by jmickey 3055 days ago
In essence the GDPR requires you to be accountable about all personal data you collect and use in your daily operations.

Compiling a list of all personal data currently located in your systems and making sure you have a legal basis for each item goes a long way towards compliance (though of course this is not all you need to do).


So, let's say:

- WooCommerce on url xxx: phone number, email, name & address. Google Analytics & Facebook Pixel. Requirement for e-commerce fulfillment and analysing website performance / ad performance.

- Mailchimp: email and name, when accepting WooCommerce "Terms and conditions" n°2. Requirement for recurring e-commerce updates/changes of new products.

- OpenERP (invoicing - local network): first name, last name, address, email, phone, orders. Requirement for invoicing.

Somehow I can't believe that would be sufficient.

It can get tricky. Analysing web performance is not a direct requirement to fulfill orders, so you would need an explicit opt-in from your customers that lets them agree to their personal data being used in this way.

With Mailchimp you probably need to let your customers separately opt into their e-mail being used for marketing purposes, as again that use is not strictly required to fulfil their order.

Same with any other information - your customers need to be aware of all the ways you will use their data. If any uses are not covered by a legal agreement, there needs to be an option to opt-in.

Analysing performance is a requirement for more sales.
It’s not. GDPR is so overly broad that it’s almost impossible to be in full compliance. Not only does it count IP addresses as personal information, but it covers all EU residents, apparently no matter where they are in the world, even if you have no way of knowing they’re EU residents.

I really doubt most small-medium businesses without ties to the EU are going to pay any attention. Just like VAT actually.

Mind you an IP address is personal data only if it identifies an individual. Same goes with any other information.
That’s not what I’ve seen from my admittedly cursory research, but I don’t see how that matters anyway: how would you know if the IP address could personally identify an individual? It seems like you would have to assume that it could.