by jimktrains2 2972 days ago
"few". Handling customers individually in terms of logs and database backups, for instance, is not a small undertaking. Deleting all traces of a customer is nigh impossible; I bet even "compliant" places don't do it right.

The PCI DSS has nothing in it like the GDPR; I'm not even sure why you would compare them, and it makes me think you know nothing about either.


It depends how you do it. For me dealing with PCI DSS compliance was mainly to get rid of unwanted traces in the logs and anything permanent (backed up), and separating services dealing with sensible information.

While doing these changes, there will usually be a rethinking of how user data is handled at its core. For instance I worked in the past on dissociating a user account from its profile and private info, so we could get rid of personal info and only keep behaviors.

With GDPR you get similar leeway for keeping most of your data as long as you get rid of identifying info in a reasonable manner. If I’m not mistaken backups are also safe up to a point, but I don’t have the details at hand.

My main point was that if someone had the occasion to think thoroughly about user data policy and cleaning unwanted traces at least once in the past, GDPR was a lot easier than one might think at first.