Exactly. People try to explain to me how it is impossible to comply, and usually it turns out that it would be easy. I think the problem most of the time is that people misunderstand the requirements or don't read the GDPR (not even the TL;DR versions).
It is easy if they believe a particular person's interpretation. But that doesn't mean they are right. People have huge problems interpreting the written word if it is not written without room for interpretation, and if you add to the mix bureaucrats that have targets to meet, you'll see it will not be easy at all.
I'm in the EU, I'm involved in some compliance stuff and have talked to plenty of others at other companies, and it really does seem to be a nothing-to-see-here for all companies except the sleazy ones.
In all of my research, talking to lawyers, and seminars on GDPR, it is about:
1. Ask permission for collecting data
2. Keep sensitive data safe
3. Restrict access to said data
4. Keep a log of what happens with the data
5. Delete it upon request
6. Have all of the above documented and adhere to the protocol.
It's such a non-issue unless you're relying on the very thing GDPR is designed to combat. If you're not collecting and selling people's data, and you don't do the above already, see this as a good opportunity to do what you should have been doing all along. There is such an awareness now that it's the easiest it has ever been to know how to handle sensitive data properly.
Completely agree with everything you list, and would add that 6. you can't force a user to give up privacy in order to get some other benefit, e.g. you can't offer to unlock some feature in return for more tracking
Example:
How do you ask a user for permission to keep access logs (which contain IP addresses) on the server, so that you can detect spam, DDoS and other attacks? How do you store that consent information, and what do you do if the user doesn't consent?
What do you do if a user connecting from a given IP address wants you to send him the data you have collected about him? If people share IP addresses, how do you know which log data is about which person?
Some entity runs a webserver. This entity has a legitimate business purpose in retaining access logs for e.g. 3 months for e.g. spam and security reasons. This entity just has to document that.
This entity can allow a 3rd party service to access these logs so that the 3rd party can do whatever needs to be done, if it is within the reasons the entity gave for having the data.
What neither can do is use that data for anything other than the said purposes.
And if the given reasons are gratuitous and somehow the regulators notice, expect to get a nastygram and have to comply or face fines.
Basically what you can't do is collect data for longer than you have a legitimate need for, or cash in and sell data you've collected. Basically, all said and done, just don't be sleazy and you'll be ok.
Who defines what is a legitimate business purpose?
Let's say I comply with all that, but someone makes a complaint and a particularly bitter civil servant judges that the collection is not legitimate, because he doesn't like the content of the website?
That’s like arguing that we shouldn’t have laws in case a cop is having a bad day and follows you around writing tickets. This is a legal process like anything else: your standard should be what you’re comfortable defending in court. Being able to show a good faith decision process, compliance with common industry practice, etc. are going to help the case that any lapse was unintentional.
If your angry ex is hired by a regulator you’d appeal it but there’s no reason to think that’s a common problem.
But an appeal might take forever, and by the time it is resolved you file for bankruptcy because the fine ruined the cash flow. I've seen it many times in the EU, for example in Poland. Civil servants are immune from taking responsibility, and if you manage to get any compensation you'll find yourself spending years in courts.
> Processing shall be lawful only if and to the extent that at least one of the following applies:
Consent is one:
> the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Here are all the others (see especially the last one):
> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
And even (1) isn't always needed. There are several justifications for processing personal data, and permission is only one of them. (Although for compliance it is the easiest)
Is there even a single thing forbidden under GDPR that wasn't already forbidden before in at least half a dozen member states? In that case, it makes everything easier except for ignoring requirements.
I'm not certain about the other member states, but to my knowledge the privacy law hasn't changed that much. There is a good increase in the amount of audit logging of any privacy-sensitive stuff you do and of course the various "Right to be *" variants, but those are largely non-issues.
German courts already considered an EULA or "check box to consent and get thing" a non-binding consent (to some extent).
Largely, if you are running afoul of the GDPR in Germany, there are basically two options: A) you rely on AdSense a lot or B) you ran afoul of the previous laws already.
So, overall, I would say that yeah, most of the stuff forbidden by the GDPR was already forbidden. The GDPR grants you new rights and requires corporations to ensure compliance however, that's new.
Plus the teeth in form of pretty hefty fine limits. Which is good IMO.
The only person whose opinion you should worry about is your internal legal counsel's. The nerds who try to carry on like this is a technical problem with a technical solution are so far off. It's about being able to argue and justify your interpretation, not how much you have gold plated your tech stack.
That doesn't have to be in money raised, that would be rather unlikely in this case.
It could be percentage of problems "fixed" whether that be by sharply worded letter or by court proceedings (the former is far easier and cheaper for the authority), or by the time it takes the authority to investigate a problem.
You don't know that, depending on how mad the person in charge is. Take into account that it might be good for a couple of years, but the power it gives might be tempting to shut down sites that are against the EU agenda.
There is no "TLDR" of the GDPR. It has to all be read, understood and complied with. This is basic legal compliance, and is not at all easy for a small business.
And if you are a small/medium business, don't comply and somehow are reported, you will receive an email from the regulatory authority of the country the person who reported you comes from. They will tell you what is wrong and point you to some articles that can give you advice on how to comply. If you have difficulty doing so, you can contact them and ask for specific advice; they will respond (probably a bit late), and as long as you comply with the RGPD within a month after that, you're good.
An audit can take some time and have a real impact on your business though, so I'm not saying everything is perfect. But to me, an audit is the only thing you have to be really afraid of, not fines.
Yes, and it is not that hard a read. The only problems people seem to be having are in trying to finesse the rules to avoid looking after data with due diligence. If you really want to look after data, then you just need to do that, and you will be compliant.