably should have left the SaaS thing out of my explanation because it's confusing and only slightly related to what I was talking about :-). Like I said, we use some great services for marketing and will continue to do so under GDPR.
how could you "not need" data if the loss "destroyed" the business model?
For example, my business model might be to ask you for your login and password information for your bank so that I can help myself to the contents of your bank account. In return I'll send you a newsletter on how to get rich quick :-)
I doubt you are asking seriously, but in case you are, the distinction is: if I need the information to complete the contract, then it is under contract basis and I'm allowed to use it for that purpose. If it's not needed for completing the contract, but I have a legitimate reason for using the data anyway (kind of vague, but includes marketing -- basically all the stuff that was legal before GDPR) I can do so, but I need to tell you I'm doing it. You can object and then I have to stop. If I have no legitimate reason for using the data, but I want to anyway, I can still do it. I need to ask for your consent (which has to be opt in). My service can't depend on you opting in (because I have no legitimate reason for needing the data). I can't deny service just because you opt out. You can also withdraw your consent at any time.
So in my silly example at the top, I could literally ask for consent to use your login details for you bank. If you agreed, I could use them. However, since I have no legitimate interest in your bank login details (other than I wanna look at your bank balance), I can't make my service depend on that.
If your business model is based on making money from data that you have no legitimate interest in and you have no consent for... well, I really, truly have no sympathy at all. I understand that some people may have a different opinion, but I don't think mine is really that unreasonable.
Vs to package and resell the subject.
It is a matter of making subjects of data collection in control of their data being sold without their consent to the real customer, someone else.
Not the OP, but it's pretty straight forward for most people (including the author of TFA). You need to identify what private information you collect.
Fair enough.
You need to decide what lawful basis you are using to collect that data. If you have no lawful basis, you have to stop collecting that data.
Right, but probably the most practically relevant basis for anything non-trivial will be legitimate interests, which of course involves balancing tests. Even today, just a week before this all comes into effect, there is little guidance about where regulators will find that balance.
If you are using consent lawful basis, you need to get consent in an opt-in manner. You need to record what statement you have shown to the user and any consent that you receive.
But this is retrospective and stronger than the previous requirement. Even if you have always been transparent about your intentions and acquired genuine opt-in from willing users, you are now likely to be on the wrong side of the GDPR if you can't produce the exact wording that was on your web site or double opt-in email a decade ago. The most visible effect of the GDPR so far seems to be an endless stream of emails begging people to opt in to continue receiving things, even where people had almost certainly genuinely opted in already before.
For legitimate interest (which is essentially exactly the same as the laws that are currently on the books) you need to be able to exclude processing the data if someone objects.
Not quite. There also appear to be a balancing aspects here, though with some additional complications involving direct marketing, kids, and various other specific circumstances.
Take a common example of analytics for a web site. These may include personal data because of things like IP addresses or being tied to a specific account. Typically these have relatively low risk of harm for data subjects, but if for example a site deals with sensitive subject matter then that won't necessarily be the case either.
A business might have a demonstrable interest in retaining that data for a considerable period in order to protect itself against fraud, violation of its terms, or other obviously serious risks. Maybe the regulators will consider that those interests outweigh the risk to an individual's privacy if their IP address is retained for several years, at least in some cases. Maybe they will find differently if it's the web site for a drug treatment clinic than if it's an online gaming site.
Even if the subject matter isn't sensitive, where does the line get drawn? A business that offers a lot of free material on its site to attract interest from visitors might itself have a legitimate interest in seeing who is visiting the site and tracking conversion flows that could involve several channels over a period of months. This is arguably less important than protecting against something like fraud, but nevertheless the whole model that provides the free material may only be viable if the conversions are good enough. But equally, maybe it's not strictly necessary for the operation of the site and whatever services it offers for real money, so should the visitor's interest in not having their IP address floating around in someone's analytics database outweigh the site that is offering free content in exchange for little else in return?
That's just one simple, everyday example of the ambiguity involved here, and as far as I'm aware the regulator in my country has yet to offer any guidance in this area. Would any of the GDPR's defenders here like to give a black and white statement about this example and when the processing will or won't be legal under the new regulations?
The other lawful bases are very unlikely to show up in most organisations.
I would think the basis that you have to comply with some other law is also likely to be quite common. It will immediately cover various personal data about identifying customers and recording their transactions for accounting purposes, for example. But again, since that will include the proof of location requirements for VAT purposes in some cases, how much evidence is a merchant required to keep to cover themselves on that front, and when does it cross into keeping too much under GDPR?
The other main problem is that if you want to use something other than contract basis, you need to build something that allows the user to exercise their rights.
And once again, those rights are significantly stronger under the GDPR, particularly around erasure or objecting to processing. Setting up new systems that comply may not be too difficult, but what about legacy systems that were not unreasonable at the time but don't allow for isolated deletion of personal data? To my knowledge, there is still a lot of ambiguity around how far "erasure" actually goes, particularly regarding unstructured data such as emails or personal notes kept by staff while dealing with some issue, or potentially long-lived data in archives that are available but no longer in routine use. And then you get all the data that is built incrementally, from source control systems to blockchain, where by construction it may be difficult or impossible to selectively erase partial data in the middle.
Not to put too fine a point on that, personally I highly approve of this. I really could care less if somebody's business model is destroyed because it is now too expensive to collect information that you don't need to do the job.
But what if an online service's business model relies on processing profile data for purposes such as targeting ads to be viable, and regulators decide that a subject's right to object to that processing outweighs its necessity to the financial model?
It's easy to say a lot of people might not like being tracked, but on the other hand, if services like Google and Facebook all disappeared in the EU as a result of the GDPR, I'm not sure how popular it would be. There are two legitimate sides to this debate, and neither extreme is obviously correct.
A point is that often statements of a law are defined not by the language but by the ruling of lawsuits that occur around those statements and that is what most companies and lawyers are waiting for, what do courts rule when these lawsuits happen.
The biggest issue that I have heard of (Im no expert) is what does the right to be forgotten actually mean ? Does that mean all your backups are now illegal as you are retaining the customers information after they asked you to remove their records?
I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.
forgive my frank language, but too fucking bad.
edit: my right always outweigh your profits. Sorry.
The data collected under the former is simply the IP and a timestamp in webserver and app logs, usually purged within 7 days and then any user data included in backups, purged after 3 months.
"better user experience" is not really personal data but I included it anyways; browser type (mozilla/edge/etc.), viewport resolution, pageload time, OS. And not stored in a way that allows correlating them.
For analytics that is really all I need.
You are aware that there is a time and monetary cost to comply for those with legitimate data collection purposes, right?
Consider adventured's sibling post - it quite astutely points out that GDPR discussions are much more vitriolic than you'd expect for discussions of the minutiae of data handling. People who say that GDPR compliance is hard are being attacked on a personal level. He explains it as 'emotional investment' in GDPR but I don't think that's a good explanation; the people arguing most strongly for it are also those saying it's not much work, so that seems backwards. You'd expect people who put in the most effort to be most emotionally invested in it.
There's a much better explanation available: your view on GDPR is a direct consequence of your assumptions about human nature. If you believe in the existence of benign and enlightened technocrats then GDPR seems like excellent progress towards building a better world - it's extreme vagueness and severe penalties are exactly what's needed to foster obedience to technocratic elites. People who complain about this are just being unnecessarily awkward ... just be reasonable after all, and you'll be fine! The EU are reasonable so if you're reasonable too, you have nothing to fear! From this perspective, anyone who objects to GDPR or actually decides compliance is impossible must - almost by definition - be being unreasonable. What are they hiding? Why can't they just get on board; the only answer available is that they have flawed characters and any points they make about gray-area debatable things like cost:benefit ratios must be some sort of obfuscation.
If on the other hand you believe the whole idea of wise and beneficent bureaucrats is naive, then GDPR looks like a hell of a lot like a power grab by the very sort of people who shouldn't be able to grab power. Vagueness is of deep concern because it's in the shadows of vagueness that abuse can be found, and when a law is nothing but vagueness, it even makes sense to question to motives of those who created it - that's a problem because lots of self-styled Europeans have bought into the EU's utopian rhetoric and can't separate criticism of the EU from criticism of themselves and their desired future.
There's no real scientific way to prove whose assumptions about human nature are right. The USSR was a rare example of a real-life experiment in who was right and for a long time it proved the American style, conservative, small weak government is better mentality to have superior results. But that was decades ago and many have forgotten or weren't alive back then, so now rule by technocratic dictatorship seems attractive again.
As a consequence GDPR discussions will always have the same flavour as Clinton v Trump debates, or Brexit debates, or whether to restrict spending on political campaigning. They are ultimately about the same issues.
This is also why in all cases you'll see the GDPR supporters go after the character of the site/service owner (including always questioning their motives to muddy the waters). It's an attempt to short-circuit any reasoned debate, to destroy the credibility of the opponent. This has happened numerous times on HN in the last month or two.
Even if you had a business that was whiter than white in terms of compliance with previous data protection laws and had perfect documentation of all its data collection and processing activities, it would surely cost far more than that just for the time to write some basic notes on the extra things you now have to tell data subjects and/or your regulator, get them reviewed by a lawyer, incorporate them into the relevant policies, and send notifications to anyone affected about your updated privacy policy.
What about your salary?
Your risk in GDPR is similar to your risk in IP law. If you don't comply with the law and someone calls you on it, you might have legal proceedings against you. In most cases it's pretty obvious if you are compliant with the law (Well, to be fair, it's completely unobvious if you are going to get randomly sued for patent infringement, but I digress...) If you are have a very complex situation, then maybe it is worth some legal advice, but it's pretty freaking obvious if you need the data you have collected in order to fulfil the contract or not.
Anybody that tries to sell you one is full of it.
You claim to know a lot about the GDPR, I’m not sure my business is compliant. Can you take a look and tell me?
What’s that called if not an audit?
