undefined | Better HN

0 pointspyrale3y ago0 comments

> This makes it very difficult to comply.

It is really not hard at all to comply with GDPR. Don't collect private informations you don't need, and don't share them.

Now what's hard is to build a system that complies with GDPR's letter _and_ breaks GDPR's intent. And you know what? That's intended.

0 comments

LegionMammal9783y ago

> It is really not hard at all to comply with GDPR. Don't collect private informations you don't need, and don't share them.

The problem is, not all personal data corresponds to the intuitive notion of "private informations". For instance, I, as a U.S. citizen, would be violating the GDPR if I operated a dumb HTTP server that stores request logs indefinitely and does no other processing, such as "python3 -m http.server". (IP addresses are personal data, and U.S. authorities can make me turn over my logs; thus, I cannot store the logs for however long I want.)

Kalium3y ago

Can you define "private informations" and "need" in unambiguous ways, please? In my experience it's shockingly hard to do so once you get beyond the basics.

Even when you have clear legal obligations to collect a bunch of private data, you still have to figure what reasonable measures to protect it are. What's a reasonable measure when you're obligated to keep seven years of financial records about your customers in a way that lets you produce ready reports for regulators? Complete with mandatory personal identifiers for tax purposes?

robin_reala3y ago

I’m not sure what you mean with your second point. A legal need to collect and process personal data is a valid GDPR basis. You don’t need to get consent there.

Kalium3y ago

You don't, but obligations under GDPR include taking "reasonable measures" to protect the private information you're obligated to collect. The point I was making is that this underscores is how difficult it is to define "reasonable measures" because not collecting private information is not always an option.

GDPR is not just about being obligated to ask for consent. Its requirements go a great deal further. Probably. Maybe. Depending on what someone unknown with an unknown background considers reasonable based on unknown factors.

I'm sure that will be easy to write requirements around. Right?

j / k navigate · click thread line to collapse

0 comments

LegionMammal9783y ago

> It is really not hard at all to comply with GDPR. Don't collect private informations you don't need, and don't share them.

Kalium3y ago

Can you define "private informations" and "need" in unambiguous ways, please? In my experience it's shockingly hard to do so once you get beyond the basics.

robin_reala3y ago

I’m not sure what you mean with your second point. A legal need to collect and process personal data is a valid GDPR basis. You don’t need to get consent there.

Kalium3y ago

I'm sure that will be easy to write requirements around. Right?

j / k navigate · click thread line to collapse