by hywel 2973 days ago
It seems like more research into GDPR could have prevented this.

Firstly, there's nothing this site does that is so unusual. If the user gives explicit and informed consent for their data to be used in this way, then you are likely to be covered.

Secondly, it's looking unlikely that the rules will be enforced that strictly in the near term, especially against a small, hobby website. IANAL but you likely have a couple of years until you have any chance of being on the ICO's radar (ICO is the UK's enforcer). And even then, you can reasonably expect the fine to be << €4M.

Thirdly, if you run this site from a limited company (about £100/year to maintain), then the very worst case would be that you are investigated under the GDPR in the future, and you can fold the site then at which point your liability ends. No need to do it now, in fear of something that may never happen.

I hope it's not too late to change your mind about shutting down!


I am currently working in one of these multi-$bn companies. They run/are preparing GDPR.

So far I haven't found ANY person who has read the full 80 pages. Everyone is asking everyone else, they download whatever presentations they find on the internet, but NOT ONE has bothered reading the damn thing.

It will be a massacre for many companies, only because very few do their homework.

Having engineers read and interpret regulation personally is not a remotely sane legal risk management strategy. Read the thing on your own time if you're curious, but the engineering work should start with specialized outside counsel/consultants and percolate down to engineers as company policy via the CTO.

You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.

> You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.

Is that a bad thing? The vast majority of regulations exist because someone's "critical thinking" went too far in the name of profit.

>The vast majority of regulations

Your mistake is assuming that the idea being sold internally under the heading "compliance" is required by, or even tangentially related to, an actual regulation.

I have a theory about this. It's a kind of intentional incompetence. You won't get praised in an organisation for implementing GDPR because it is seen as a cost. In some cases it is even restricting revenue (or at least making it more difficult). By only having a surface understanding of the issue, you can intentionally misunderstand it while later having a plausible excuse. When/if you have a big lawsuit directed at you, you can blame the summary websites, consultants, etc. for being insufficient. Indeed, you can blame the GDPR for being "too complicated". "Even the experts got it wrong".

But if you read the law, claim to understand it and don't implement it properly, you are screwed. It's just another case where savvy managers are avoiding personal risk at the expense of corporate risk.

I'm going to add this syndrome to my growing list of "odd psychology in the software business" articles to write some day.
The damn thing is more abstract than poetry. It's indicative that all these months, I have not seen a single article / presentation that provides a concrete example of how to shield a website.
The law is completely readable by non-lawyers, IMHO. It's one of the better written laws I've seen. But here's a website by the UK government that explains what all the terms mean and exactly what you have to do: https://ico.org.uk/for-organisations/guide-to-the-general-da...
There are 28 member states. Under some circumstances, a company headquartered in the EU can have the headquarters country's authority act as its "one stop shop." But it would be a mistake for a foreign website to rely on the opinions of 1/28th of the agencies that might prosecute it.
There is a misunderstanding on your part. The law is not what's written but what the courts make out of it. Lawyers may have the experience to foretell that.

On the other hand I bet you have a better life with your belief until, if ever, you learn the difference the hard way.

Take the simple question: can you look at personal data on your monitor? What about Van Eck phreaking? Basically you are broadcasting the data. Do you need to protect against that?

Tell me what GDPR says about that.

The GDPR says that at the current state of technology it would take an undue effort to infringe someone's privacy in such a way, so the risk is unreasonable.

It's like worrying that someone will be struck by lightning because they're located on your property near an antenna you set up, and you'll be charged with murder because of that. Yes, it's possible, and about equally as likely.

It's worth noting, as well, that this part of the law hasn't changed at all. The changes to GDPR are about notification and a variety of rights. Protection for leaking data to unknown 3rd parties is exactly the same as it was.
If using a 30 year old attack costing a few hundred bucks is considered undue effort then we are all safe.

[1] https://en.m.wikipedia.org/wiki/Van_Eck_phreaking#LCDs

I would estimate the frequency of the attack similar to lightning killing people. I'm quite sure it happens but only on a very small scale because you have to get so close to the victim.

"...then you are likely covered." "it's looking unlikely..." "...run this site from a limited company..."

I can understand why a small project that isn't immediately profitable can take a look at the uncertainty and say, "no thanks."

If such uncertainty is really an issue, how do you cope with society in general?
If you're a big multinational, these uncertainties are a cost of doing business. You have a dedicated team of in-house attorneys and many other high priced lawyers on retainer. If the worst happens, you start private negotiations on settlements. When I worked for a firm owned by a very large multinational, our parent company basically had an IRS auditor with a dedicated office inside of the parent's headquarters. But you can absorb that cost across multiple entities.

Within society "in general" there are usually other forms for quantifying, and spreading, the cost of uncertainty among larger groups. We usually call those markets "insurance." Car insurance, life insurance, health insurance, disability insurance, homeowners insurance, landlord insurance... all of it exists to "cope" with uncertainty.

If you're running a small operation that's hovering at or below breakeven, it's reasonable to look at the existing uncertainty surrounding GDPR and find that the only winning move is to not play.

I'm not a FUD guy; I'm a numbers guy. Uncertainty is real and entire markets exist to deal with it. Where there are _not_ markets that allow you to quantify uncertainty, it is reasonable to look at the potential downside and say, "that's not worth the risk."

I'd be very hard pressed to run a business that catered to the EU at this point until the first N lawsuits happen. There's a reason why in the US people prefer to incorporate in Delaware: it's not because it's the most business friendly state, it's because there is so little uncertainty in case law.

I am making no claims as to whether GDPR is a good thing or a bad thing. Simply that it's an unknown thing. And unless you have the pockets to play in uncharted legal territory, it is perfectly reasonable to shake one's head and walk away.

Unfortunately for you, the ICO was directly asked about this and responded that they do not envision a grace period.

> Steve Wood, ICO Deputy Commissioner: Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy.

The grace period for the GDPR started in 2016 when it was adopted. Everyone had over 2 years to read and implement the GDPR.

All those concerns about the GDPR are, as far as I can tell, younger than a year, most of them even younger than a few months.

You had a two year grace period.

The ICO has a tiny staff and is already underfunded. The grace period is a pragmatic one, not one enshrined in law!
Except the lazy morons running the privacy orgs couldn't be arsed to give us final guidance until, well, mid April. And that definitely includes the ICO. I mean, I understand it's a lot to expect to have final guidance on running a balancing test more than a month before the deadline, but I guess grace periods are just for the regulators.
GDPR was written in 2012, as an update of a 1995 law; it entered into effect in 2016 with a grace period lasting until this year.

If 6 years wasn't a long enough period for companies to prepare I submit that no amount of time would ever be.

I wish we could say this about IPv6 too.