[Silhouette]

You keep mentioning how you're consulting on this issue at the moment and claiming that those of us more cautious than you just don't understand how European law works. Would you mind sharing a little more to justify that authority -- what qualifications do you have that we don't, what sorts of business are you consulting with and how much is compliance (including your advice) costing them, and why is your interpretation of the GDPR reliable in cases where a literal reading either clearly contradicts you or contains significant ambiguity that you imply doesn't matter?

[geocar]

Hi Silhouette,

I'm not claiming anyone more cautious than me doesn't understand how European law works. That's just silly.

I also don't know what qualifications I have that you don't. What qualifications do you have?

The sorts of business I am consulting to are sales and marketing agencies based in the US. As an SME I work with their in-house council to help them understand what the business is doing. I also help define process designed to make compliance obvious and transparent surrounding areas of my expertise.

I have no idea how much compliance is costing them. I don't know if they look at it this way.

Your last "question" consists of some more straw man and a little too much hand-waving: By all means, feel free to point to any contradiction with a specific recital and I can try to address it. If you have another source who claims to be an expert, I can also try to explain why I may have a different opinion than them.

[Silhouette]

First of all, please let me apologise if my previous comment came across as unnecessarily aggressive. Looking over the thread today, it could be read as quite hostile, which wasn't my intent.

My concern here is that in this discussion (and indeed in other recent HN discussions around the GDPR), you have on several occasions relied on your role as a consultant to support statements that various actions weren't necessary because of the GDPR, and to dismiss some of the potential legal arguments/concerns that several of us have raised suggesting otherwise as if they are some sort of legal trickery and EU courts/legal systems would not like them.

I claim no special qualifications in this area. I'm just a guy who is running businesses that might be affected by the new law and wants them to do the right thing, but wants that right thing to be practical and to know that we're on safe legal ground with it. Naturally I also talk to others in a similar position from time to time, and occasionally with consultants or lawyers active in the field, and so I know that many others share similar concerns and are asking the same sorts of questions.

What I'm seeing is that most of the experts are arguing for things like a "risk-based approach", which is the standard CYA consultant/lawyer answer to almost anything where they can't say "We don't actually know either, but you'll probably get away with it if you don't rock the boat". My point is that this is not good enough. The EU and member state authorities have form, as I've written about elsewhere, for introducing overly broad laws with insufficient safeguards and insufficient consideration for small businesses, and for then causing real and sometimes very serious damage to those smaller businesses in practice afterwards.

This is why I'm arguing that the GDPR as it stands is a bad law. This is why I want to see clear, concise, unambiguous answers from authoritative sources on issues around backups, log/journal-based records, and the like. And this is why I'm asking what your own qualifications are and what you know that we don't, given that just a couple of comments up you have casually dismissed concerns that many of us seem to have as being "silly", when those concerns are based on reading what the GDPR actually says and the ambiguity that we're hearing from other experts who don't seem to share your clear view of the subject.

[geocar]

> [I'm just a guy that] wants that right thing to be practical and to know that we're on safe legal ground with it.

Then explain clearly and specifically what thing you want to do that you believe isn't practical. Please say exactly what you want to do that you think is reasonable but that the GDPR says isn't.

- You don't need to destroy invoices. [1] [2]

- You don't need to delete web logs (if you block out the bottom octet of the IP addresses) [3]

- You don't need to delete web logs if you're using them to prevent fraud [4]

- You don't need to delete the record of them asking you to stop using their data [5] [6]

- You don't need to reprocess all of your backups [7] [8]

- You don't have to recall any reports you might have sent out [9]

Those are everything that I labelled as silly with a link to the authority and a supporting opinion if I think that the authority isn't clear.

If you see someone with a contrary opinion, my offer remains to try and refute any specific example.

> What I'm seeing is that most of the experts are arguing for things like a "risk-based approach", which is the standard CYA consultant/lawyer answer to almost anything

The ICO recommends something similar, but it's not just about rocking the boat: If you're not putting people at risk, and you're not pissing anyone off, then you're probably not going to have trouble because an honest examination of your processes isn't going to reveal neglect or recklessness of another kind.

> and for then causing real and sometimes very serious damage to those smaller businesses in practice afterwards.

A citation would be helpful.

I suspect there's a balance: Are we harming a smaller business that was being inappropriate? Putting people's data at risk? What exactly are we talking about?

[1]: https://ico.org.uk/for-organisations/guide-to-the-general-da...

[2]: https://www.planetverify.com/impact-of-the-eu-gdpr-on-accoun...

[3]: https://ico.org.uk/media/for-organisations/documents/1591/pe...

[4]: http://www.privacy-regulation.eu/en/recital-47-GDPR.htm

[5]: https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/34--guide-to...

[6]: http://www.privacy-regulation.eu/en/recital-65-GDPR.htm (note especially you keep the data in order to comply)

[7]: https://community.jisc.ac.uk/blogs/regulatory-developments/a...

[8]: https://ico.org.uk/media/for-organisations/documents/1475/de...

[9]: https://ico.org.uk/for-organisations/guide-to-data-protectio...