Am I reading this wrong? If the college student creates just a simple page, he/she is already compliant with GDPR.
If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.
The treatment of privacy is one of the issues where it's pretty much impossible for an individual to protect themselves; GDPR tilts the scale in favor of individuals.
I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.
A DPO is only needed in specific cases. Dank meme sites don't fit in any of: a) public authority, b) monitoring subjects on a large scale, c) dealing with criminal conviction data.
> build a system to get user consent
It's called a checkbox. They likely use one to agree to the TOS anyway. If you don't have that one, DMCA and COPA are what you should be worried about before GDPR. (If you're based in the US anyway.)
However, nowhere does it actually specify what sort of scale constitutes "large". I don't see any user count thresholds or anything like that.
Also, it's possible that someone's list of authored memes is personal data. If somebody creates a lot of political memes then this could easily be covered by article 9, since political affiliation is explicitly covered there.
Additionally just saying "have a checkbox" isn't going to cut it. GDPR forbids blanket opt in or opt out schemes. You would have to build a system to track what the user has consented to and refactor all features to abide by each user's consent configuration.
I'm not saying every one of these tasks is hugely onerous - just that I can see the use case for blocking EU traffic to avoid having to abide by their regulations.
No, because that website doesn’t collect personal information.
> and build a system to get user consent, etc.
You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
Yes it does. It at least records an email address and password to create profiles. And any features like tagging memes, marking memes as favorites, etc. could be argued to constitute personal data.
> You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).
Again, I specified a meme generator site that has at least some user specific personalization.
Themselves
> build a system to purge user data
SELECT * FROM users, memes, usermemes WHERE userid = #####
You sign up for a website and upload and share a bunch of memes.... honestly... the shit isn't really your data anymore. It is the public's. You shared it and yanking it back is kind of a dick move.
It really isn't as "simple" as a DELETE statement that some people argue it is.
This is my plan. What are they going to do, extradite me over claims that my access logs include IP addresses? Claim that I do business in the EU when I don't take payments, every side project I've made is in English, and I've never set foot there?
For normal operation, system logging is pretty much a requirement for essential operation. That includes most properties of a connection like IP, UA, date, time, URI, etc.
Do you disagree with this TLDR of the regulation?
https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-d...
Without a bunch of work that hasn't been done, I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, or Privacy by Design, and it does clearly state it is Personal Data.
It's called software cause it can be changed easily.