The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...
In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
The key change is the fairly explicit punishments and apparent intent to hand them out for non-compliance. A lot of older regulations get considered by companies but the issues relegated, officially or otherwise, to "yeah, we'll apologise and fix that when someone notices" which might not be a good way to manage the risk management after next Friday.
> ... might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
Exactly. A lot of the unhelpful hysteria is being drummed up by consulting companies trying to sell their services to help others assess and/or manage their GDPR compliance: they are stoking the fears to improve sales.
The rest is coming from people who don't want to lose control of some of what they consider to be _their_ data. From a business perspective this is usually "I've collected it or paid for it, I should be able to keep it / sell it / use it, this is unfair, wa waa waaaaaa" and from a technical perspective many of us data people have flinch reactions to any idea of hard-delete or un-rollback-able update operations (they are not really impossible to roll back of course, anyone sensible is building considerations for backup retention policies into their procedures, but rolling back is less likely to be simple and can only be done during that retention window).
People are being forced to sign agreements which jeopardise the natural rights to their data which they would otherwise have.
One example: a friend who has a very pretty daughter was asked by her school to give them the right to film her and to use any and all such recordings as they see fit for 50 years even after she leaves the school.
This feels very wrong on just about all the conceivable levels.
We are still waiting for the first court battles that will help determine how GDPR is actually enforced in practice. Until then being in compliance with GDPR is gonna be like herding invisible cats, and it's likely well intentioned people will get burned and OP ends up with major egg on his face within a year's time. I want to drink the EU koolaid as much as the next person, but that's just naive.
I remember back in the day there was no such concept on the internet. Your identity didn't translate to anything in the real world. At some point people started to treat it as 'real world but on the computer' instead of thinking about it in a totally radically new way about 'self'/'identity' etc. People thought of their internet profiles as their own self. The Internet age was killed even before it started. The endless promise of the internet to free human beings was thwarted by paranoia, censorship, laws etc.
At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".
And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".
I rather think it gets a lot of hate because it leaves a lot to the discretion of the regulators. Overall, the SMEs I talk to don't have a problem with regulating data (most think it will pop the gangrenous ad-tech bubble). It's the lack of predictability that bothers them.
So many people are pro-privacy until it affects their bottom line.
Hate? Try to think of it from the perspective of a business in the US that wants to know why they have to (for lack of a better way to put it) bogu to an entity that does not represent them in any way. And the fact that you might sell something or service customers in Europe does not mean you should have to answer to any rules that they set up either. Should the town that I live in and operate a web site out of be able to have rules in place and then go after citizens in the EU for not abiding by them?
And actually it's one step further since many of the procedures and rules are being taken broadly and universally even against entities (businesses and us persons) that aren't even covered by the GDPR.
And no it's not like 'oh if you want to sell a car in Europe you need to certify this and that' that is not the same thing. Why? Well for one thing the golden rule. If you want that car allowed through the port you need to do what they tell you to do or they have a right to not allow it on their land. In this case their citizens are utilizing US websites and therefore it's on them to determine if they feel the service or product they are getting is fit.
I am referring to US businesses that don't have an office or physical presence in Europe. To those that do the 'golden rule' applies.
Fantastic.
Now they sent me a message telling me that I should sign up again on their website to continue getting their messages. No thanks.
Super basic stuff.
The reason being that in the past I've picked up some really nice contracts from recruitment agencies phoning or emailing me out of the blue, so I want to remain contactable.
So, yeah. Great. Thanks for the massive proxy unsubscribe request.
It's chewed up a few weeks of active development time putting in features for purging and exporting anything that looks like it might be personal information, plus a considerable magnitude more hemming and hawing and trying to figure out if, how and to what extent the regulations apply to us, and how the customers that we sell our products interpret the regulations and what features they require for their interpretation of compliance. It's a big headache, especially where we are also dealing in industries that have conflicting data retention requirements.
If we didn't have EU-based customers with sufficient sales to justify the effort, there are a thousand and one other things that we could have better spent that time and energy on.
The WHOLE POINT of GDPR is that many companies have continually pushed PII data handling down their list of priorities. As a result, the EU has decided to step in and use a law to bring it back up the list.
I care about privacy. Perhaps Mattheij does as well, and that's why this is important to him. If you agree with the spirit of the legislation, then I think you should also consider this a great opportunity to do the right thing, instead of a hassle.
To quote the author:
> Then automate it. If you could automate the collection of the data in the first place then you definitely can automate the rest of the life cycle. There is no technical hurdle companies won’t jump through if it gets them juicy bits of data but as soon as the data needs to be removed we’re suddenly back in the stone age and some artisan with a chisel and hammer will have to jump into action to delete the records and this will take decades for even a small website. Such arguments are not made in good faith and in general make the person making them look pretty silly after all nobody ever complained about collecting data, in fact there are whole armies of programmers working hard to scrape data from public websites which is a lot more work than properly dealing with the life cycle of that data after it has been collected. So yes, it is a burden, no, the burden isn’t huge unless you expressly make it so but that’s your problem.
However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:
- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically we might very well see GDPR actually benefitting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.
- How exactly does a privacy policy have to be worded so I don't get sued on day 1?
- In which way will I still be able to store address data for contacting my existing customers?
- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.
- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?
No-one can sue you now who couldn't before. I'm baffled that so many people believe this. I could complain about you to my country's regulation body. Then they could decide to audit you, and for a first offense issue a warning.
If you need the address data for marketing only, and you didn't get an explicit (opt-in) yes to receive marketing, then sorry. Get that explicit opt-in yes in the next week, or delete the data.
If you need the address data for other reasons, for example fulfilling your contract with the customer, or tax records, then keep it. But _only use it for those real reasons_. No free marketing lists. Sorry.
Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.
Google seems to think you can still use Fonts. They also seem to think that they will be the data controller, and not data processor, for any user data they scoop up [1]. This seems a bit weird to me. This is the only one of your questions that I'm really not sure about. If it was me, I would just host the font locally so I was sure.
1: https://github.com/google/fonts/issues/1495#issuecomment-382...
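The "store the IP for a limited time, with rules for when it is deleted" advice above, as an added example in Python (not code from this thread or any project it mentions). The two windows are assumptions: the full address is kept for 7 days for abuse handling, coarsened to a network prefix after that, and the entry is dropped after 90 days. The `reduce_ip` step is what keeps the older entries useful for statistics without identifying a single host.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hypothetical retention policy, an assumption for this example rather than
# anything stated in the thread: keep the full address for FULL_IP_DAYS so it
# is still useful for abuse handling, then coarsen it to a network prefix that
# no longer points at a single host, and drop the entry after TOTAL_DAYS.
FULL_IP_DAYS = 7
TOTAL_DAYS = 90


@dataclass
class LogEntry:
    seen_at: datetime
    ip: str            # full address, or a network prefix once coarsened
    event: str
    reduced: bool = False


def reduce_ip(ip: str) -> str:
    """Coarsen an address to /24 (IPv4) or /48 (IPv6) with the host bits zeroed."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class SecurityLog:
    """In-memory stand-in for a security event log (e.g. failed logins)."""

    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def record(self, ip: str, event: str, now: datetime) -> None:
        self.entries.append(LogEntry(seen_at=now, ip=ip, event=event))

    def apply_retention(self, now: datetime) -> Dict[str, int]:
        """Enforce the policy once; returns counts so each run can be audited."""
        kept: List[LogEntry] = []
        reduced = deleted = 0
        for entry in self.entries:
            age = now - entry.seen_at
            if age > timedelta(days=TOTAL_DAYS):
                deleted += 1                      # past the total window: delete outright
                continue
            if age > timedelta(days=FULL_IP_DAYS) and not entry.reduced:
                entry.ip = reduce_ip(entry.ip)    # past the full-IP window: coarsen
                entry.reduced = True
                reduced += 1
            kept.append(entry)
        self.entries = kept
        return {"reduced": reduced, "deleted": deleted, "remaining": len(kept)}

    def full_ips(self) -> List[str]:
        return [e.ip for e in self.entries if not e.reduced]

    def reduced_ips(self) -> List[str]:
        return [e.ip for e in self.entries if e.reduced]


def demo() -> dict:
    """Constructed sample: three failed-login events of different ages, one retention run."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    log = SecurityLog()
    log.record("203.0.113.45", "failed login", now - timedelta(days=1))
    log.record("203.0.113.77", "failed login", now - timedelta(days=30))
    log.record("2001:db8:abcd:1234::1", "failed login", now - timedelta(days=120))
    summary = dict(log.apply_retention(now))
    summary["full_ips"] = log.full_ips()
    summary["reduced_ips"] = log.reduced_ips()
    return summary


if __name__ == "__main__":
    print(demo())
```

`apply_retention` is meant to be run on a schedule; the counts it returns are the record of each run, which is the part a regulator would ask about if they ever did.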
2) Any item that is not legal there will be just void in court. You cannot be sued about an invalid legal policy, but only after breaking the law. The policies do not subsume law.
About the only thing you need to publish is which data is collected, how it is processed (and by whom if outsourced), for how long (if applicable) and how to remove it.
3) Uh, as usual complying to the law for PII handling?
4) Yes, if they are GDPR compliant. Make sure to put them in your privacy policy.
5) Yes, if the source is GDPR compliant.
Maybe you shouldn't operate your company if you can't comply, then. The entire point of the GDPR is elevating privacy as a priority. If that means companies that can't or won't comply can't operate, so be it. People always claim to be pro-privacy, and that means putting privacy above commerce, in the same way that a restaurant that can't or won't meet safety and sanitation regulations shouldn't operate.
- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile, curious they are)
- how easy it is for them to make requests (entirely manual vs. online service)
- wildcard factors (internet flash mobs bent on vengeance against a corporate)
There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.
For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request into the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.
Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
https://ico.org.uk/for-organisations/guide-to-data-protectio...
Another link from 2012 describing how to handle data protection in the 1998 framework: http://www.shoosmiths.co.uk/client-resources/legal-updates/D...
Unless data is removed before end of the process and company keeps only final outcome. ;)
If your company can not show the candidates why they were not hired, you are doing a very bad job.
Are you discriminating against protected classes?
Are you rude or offensive in your comments?
Then, stop doing it. That will be a very good side-effect of this situation. Public scrutiny works. If a company needs to make its interview notes public, those notes are going to improve in quality and abide by the law.
> how strong any company will experience their firehose of GDPR requests to be
If you are big enough to have a big influx of GDPR, you need to automate it.
> how easy it is for them to make requests
It needs to be easy. The goal is not to let your company shield behind "sorry it is too complicated to give you the information". You need to give people easy access to their own data.
> wildcard factors
How is this different from a denial of service attack on the technical side? On the legal side, there are lawsuits that are going to be more effective than GDPR, which starts with recommendations for improvement.
> The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it.
You only get the data about YOUR own interview. You can not hoard data this way. It works the other way around. The data protection is protecting you from the company monetizing this information without your consent. Companies are the ones hoarding YOUR personal data and creating a business around it without YOUR consent.
Your concerns are the main reason GDPR was created.
Huh. So, you’re saying a side effect of GDPR is a radical increase in recruitment/hiring transparency. As if that was a bad thing (clearly, it would be a shift in the capital/labor power asymmetry in favor of labor, but I'm not seeing how that's bad.)
Interview notes would not have to be turned over to the candidate. They are personal opinion of the interviewer even if they mention the candidate. GDPR protects that data: you may not disclose it because it would violate the rights of the interviewer.
> "This post is an attempt to calm the nerves of those that feel that the(ir) world is about to come to an end"
This post is actually a single person's viewpoint, a mere speculation of how things may or may not turn out to be. Your mileage may vary.
"the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers ..."
The author seems to have the idea that bureaucratic EU systems are inherently "good" and that even if things look bad on paper, it will be fine because they are "good" people. This is not how the legal system or legal compliance works.
Yes, we shouldn't aim to give governments power to push things to an extreme, but on the other hand we should also ensure that they have the ability to actually react to serious abuses.
In particular in the area of data protection, I don't know of a single example where the rules have been pushed to the extreme. If anything, as a private citizen I'm disappointed there's not been stricter enforcement. As someone who has had to deal with it on the corporate side as well, it's not been hard to comply with.
Enforcement here is generally always strongly predicated on not jumping straight to the strictest possible outcome, but in carefully considering how serious a transgression is. It's not that EU systems are inherently good, but that history and practice have shown that when they give flexibility, it takes serious abuses and ill intent to end up with the strictest reactions allowed, and there'd also be little reason to assume that anyone rushing to the strictest interpretations possible wouldn't get shut down hard by the courts.
My chief concern is that this will end up being an instrument wielded by big business (through political connections) at the expense of smaller companies, especially smaller overseas competitors but also domestically. If EU-US relations continue to sour, it could also become a weapon in a hypothetical trade war, which I guess is probably one of the "benefits" from an EU government perspective.
Codifying privacy protection is important, but GDPR favors big companies and governments too strongly over already risk-burdened entrepreneurs.
* Person did not consent, they left the form blank
* Person consented, but it was not recorded
* Person actively denied consent ( wrote "no")
Honda then sent commercial email to this set of users, to "confirm" their preferences. In my view, that's not reasonable - if I leave a "would you like to receive email" item in a form blank, that is not permission to send me email.
"This e-mail was sent to those individuals on the database where no “opt in” or “opt out” information was held"
Sounds like they were basically on a fishing expedition - if the individuals hadn't explicitly opted in, Honda shouldn't be sending them emails.
I think people miss that there is a very large qualitative difference between "no law" and "law". Even a very carefully targeted law will still have the effect, on the margin, of preventing or stopping compliant activities. But in the case of something like privacy, or control of data about you, maybe that's worth it in order to stop the noncompliant activities.
On a non-hypothetical topic: does anyone have a good resource on the requirements with regard to backups? That's one of the larger technical sticking points for me - do we have to delete from our backups as well on such a request?
Because the reverse also holds: if we remove the need for driver's licenses for cars, more people will be able to drive.
The fallacy is IMO that many people always consider the status quo ante as the perfect balance. Because we have gotten used to driver's licenses.
So the argument that new regulation stifles some non-harmful behaviour is a truism, but doesn't really contribute anything, unless it comes with numbers.
To remove some of the uncertainty and automate some of the compliance steps, we built a data discovery AI tech that scans corporate data to answer:
* "Do we even store personal information?"
* "Where do we keep it?"
* "How do we make sure PII is consistently stored only in the designated places?"
This may seem trivial to a micro-business that runs on a handful of database tables, which I think is where the author is coming from. But for larger companies, even understanding what's where and why (backups? emails? cloud storages?) is a highly non-trivial—if ultimately rewarding—endeavour.
Also, must be nice to live in a country where the regulator is as benevolent and reasonable as is described in this article.
I think it's ok for foreigners to be skeptical of this promise, as the article implies that this reasonableness is not encoded in law.
This is the main issue with this regulation in my opinion. Some of the recent statements by EU officials on that matter verge on absolutist notions of law: "Don't worry. Authorities will be lenient and benevolent." This is how absolutist kings argued why there shouldn't be a constitution or a state under the rule of law.
Such as?
> Also, must be nice to live in a country where the regulator is as benevolent and reasonable as is described in this article.
It is, thanks.
Q: Does my business need to appoint a Data Protection Officer (DPO)?
A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
The US did it recently: https://www.theguardian.com/business/2017/dec/06/oliver-schm...
I'm gonna take the advice of my employers Law department.
> The GDPR does not have this effect, but you may be interested to know that anybody can sue you or your business for whatever reason strikes their fancy. This is a direct consequence of doing business and has nothing to do with a particular law. What the GDPR allows private individuals to do is to contact their regulators and to complain if you decide to ignore their requests.
That's not exactly correct. Art. 79 of the GDPR allows people to sue directly for violations of GDPR although it's very non-specific.
What is however very interesting is article 80, which will allow a data subject to mandate a not-for-profit body to seek judicial or non-judicial remedy on his/her behalf. This will give quite a bit of power to non-profit organisations built for this purpose and will likely add quite a bit of pressure to large companies that don't comply with the law.
I’ll note that for real businesses this is just a thought exercise, but it’s one I keep coming back to. What if some less reasonable entity attempted to regulate in this way?
Other countries have already had to deal with the US on this front. If you are a US national you may find it extremely hard to get a bank account in a non-US country, for example; non-US gambling services also have to be very careful about US users (PokerStars et al) https://en.wikipedia.org/wiki/United_States_v._Scheinberg
There are also things like the Magnitsky Act and various other bits of human rights law that allow extremely serious crime and crimes against humanity to be pursued internationally.
The one we'll have to watch out for are Chinese censorship laws going global. There's already some weird side effects of "One China".
Welcome to our world :)
1. Invitation to treat: that is offering services for consumption
2. Offer to contract: fulfilling the invitation by making a contract of terms
If you drop a potential customer at step 1, e.g. having your web-server decline the connection based on GeoIP, would that not constitute reasonable effort? We don't have case law regarding GDPR yet but I would certainly argue that it shows efforts being taken to exclude EU residents.
there's a whole two hundred post debate around here whether ip are or aren't pii on their own, with the vast majority holding the wrong position.
there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). you also need a privacy policy if you are receiving phone calls. did you know that?
there's a whole bunch of implications on how liable you are about holding unwanted personal information, including unwanted medical personal information i.e. "hi I saw your gazebo renting service, I'm organizing an event but I am unable to walk due to a permanent disability and require that a ramp is present to access your gazebo, is that so?"
there is a huge surface area for uncertainty, up and including 'best practices' that are a constantly shifting target.
edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. that's why it's an issue, even without considering the address book, which is another issue by itself.
Largely pointless. EU courts have in the past ruled that IPs are personal data because they can be tracked back to a person. End of story.
>there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar).
was largely already covered by the previous EU privacy law and the german privacy law. Courts largely agree that calendars for appointments are fine as long as you keep them reasonably secure and don't throw them around in public.
>you also need a privacy policy if you are receiving phone calls. did you know that?
Yes I did. I informed myself when I registered as a small business.
You mean your website needs to have a note next to your phone number saying something like "we will not record your phone calls", and if there isn't, you're liable to be fined?
The problem is that it's a stupid question. No-one has just IP addresses, they have a mix of data. If you can combine the IP address with anything else to identify a natural person it becomes personal data.
https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
Bottom line, DON'T store/sell/mangle with personal data of your users unless you are able to fulfill this. I was thinking a bit about having an online store:
- make login as it is on Hacker News, you don't need email
- once the user has selected and paid for the goods, request a sending address and contact (phone/email/whatever)
- ship it, print the requested / store into cold store (it is not that hard, you do it for bitcoins, right?), delete everything except username and password (and maybe the attached goods) from server
The described process will pass the GDPR Nightmare Letter in 10 minutes (to write a general reply) that you sent to everyone requesting.
This is what traditional "physical" stores do, not the large chains, the traditional, one employee, family store. And it works.
For everything else require consent, including tracking, but think very hard if you need anything else as it will complicate your business progressively.
I really don't understand all the fuss about the GDPR, if you explain (and prove) this to the ICO, I would really like to see who will punish you for that.
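The minimal-data store flow sketched in that comment, as an added example in Python (not code from the thread or from any real shop). The shop, the `ColdStore` stand-in for offline storage, and the account and order names are all constructed for the example. The point it shows is that once `ship` has run, the only things the live system can say about the person are the username and a list of order ids, which is exactly what the reply to an access request then contains.

```python
import hashlib
import json
import os
from dataclasses import dataclass, field
from typing import Dict, List


def hash_password(password: str, salt: bytes) -> bytes:
    """Only a salted hash is stored; the password itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    order_ids: List[str] = field(default_factory=list)  # what was bought, not where it went


@dataclass
class OpenOrder:
    order_id: str
    username: str
    items: List[str]
    shipping_address: str   # collected at checkout, held only until dispatch
    contact: str


class ColdStore:
    """Stand-in for offline/cold storage: append-only and not reachable from the web tier."""

    def __init__(self) -> None:
        self._records: List[str] = []

    def archive(self, record: dict) -> None:
        self._records.append(json.dumps(record, sort_keys=True))

    def count(self) -> int:
        return len(self._records)


class Shop:
    def __init__(self, cold: ColdStore) -> None:
        self.cold = cold
        self.accounts: Dict[str, Account] = {}
        self.open_orders: Dict[str, OpenOrder] = {}
        self._seq = 0

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def checkout(self, username: str, items: List[str], shipping_address: str, contact: str) -> str:
        """Shipping details are requested only now, when the goods are paid for."""
        self._seq += 1
        order_id = f"order-{self._seq}"
        self.open_orders[order_id] = OpenOrder(order_id, username, items, shipping_address, contact)
        return order_id

    def ship(self, order_id: str) -> None:
        """Dispatch, archive the full record offline, then purge it from the live system."""
        order = self.open_orders.pop(order_id)
        self.cold.archive({"order_id": order.order_id, "username": order.username,
                           "items": order.items, "shipping_address": order.shipping_address,
                           "contact": order.contact})
        self.accounts[order.username].order_ids.append(order_id)

    def subject_access(self, username: str) -> dict:
        """Everything the live system can say about this person: the reply to an access request."""
        acct = self.accounts[username]
        in_flight = [{"order_id": o.order_id, "items": o.items,
                      "shipping_address": o.shipping_address, "contact": o.contact}
                     for o in self.open_orders.values() if o.username == username]
        return {"username": acct.username, "completed_orders": acct.order_ids,
                "open_orders": in_flight}


def demo() -> dict:
    """Constructed walk-through: register, buy, ship; snapshot the access reply before and after."""
    shop = Shop(ColdStore())
    shop.register("gazebo_fan", "correct horse battery staple")
    order_id = shop.checkout("gazebo_fan", ["gazebo, 3x3m"],
                             "1 Example Street, Exampletown", "+00 000 0000")
    before = shop.subject_access("gazebo_fan")
    shop.ship(order_id)
    after = shop.subject_access("gazebo_fan")
    return {"before": before, "after": after, "archived": shop.cold.count(),
            "live_open_orders": len(shop.open_orders)}
```

The archived record still exists in cold storage for the reasons the comment gives (tax, returns), so an erasure request would have to reach it on its own retention schedule; the live web tier, which is what gets breached or scraped, simply no longer holds the address.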
The latter group say things like "this is ridiculous, they're making us change so much" but never have an answer to the fact that they're already violating PECR or the Data Protection Act.
Which is why I'm shutting down these 20 domains running HTTP/SMTP services I'm hosting in less than a week, and wait until the smoke clears.
I'm not fluent in German so I wasn't able to fully understand the situation.
There are three problems however that I have with GDPR and I’d love to hear how other small non-EU businesses are dealing with this.
First is the requirement to have EU representation (Art. 27). Since I don’t have any physical presence in the EU, GDPR requires the appointment of a representative. It would appear that a new industry has been created selling non-EU businesses GDPR representation in the EU which in my brief Google searching can cost $1000 per year or more. Are other small business owners out there paying for this? Or how else to deal with this requirement? Not a lawyer but this is the only part of GDPR I am tempted to ignore.
Second is the common practice of using lead magnets to collect emails for marketing. My email signup forms are very clear about marketing use, and are double opt in, and subscribers can opt out with a single click. But my research suggests that this is still not GDPR compliant unless there is an explicit consent, which I believe will reduce email signup rates. Also, while Mailchimp has a GDPR form, it is quite large and doesn’t work embedded in web page headers, sidebars or popups. I’ve only seen one of these Mailchimp GDPR signups in the wild and they opened a new browser tab to present the hosted Mailchimp GDPR form which to me isn’t ideal. How are others handling email marketing signups? Disclosure and checkbox for consent seems a reasonable compromise but I haven’t seen this very often in the wild, at least not yet, that may change come May 25. Not a lawyer but I’m tempted to keep my current forms until I see more websites make changes.
Third, I have a medium sized mailing list (less than 10,000) mostly US based emails which is important for my business. Are people running consent campaigns (as suggested by Mailchimp?) I’m concerned that I will lose a substantial part of my list due to non-response. Again, the list is double opt in and I am very reasonable with my marketing emails. (Not a lawyer) but my thought is to segment my list into EU and non-EU customers and run a consent campaign only on EU emails. Has anyone run a consent campaign and how did it work out for you?
Any thoughts or suggestions from other small and solo business owners would be much appreciated.
It sounds like you don't value your time. In my universe (software development), time is money.
The lead magnet thing is such a good example. It’s a clear and voluntary trade-off: you can have this free resource if you join my list, from which you can unsubscribe at any point. It can obviously be done in a scammy way, but you’re clearly not doing that. But some people think you should have to provide that resource without any restriction.
Or that forcing people who already opted in to do so again is fair, because if they don’t reconfirm, then they must not have wanted to be on the list. This is like a SaaS company calling every customer periodically to ask them if they might want to cancel.
It makes no sense, but the pro-GDPR crowd on HN in particular is very hostile to marketing in general and email marketing in particular.
No one here who likes the GDPR gives a shit about your business. They’ll be happy to give you bad advice based on how they wish the world was, and if it costs you dearly, that’s not their problem and you probably deserved it anyway.
I’m doing some of the same activities as you, and I personally will be changing basically nothing for GDPR. I’ve always treated customers fairly and I’ll continue to do so. Governments that have no jurisdiction or enforcement mechanisms against my company can pound sand.
But if it required user activity to register for those lists AND you explicitly identified them as for marketing purposes, that seems like you already HAVE consent? I mean, what do you imagine consent to mean other than "an active affirmation from the user that they're ok with this". If it's indeed double opt-in AND clearly communicated, it seems you clear that bar by a mile?
Source: https://ec.europa.eu/info/law/law-topic/data-protection/refo...
1. In the same article[1] that you reference, the following paragraph might apply to your business:
> 27.2 The obligation laid down in paragraph 1 of this Article shall not apply to:
> processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)
I would ignore it for now. If any supervising authorities contact you regarding compliance issues, talk to an expert.
2. This is if you use Consent as the legal basis for collecting the data. I have seen a few businesses use 6.1.f [2] (legitimate interests) as their legal basis, which has other issues like the weighing test of interests not having been tested in court yet. The Article 29 Data Protection Working Party has released opinions on how 'legitimate interests' should be used [3]. However, there are other laws about marketing that could apply on a country-by-country basis. If you select the consent route, a double opt-in with the possibility to opt out at any time should be sufficient, as long as you document the text of the opt-ins and record it together with the date and time of the opt-in. Oh, and you don't make the consent conditional on getting your goods/services. I can recommend the Article 29 WP guidelines on consent [4] for extended reading. It sounds like your current process is enough or requires very little tweaking; I would keep it as is.
3. I have not run a consent campaign. I have run information campaigns about our users rights with links to required documentation and they have been appreciated. I would not run a consent campaign as I believe your consent should be good enough based on the process mentioned above.
Hope this helps!
[1] https://gdpr-info.eu/art-27-gdpr/
[2] https://gdpr-info.eu/art-6-gdpr/
[3] http://ec.europa.eu/justice/article-29/documentation/opinion...
[4] https://iapp.org/media/pdf/resource_center/20180416_Article2...
So it all depends.
> What the GDPR allows private individuals to do is to contact their regulators and to complain if you decide to ignore their requests.
The individual will not receive a payout from a GDPR violation.
I've had zero profit from user data so far - to the contrary. If everyone could be billed just with some cryptocurrency, totally anonymous, that would be great.
Part of making good backups is knowing that the backup can't change. The only solution now is to add paths to go back and modify those backups to remove customer data when asked to.
That is my plight anyways.
* Y2K
* Dot Com hysteria
* Dot Com crash hysteria
* AWS outages
* Will robots replace us ?
* Will Microsoft crush me ?
* Will Google crush me ?
* I just raised £30M series A, where my Aeron at
* Nosql means I can throw away everything I knew about databases
* Web first
* Mobile first
* XML everywhere
* OO everywhere
* Javascript everywhere
* AI everywhere
Where is the evidence for rational behaviour ?
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
If an authority did not go this way any fine could be voided by an appeal.
[0] http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...
If you’re posting users information to a public repo, then you fully deserve whatever impacts you’ll face when you have to delete it.
He's right that the DPD was not well-adhered to, though.
One critical change in the GDPR is the mandatory reporting of significant breaches. Before, it was entirely optional, so reports could come out years after the event once the material surfaced online.
Typical, simplified, workflow (varies):
1) Review what data you collect and why
2) Document these in an updated privacy policy along with third parties you share data with and why
3) Update all forms on your site collecting personal information
4) Update your cookie policy and the way you handle cookies, for some of these you might need consent, for some there might be exemptions
5) If you expect this to be an issue, set up automated means of handling requests pertaining to data subject rights, otherwise process them as they come via email
While some smaller sites are getting around the need for an EU rep by claiming that they are only processing data occasionally and not on a large scale (whatever that means, as it's not defined by the GDPR) there is a big problem with getting an EU rep, because as opposed to a DPO, which doesn't have liability, your EU representative "should be subject to enforcement proceedings in the event of non-compliance by the controller or processor." making that natural or legal person liable, so you won't be able to easily outsource this.
If you have set up shop in the EU, then it's pretty easy to handle the aspect of an EU rep. Also, if you're transferring data between your EU and US offices/datacenters, you can self-certify under the privacy shield, starting from ~$250 per year to not have to deal with binding corporate rules or standard contractual clauses, so that you can effectively make these transfers "safe" under the GDPR, along with various technical safeguards, of course.
Interesting: I have a number of anti-GDPR comments here and on last night’s GDPR thread that got upvotes last night US-time, heavily downvoted throughout the night, and are now going back up :)
Imagine a global paparazzi law banning photos of celebrities from being published without explicit consent.
Celebrities would be happy. Paparazzis and magazine readers not so much.
Hey, from my viewpoint the rabidly anti-GDPR crowd is from the US :p
But are you doing business abroad, just because you're on the internet?
Is it not the customer who is coming to you to do their business abroad, while you do your business in the country you live in?
Coming next is a global compliance nightmare. If you want to sell globally, you'll have to comply with dozens of unique local approaches. Small businesses won't stand a chance of being able to deal with that. An army of fee charging middle-men will spring up offering solutions, extracting fees accordingly.
Why don't you tell us how you really feel?
The same way judges can throw out a case without going to trial. Checking if the complaint makes sense, if it represents an actual violation as described, etc. Anyone dealing with the public knows that a huge chunk of the complaints don't even pass that bar.
>> Yes.
> Can you tell me their email address?
>> No.
Today I've been asked by a library of "Junta de Andalucía - Spain" to accept its terms and conditions to use the wifi internet connection provided for its users, and it's a clear violation of the GDPR by a government body: basically they're asking for a blank check to do whatever they want without bothering to ask/inform the user.
Translation by translate.google:
====
The Telecommunications Corporate Network of the Junta de Andalucía reserves the right to monitor and collect information while the user is connected to the Service. This information can be used at the discretion of the Telecommunications Corporate Network of the Junta de Andalucía and can even be shared with the State Security Bodies, their associates or suppliers.
Likewise, the Telecommunications Corporate Network of the Junta de Andalucía reserves the right to revise this agreement at any time.
The user must accept the General Conditions of Access each time they use the service and, it is your responsibility to review it each time the Service is accessed in case there has been any change.
The Telecommunications Corporate Network of the Junta de Andalucía, reserves the right to withdraw the Service, modify the specifications or forms of use thereof, as well as change access codes, users, passwords and other security elements necessary to access the Service . IF YOU DO NOT AGREE TO THESE TERMS, INCLUDING ANY MODIFICATIONS, DO NOT ACCESS OR USE THIS SERVICE.
====
> The GDPR is going to expose me to fines of up to 20 million Euros for even the slightest transgression
> No, the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers at the various data protection agencies in Europe they will first warn you with a notice that you are not in compliance with the law, give you some period of time to become compliant and will - if you ignore them - fine you. That fine will be proportional to the transgression. You can of course ignore the fine and then ‘all bets are off’ but if you pay the fine and become compliant you can consider the matter closed.
What if you get warned and decide at that point to just shut the site/app/business/project down?
Or is it the case that once you begin operating under the GDPR era, you'll have to handle those "good natured" enforcement warnings, delete data, etc?
I get that I'm probably compliant, and probably wouldn't have any complaints against me. I just don't know if it's worth waiting it out to see if there's an issue, or if now is my only chance to easily not deal with it by just blocking EU users.
My take on GDPR compliance from a solo developer perspective without a legal team to back him up.
Why should this be your headache? It's collected by Google, not you.
> Note that the 20 million Euros or 4% of global turnover is the maximum fine, the specific language is ‘a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater’, so that’s the maximum of the fine that’s being set by the 20 million or the 4%, and this bit is there to ensure that even the likes of Facebook and Google will not simply ignore the law and pay the fine to be able to continue as they have so far. This in no way should be read as you, the small business operator will face a fine of 20 million for each and every infraction that could be found.
Saying that this is intended to be aimed at the Facebooks and Googles is all well and good, but that's covered by the "4%" criterion. The €20 million figure is aimed at companies that have a global turnover of less than €500M, not the Googles and Facebooks. That's why it's scary.
Google fonts is just one of the many font libraries. For example, most web font licenses at myfonts.com don't permit webmasters to self host them. Bypassing the HTTP referer download protection, downloading them and then self hosting the font files could lead to significant legal problems.
> Well, this website is fully compliant with the law, so at least in this particular case it seems to work. Why? Because I don’t store any information about you. That’s a conscious choice on my part which I made long before the GDPR was even talked about in public. But if your situation is more complex then you too can be compliant, or at least - and this is key - you could try to be compliant. For instance, one oft heard argument is that no webserver (or even any internet service) is going to be able to be compliant because all web servers log IP addresses, and IP addresses are PII. But that argument does not hold water. There are several reasons for that, the major ones being: webservers only log IP addresses if you configure them to do so. Almost all webservers have a formatting option that determines what exactly is logged and you could configure your webserver to not log the whole address but just the network portion. You also have the option to log the address and to disclose that you do so in your privacy policy, but then you will have to allow for the removal of that data on request, which you may find burdensome (or not, that depends on the volume of such requests). Finally, you may have a legitimate reason to log the IP address, provided you delete it after you are done with whatever use you collected it for in the first place. There is enough room in the GDPR to hold on to the address for 30 days with a possible extension of another 60 days after which an automated reply to the user can tell them their IP address was purged and you’d be in compliance. That’s one of the reasons why I think the GDPR is a surprisingly good law, most of the time when legislation is written that impacts technology the end result is absolutely unworkable, in this case most scenarios seem to work well for all parties involved.
That's thoroughly good advice. Panic reduces efficiency and the capability to react rationally.
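The quoted article text above describes two concrete options for web server access logs: keep only the network portion of the client address, or keep the full address and purge it after a fixed retention window. The script below, an added example that is neither the article's nor the commenter's code, does both as a post-processing step over log lines in the common nginx/Apache "combined" format. It assumes that "network portion" means the /24 for IPv4 and the /48 for IPv6, and a 30-day retention period; the sample log lines and the reference date are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the nginx/Apache "combined" access log format.
# Addresses are from documentation ranges (RFC 5737 / RFC 3849), not real clients.
SAMPLE_LOG = """\
203.0.113.42 - - [01/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [20/Jun/2018:11:30:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "curl/7.58.0"
"""

# Assumption: the "network portion" kept in the log is the /24 (IPv4) or /48 (IPv6).
IPV4_PREFIX = 24
IPV6_PREFIX = 48

# Assumption: purge full-address lines after this many days (the 30-day figure from the article).
RETENTION_DAYS = 30

# Constructed "now" so the example is deterministic when run offline.
NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)

_LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")   # client address is the first field
_TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")              # "[01/May/2018:10:00:01 +0000]"


def anonymize_ip(addr: str) -> str:
    """Zero the host bits of an address, keeping only the network prefix."""
    ip = ipaddress.ip_address(addr)
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> str:
    """Replace the client address of one combined-format line with its network prefix."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    try:
        masked = anonymize_ip(m.group("ip"))
    except ValueError:
        return line  # first field is not an IP address (e.g. "-"); leave the line as it is
    return f"{masked} {m.group('rest')}"


def line_timestamp(line: str):
    """Parse the bracketed request timestamp; returns None if the line has none."""
    m = _TS_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def purge_expired(lines, now=NOW, retention_days=RETENTION_DAYS):
    """Drop lines whose request timestamp is older than the retention window.

    Lines without a parseable timestamp are kept so that nothing is silently lost;
    a real deployment would flag those for review rather than keep them forever.
    """
    cutoff = now - timedelta(days=retention_days)
    return [ln for ln in lines if (ts := line_timestamp(ln)) is None or ts >= cutoff]


def anonymize_log(log_text: str):
    """Option 1 from the article: keep every line, but only the network portion of the address."""
    return [anonymize_line(ln) for ln in log_text.splitlines()]


def retain_log(log_text: str, now=NOW, retention_days=RETENTION_DAYS):
    """Option 2 from the article: keep full addresses, but purge lines past the retention window."""
    return purge_expired(log_text.splitlines(), now=now, retention_days=retention_days)


if __name__ == "__main__":
    for ln in anonymize_log(SAMPLE_LOG):
        print(ln)
    print(f"--- lines still within {RETENTION_DAYS} days of {NOW.date()}: {len(retain_log(SAMPLE_LOG))}")
```

Both nginx (`log_format`) and Apache (`LogFormat`) let you change what the access log records in the first place, which is the cleaner route; the post-processing above is useful for logs that already exist, or where the server build in use cannot mask the address at write time. The two approaches are deliberately separate functions: masking at the prefix level means the log never holds data that needs a deletion path, while retention-based purging keeps the full address useful for abuse investigation but makes the purge job itself part of what you must get right.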
>Becoming compliant with this law will cause my business to go under
>If becoming compliant with the law will cause your business to go under that is more or less the same as saying that your business is built on gross privacy violations. So if that’s your business model then good riddance to you and your company
Hmm, I would nitpick on that, Google Adsense has been ass about getting GDPR compliant, they don't offer any method of serving ads without storing consent including their tracking-free ads. This is not something that affects me personally but I know people running larger websites that rely entirely on ad revenue (premium model is hard since they drive visitors with UGC, most people don't have an account, they don't want to paywall anything or ask money from the people that drive traffic). The site itself is already fully compliant and with exception of very minor changes (minimum age 13 -> 16, adding a "download everything" button) was compliant in the past.
I blame Adsense on that one, not GDPR though. The ad industry has to adapt, pushing the work on the website operators won't help and is not appropriate. IMO Adsense should either offer a fully consent-free ad experience in compliance with the GDPR or operate the consent dialog for the website owner in a non-intrusive manner.
Maybe this means there will be an opening for a GDPR-compliant adnetwork in Europe
You cannot store a user's personal data like IP or cookie id unless you have consent from the user.
I expect that nobody will comply with this. Smaller companies seem to think GDPR is something they can fix by changing the legalese in their impressum and privacy policy. "Yet another trip to the impressum generator".
Bigger companies seem to pretend they misunderstand the GDPR. I got emails and popups from Facebook, Twitter, Instagram etc informing me about all kinds of nonsense about how they changed their policies and asking me all kinds of unrelated questions about what kind of ads I want to see.
Not a single company asked me for permission to store my personal data.
This isn't true; there's a list of reasons you can keep information and "with consent" is one of them, "legitimate business need" another: https://ico.org.uk/for-organisations/guide-to-the-general-da...
But: "However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies."
So: you can store IP addresses as part of your information security needs, but not turn round and use them for direct marketing. (I'm not sure if web advertising counts as "direct marketing" here)
This isn't right. Consent is just one of six legal bases through which you can lawfully process data under GDPR.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
If you're talking about tracking cookies from an ad company, you better mention them in the privacy policy.
That’s not true. Apache and Nginx log IPs by default. Maybe OP should check his Nginx logs.
Thank you, random stranger on the Internet! However, that is not the law. And even if you are right? As I posted yesterday, half of the employers in the USA have 1-4 employees and make $387,200 on average yearly. Even if they get fined to 1% of the maximum, they are completely wiped out. So no, it's not hysteria, it's plain business sense for them to slap an IP ban on it and move on.
I will never pay the EU "internet transgression fees", no matter how well intentioned they are. Full Stop.
What I think is a big problem is this stuff about requiring consent. This is a big issue at the moment for website owners and app developers who have online advertising from vendors such as Google (Admob/Adsense) and use e.g. Google Analytics for development support. These guys do not record individual user details and have no interest in doing so.
Specifically for such people there is an issue where personalised advertising (according to Google and others) needs an opt in, fine, but for app developers and web site owners they don't have any user details other than maybe an IP address, so if they put up a pop-up and record consent how do they know who the user is if they don’t have any other user info?
This is leading to absurd discussions re for example Google Analytics used by millions of websites and apps. There is something called client id which GA uses to identify unique "users" or website visitors. Now apparently as it is unique this is personal data so should require consent according to some experts I have read. But as it is anonymous how can it be identified who it "is"? If a user demands to know what data a website/app has and mentions the client id info, well, who knows for sure what any client id represents in the real world?
More to the point, what is the likely legal/financial consequence if a user claims that the website did not ask for consent for this client id to be recorded (how would they be able to prove which one it was that was theirs anyway)?
Would they be able to sue? I presume not. So is the IC going to be interested in this apparent breach? And if the developer/website owner had a data breach where their GA account was compromised would they have to inform all the Client ID individuals? Again obviously not, but you see how these discussions are going!
See Google vs Oracle. Apple vs Google.
That’s the best way to ensure EU will never have a decent startup scene.
Any suggestions?
Serving a webpage is not doing business though.
That's what is at jeopardy here and nobody is willing to just say it.
Don't agree with the concept of tracking users to serve them ads? Great, make the case that GDPR ends the scourge of advertising subsidized applications as services.
Let's not ignore it though. The reality is, a lot of internet companies that consumers use and like, rely on either selling advertisers access to their market or sell user contact data outright, because there is no other way to make money.
If the argument is that this is an unethical and harmful way to keep services alive then we need to agree that the bulk of the last 20 years of startups business models are broken and what the implications for future internet business models are.
I agree.
If a startup is built on selling my data, I am more willing to pay a fee than to have them sell my data.
If we could go back to WhatsApp having a fee instead of Facebook using and selling my (meta)data, I would switch anytime. If Telegram starts raising a fee for using their messenger without anybody reading my messages/location/... I am all in.
Here's a fun little example of this: If one of your parents was a British citizen, then you're a British citizen 'by descent'—not merely eligible to become a British citizen after you fill out a form, you're an automatic British citizen by default unless you renounce your citizenship. (This has caught out at least one member of the Australian parliament, where dual citizens aren't allowed to serve.) This means that you can have someone who's an EU citizen (for the time being, at least), who doesn't live in the EU, has never set foot on EU soil, and maybe isn't even aware that they're an EU citizen themselves.
I thought one of the objectives of the EU is to make US social media pay their fair share. Citing the same article:
> European holdings or that use the EU to avoid paying taxes rightly worry about this particular aspect
So, what is it?
"The law has been in effect for over two years at this point, and the DPD, the European Data Protection Directive has been in effect for over two decades. So no, this law was not sprung on anybody, though it is very well possible that you only became aware of it a few weeks or months (or days?) ago. If that’s the case do not panic, you too will most likely be fine."
Nevermind the fact that the underlying privacy laws are much older, and so many practices were already essentially illegal but went unchallenged so far.
So what's this whole thing that's going to happen soon? It's going into double effect or something?
Now that we have a single law for a 500 million customer market with a substantial fine, things start to shift to the better.
Is this serious? Why would we assume enforcers to be good natured if they benefit from fines. Or to assume they would stay good natured, even if you have the most perfect humans there now.
It's far more likely that the EU is creating tools to prevent disruption and manipulate markets. The template will likely be followed elsewhere, effectively elevating the state's data collection abilities over all other organizations.
Note, Bitcoin does not seem compatible with their laws.
There are a lot of people making money by providing GDPR-compliant solutions. To avoid this, all that had to be done was to write a clear text with everything everyone had to do to be compliant, instead of piling up some big and dubious words that no one really knows what they mean.
Concerning the law itself, it's a lot of fireworks. Give it a few months and no one will care about it again.
Wait, or is it EU residents and not just citizens? Be sure to get that correct.
Enjoy.
As this is top of HN, perhaps there is a good chance he will read this because of his FB staff who read this and can't resist telling him? :)
My vocabulary has been enriched with a new word: PII. I like it. It simplifies when thinking about GDPR. I expect one or two years from now I'll know the important parts of GDPR like the back of my hand.
But right now every person in the world running a multinational company needs to understand a new piece of legislature that threatens 4% of their annual revenue. You have better things to do and so I understand everyone's anger.
But is it wrong to force business-runners to learn about GDPR, stuff that's pretty close to human rights, like "don't track any of my PII without telling me exactly what you plan to do with it"? Is it wrong to now have to learn this, as a web/app developer?
I'm sooooo sick of being tracked. It has definitely made me exit the social media world all together, six months ago. Even though it is detrimental to my career I even asked Linkedin to erase my data. I truly hope my career isn't screwed just because I refused to give Microsoft a detailed description of 30% of my person, my whole work life that they can connect to an email address (some people even give them their phone number), IP, tracking cookie, thus a Facebook profile, real or shadow, thus to the most detailed graph of PII there is, probably in the whole universe. Hopefully in the whole universe otherwise civilizations on other planets took a wrong step somewhere.
I hope GDPR leads to PII being treated as gold by the market because it's so rare. Because isn't it better to skip all this tracking business than having to deal with stuff like GDPR?
No cookies for me please. And I'm also sick of having to run javascript.
So, yes, but maybe no?
This whole sequence was sparked through a discussion about the GDPR on HN a few weeks ago and I've been working on it off-and-on hoping to get it done before the law becomes enforceable.
What are some methods for doing this? (aside from asking for birthdate, which is far from fool proof)
Typo: "food safety laws" is listed twice in the bullet points for the lemonade stand.
Hear hear!
wrong.
if everyone always followed the laws, earth would still be considered flat (at least until more recently).
1. Many people (even "rational hacker-types" ha-ha!) do not take the time to research, analyze or understand the regulations and laws that affect them.
2. Many people, even though they don't understand said regulations, will have an extreme negative reaction to the new regulation especially when they see big scary numbers like "$20M Euro". This is true even of regulations like the GDPR which most anybody should be able to read and understand in a couple of hours.
3. Many people don't understand where regulations come from or how they work. They have no understanding of scope, process, judgement criteria or enforcement vectors. This leads to terrifying visions of "EU cops" waiting at airports to arrest people the moment they get off the plane.
Frankly, the whole situation speaks to the profound ignorance and fear that lies at the heart of the modern nation state. Citizens do not understand the government, they have no understanding of how or why it does what it does, all they really understand is that the government can and will completely ruin them should they violate one the tens of thousands of laws and rules and regulations and decrees that modern governments impose on their domains.
This ignorance has real consequences and costs. You can see this now particularly in Britain where many people are now learning how their country actually works after voting to tear down their current regulatory and economic framework. But you can also see it in all the fear and the moaning and the teeth gnashing every time some new regulation is proposed. (The funny thing here is that even the most hardcore libertarian economists are coming to understand that regulation does not impede economic growth [1]. Indeed there's ample evidence that regulation, by imposing best practices on firms and increasing trust within the market, is a significant driver of economic growth.)
The reason I point this out on HN is because I think, at the end of the day, being an entrepreneur or an investor is all about learning how the world really works and then changing the world to work for you. And while most people can perhaps afford to plod along with all sorts of misguided notions about how the world works because their jobs do not require them to have any real understanding of the big picture, entrepreneurs and investors absolutely cannot. Buffett says it best: "Risk is not knowing what you're doing." The sites shutting down in the face of the GDPR out of fear and ignorance are making the most basic mistake, they literally do not know what they're doing.
[1] https://marginalrevolution.com/marginalrevolution/2018/02/fe...
For instance, I run a small community website (~30 people). I receive no income, and I know everyone involved. Everyone is in the United States. Is it open to the world? Yes, technically. What happens when an EU resident signs up? Well, I'll continue to do exactly the way things are currently set up.
How does this situation play out long term? First, I'll tell whomever contacts me that I am in compliance with US law, and I'm a US citizen. I do not have to follow their laws because it's not within my jurisdiction. Second, they will order me to block EU citizens from my site, which I will not do because it's a mandate of work on me for no reason by a foreign country.
So what happens in this situation? The only recourse for the EU is the internet version of "sanctions", to block my website from the EU.
Now they've set a really interesting precedent. How do they now enforce these blocks? Technical issues aside, are they going to do a whitelist or a blacklist? Regardless, they are setting up the equivalent of the Great Firewall for the purposes of maintaining the GDPR.
So why does this matter? It's only an isolated incident that will likely never occur, right?
Wrong. One community website like mine with one EU citizen that decides to file a GDPR complaint means that somehow this situation occurs. It can even be an intentional, "sign up, file complaint" immediately to trigger this legal situation. Think there aren't any foreign governments that wouldn't flood a system like this to censor the EU citizens in various mild ways? Think some random anarchist activist will not decide to monkey with the system by finding and reporting all the small violators?
The end product is a curation of the internet for EU citizens by EU government. Hopefully your leaders are benevolent, and nothing crazy happens in the democratic process. I remember being told during the Bush and Obama administrations that my views against government surveillance due to potential for abuse were unjustified because we could never have a horrible president and that our presidents will always be benevolent, so the policy would never change toward the worse. How did that play out? How do people think democracy functions, honestly?
Again, I really don't care too much. They can self censor if they want, but it really seems like GDPR is a win for Russian and Chinese meddling.