by geocar 3030 days ago
> [I'm just a guy that] wants that right thing to be practical and to know that we're on safe legal ground with it.

Then explain clearly and specifically what thing you want to do that you believe isn't practical. Please say exactly what you want to do that you think is reasonable but that the GDPR says isn't.

- You don't need to destroy invoices. [1] [2]

- You don't need to delete web logs (if you block out the bottom octet of the IP addresses) [3]

- You don't need to delete web logs if you're using them to prevent fraud [4]

- You don't need to delete the record of them asking you to stop using their data [5] [6]

- You don't need to reprocess all of your backups [7] [8]

- You don't have to recall any reports you might have sent out [9]

Those are everything that I labelled as silly with a link to the authority and a supporting opinion if I think that the authority isn't clear.

If you see someone with a contrary opinion, my offer remains to try and refute any specific example.

> What I'm seeing is that most of the experts are arguing for things like a "risk-based approach", which is the standard CYA consultant/lawyer answer to almost anything

The ICO recommends something similar, but it's not just about rocking the boat: If you're not putting people at risk, and you're not pissing anyone off, then you're probably not going to have trouble because an honest examination of your processes isn't going to reveal neglect or recklessness of another kind.

> and for then causing real and sometimes very serious damage to those smaller businesses in practice afterwards.

A citation would be helpful.

I suspect there's a balance: Are we harming a smaller business that was being inappropriate? Putting people's data at risk? What exactly are we talking about?

[1]: https://ico.org.uk/for-organisations/guide-to-the-general-da...

[2]: https://www.planetverify.com/impact-of-the-eu-gdpr-on-accoun...

[3]: https://ico.org.uk/media/for-organisations/documents/1591/pe...

[4]: http://www.privacy-regulation.eu/en/recital-47-GDPR.htm

[5]: https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/34--guide-to...

[6]: http://www.privacy-regulation.eu/en/recital-65-GDPR.htm (note especially you keep the data in order to comply)

[7]: https://community.jisc.ac.uk/blogs/regulatory-developments/a...

[8]: https://ico.org.uk/media/for-organisations/documents/1475/de...

[9]: https://ico.org.uk/for-organisations/guide-to-data-protectio...
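The second bullet above (keep web logs, but blank out the bottom octet of client IP addresses) is the one concrete technique in this comment. Below is an added example of how a log pipeline might do that; it is not code from the commenter or from any of the linked sources. It assumes Apache/nginx "combined" log format, where the first token on each line is the client address, and it generalizes the bullet to IPv6 by truncating to a /48 (the IPv6 prefix length is an assumption, not something the comment or the ICO reference specifies). Lines whose first token is not a parseable IP address are dropped rather than passed through, so a malformed line can never carry an unmasked address into the retained log.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample log lines (not real traffic), in combined log format.
# The third line is deliberately malformed to show the fail-closed path.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2000:13:55:37 -0700] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68"
not a log line
"""

# Combined log format: the client address is the first whitespace-delimited token.
_CLIENT_RE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")


def mask_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> Optional[str]:
    """Return the address with host bits zeroed, or None if it is not an IP.

    /24 for IPv4 is exactly "blank out the bottom octet". /48 for IPv6 is an
    assumed choice for this example; pick the prefix your retention policy needs.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    # strict=False lets ip_network discard the host bits instead of raising.
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> Optional[str]:
    """Replace the client address on one log line; None means 'do not retain'."""
    m = _CLIENT_RE.match(line)
    if m is None:
        return None
    masked = mask_ip(m.group("ip"))
    if masked is None:
        # Fail closed: an unparseable first token might still be an address in
        # some odd encoding, so the line is dropped rather than kept verbatim.
        return None
    return masked + m.group("rest")


def anonymize_log(text: str) -> Tuple[List[str], int]:
    """Process a whole log; returns (retained lines, number of dropped lines)."""
    kept: List[str] = []
    dropped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        out = anonymize_line(line)
        if out is None:
            dropped += 1
        else:
            kept.append(out)
    return kept, dropped


if __name__ == "__main__":
    lines, n_dropped = anonymize_log(SAMPLE_LOG)
    for l in lines:
        print(l)
    print(f"dropped {n_dropped} line(s)")
```

Run it over a real access log instead of `SAMPLE_LOG` and write the retained lines to a separate file; the count of dropped lines is worth alerting on, since a sudden jump usually means the log format changed and the masking silently stopped matching.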