undefined | Better HN

0 pointsphiresky7y ago0 comments

You can keep storing an identifier (like email address) without any problems if you have a reason (like to blacklist them)

0 comments

4 comments · 1 top-level

imhoguy7y ago· 3 in thread

IANAL. I think you can't store raw email without user consent. It is personal data one wants to be forgotten. However you can keep pseudonymised data [0] [1]. E.g. just keep MD5/SHA hash of the email string.

[0] https://en.m.wikipedia.org/wiki/Pseudonymization

[1] https://www.protegrity.com/pseudonymization-vs-anonymization...

dangrossman7y ago

Your right to be forgotten is not absolute, but instead balanced against the business's interests: you can process personal data without consent when you have a legitimate interest in doing so. Recital 47 of the GDPR states: "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned". Storing a hash is likely a better practice for mitigating the damage of a data breach, though you have to process the raw email to get and compare hashes either way.

duxup7y ago

Hopefully that means you could keep some data like an email address that is key to creating an account to prevent abuses or duplication or other things.

DanBC7y ago

Which bit of GDPR do you think forces you to get permission to store raw email address?

j / k navigate · click thread line to collapse