[DanBC]

> Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?

You don't need a lawyer to reply to GDPR letters. You do need to comply with the law when you collect personal data. What you're saying is "I should be free to ignore the law until someone writes to ask about my compliance, and when they do it's burdensome for me to get legal advice to respond to that letter".

[Silhouette]

I'm saying no such thing, and it's neither courteous nor constructive to twist words like that.

You keep asserting that it's not necessarily to have a lawyer review a letter, despite the letter being legal in nature and in this case clearly coming from someone who is looking to cause trouble. Clearly you and I have very different attitudes to risk in this respect.

In any case, an obligation to comply with the law is self-evident. My objection is that the law itself is poorly implemented and that what is necessary to comply is ambiguous.

[DanBC]

Everything you do with customers is legal in nature - what do you think governs your relationship if it's not legislation?

Your repeated scare mongering around GDPR is fucking tedious, especially since almost everything you've said about it is false.

[Silhouette]

Everything you do with customers is legal in nature

But most interactions with my customers do not begin with a multi-page letter that literally opens with a direct threat and then proceeds to demand a response on 40 different points.

Your repeated scare mongering around GDPR is fucking tedious

I run small businesses, and we have been dealing with GDPR issues. The ambiguity and overheads I have been talking about in this discussion are costing us time and money right now. Dealing with a letter like they one we're discussing would cost us more time and money. Apparently we aren't alone in these respects.

Some of the GDPR's supporters have argued that the lack of proportionality in the actual regulations is not a problem because the regulators will enforce it pragmatically. I have personally heard such arguments made about onerous EU rules before, and through my own businesses I have been on the receiving end of government mistakes and their rather unpleasant consequences. And again, that wasn't some freak unlucky event: thousands of other businesses are known to have been subject to similar problems, in more than one incident, involving more than one government authority.

A few people have suggested that involving lawyers in response to a letter like this is unnecessary. Clearly it's going to be a matter of risk assessment, but I don't think it's unreasonable. Once again, I have personally seen (at a former employer in this case) how much time can be wasted if a company gets caught up in formal legal proceedings even having done nothing wrong.

In short, there are people out there dealing with the issues you call "scare mongering" every day. These are not just hypothetical problems. Maybe you've never been caught up in them yourself, but sadly not everyone is that lucky.

especially since almost everything you've said about it is false.

If you're going to call me a liar, please at least tell me what I've written anywhere in this discussion that was false so I can set the record straight.

[tonfa]

Aren't those letters already pretty standard anyway? I was sending those to various places > 10 years ago using the existing privacy/data protection laws in the country I was a resident in.

(you get fun stuff back, I got all the logs from my public transit card that way)

[orangecat]

You don't need a lawyer when you talk to the police, you just need to not break the law.

[DanBC]

Well yes, if you've built a business around illegally using personal data you may need to get a lawyer involved.

It would be better to get the lawyer involved when you start your business so you know you're complying with the law.

And almost everything in GDPR comes from existing laws (IN UK the data protection act and PECR), so if your breaking the law under GDPR you're probably breaking the laws that exist now too.