by reynoldsbd 3029 days ago
Definitely not true. GDPR significantly broadens the types of data subject to legal requirements. Whereas yesterday I only had to protect PII and content, now even telemetry and performance data becomes subject to new rules.

This is a huge problem for an org that relies on huge amounts of such data to keep our product running and uses systems which were never built with these new rules and classifications in mind.

Furthermore, there are huge complications surrounding "data processor" scenarios (in other words, Enterprise SaaS products). For example, what takes precedence, GDPR deletion or our contractual security/auditing obligations?

Again, I'm not saying that any of this isn't worthwhile, just that when you get down into the weeds things look a little different.


I think the main issue that I see is that whilst GDPR doesn't massively expand the scope of what is personal data beyond that under existing data protection law, it does expand the territorial reach of data protection law.

US companies who previously had the narrow scope of PII to handle now have to consider the much broader scope of 'personal data'. I am sure that for lots of US companies providing services to EU citizens/residents, that will definitely represent a substantial burden.

Even for EU companies, the reality is that many will have previously taken a view that the size of potential fines was not high enough to warrant giving certain matters that much attention or at least spend money on areas they considered more important. For example, if I have a choice between implementing additional security measures to protect my network versus building functionality to delete on command, many companies will have gone with the former.

On retention, my view is that if you consider it necessary to retain information for purposes of auditing/security, and have made that clear in your contract with the client (who should then make that clear in their privacy notice if they don't already have a general caveat around that), then the right to delete under Art 17 does not kick in because Art 17(1)(a) is not engaged. Also, dependent on the grounds on which you are looking to retain, Art 17(3) gives a controller a clear ground to retain.

Also, the right to erasure is one that will generally be directed at the controller. The controller would then flow down that request to a processor, but that is where the contractual protections would come in, which, in my experience, most clients are generally willing to accept.