by matthewmacleod 2975 days ago
It's not too tricky, fortunately!

1. Stop collecting any data you don't need. If you don't collect it, it's not an issue!

2. Have a way for users to access their data or request it be deleted. This can be a manual process.

3. Make sure you gain explicit consent for any data you capture from users, and explain why you are using it.

4. Make sure any data you capture is stored securely using industry best practices.

5. Put a retention policy in place for backups and logs – for example, delete them after 30 days.

That's basically it. It's more complex if you have a product that needs to store lots of data to function, or if you have a sprawling set of databases, or if you have some kind of un-deletable storage. But in general, you only need to do the sort of things that you should really already be doing if you use personal data.

And bear in mind that the goal of GDPR is not to fleece companies for fines, but to achieve compliance with the rules. If you do something wrong but act in good faith, you can expect a letter from whichever SA is coming after you. But you're not going to see a €20m fine any time soon.


> Stop collecting any data you don't need. If you don't collect it, it's not an issue!

That's trickier than it sounds.

If you embed a copy of jQuery on your page hosted by a CDN, you're collecting and sending personal data to the CDN. Do you have consent for that?

Same with web fonts, icon fonts, javascript libraries, social media follow/share buttons, analytics tags, etc you embed in the tags.

Every time your page is loaded, you're sending personal data to all those third parties, most of them not even located in the EU, which means you're sharing with a third party and doing a cross-border transfer.

You need more than just consent to do that, they're sub-processors for you, and you likely need signed Data Processing Addendums with each of those companies, and they need to have adequate protections for cross-border data transfers, like participation in the EU-US Privacy Shield Framework. Have you signed those agreements?

You can easily be sharing more data than you meant to, too. Let's say you send a newsletter for your website and you host a copy of phpList or similar software to manage and send it. In each mail you send out, you include an unsubscribe link, which has the address to unsubscribe embedded in the link.

When someone clicks that link, their email address will be part of the HTTP referrer header sent to all those third party scripts on your page. Now you're transferring email addresses to a half dozen third parties with no legitimate business reason to do so. Do you have consent to do that?
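The leak described in the comment above, worked through as an added example (this code is not from the thread or from phpList). It approximates the browser's Referrer-Policy algorithm to show which policies forward the full unsubscribe URL, with the address in it, to a third-party script host, and contrasts that with an unsubscribe link built from an opaque HMAC-signed subscriber id so the address is never in the URL at all. The addresses, hostnames, subscriber id and secret are constructed for illustration; the policy logic is a simplification of the spec (credentials and fragments are dropped, no redirect handling).

```python
"""Added example: what the Referer header carries from an unsubscribe page
to a third-party script, per Referrer-Policy, and a token-based link that
keeps the e-mail address out of the URL. All sample values are constructed."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page (address embedded in the link) and a cross-origin script.
PAGE = "https://example.org/unsubscribe?email=alice@example.com"
CDN = "https://cdn.example.net/jquery.min.js"


def referer_for(page_url: str, request_url: str, policy: str) -> Optional[str]:
    """Referer value a document at page_url sends with a request to
    request_url under the given Referrer-Policy; None means omitted.
    Simplified from the W3C Referrer Policy algorithm (no redirects)."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    origin = urlunsplit((page.scheme, page.netloc, "/", "", ""))
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":  # older browser default
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy in ("strict-origin-when-cross-origin", ""):  # "" = current default
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown policy {policy!r}")


def leaks_email(page_url: str, request_url: str, policy: str, email: str) -> bool:
    """True when the address in the page URL would reach the request target."""
    ref = referer_for(page_url, request_url, policy)
    return ref is not None and email in ref


# Mitigation: sign an opaque subscriber id instead of putting the address in the URL.
def unsubscribe_token(subscriber_id: int, secret: bytes) -> str:
    """'<id>.<hmac>' token; the server maps id -> address, the URL never holds it."""
    mac = hmac.new(secret, str(subscriber_id).encode(), hashlib.sha256).hexdigest()
    return f"{subscriber_id}.{mac}"


def verify_token(token: str, secret: bytes) -> Optional[int]:
    """Return the subscriber id for a valid token, None for a tampered one."""
    sid, _, mac = token.partition(".")
    if not sid.isdigit():
        return None
    expected = hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()
    return int(sid) if hmac.compare_digest(mac, expected) else None


def unsubscribe_link(base: str, subscriber_id: int, secret: bytes) -> str:
    return f"{base}?t={unsubscribe_token(subscriber_id, secret)}"


if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_for(PAGE, CDN, policy)}")
    secret = b"constructed-demo-secret"
    link = unsubscribe_link("https://example.org/unsubscribe", 1042, secret)
    print("token-based link:", link, "->", verify_token(link.split("t=")[1], secret))
```

Under the old default (`no-referrer-when-downgrade`) an https page loading an https CDN script sends the full URL, address included; `strict-origin-when-cross-origin` or a `Referrer-Policy: no-referrer` header on the unsubscribe page stops that, and the signed-id link removes the address from the URL so nothing sensitive is there to leak regardless of policy.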

> If you embed a copy of jQuery on your page hosted by a CDN, you're collecting and sending personal data to the CDN. Do you have consent for that?

You're not collecting anything there, so it's nothing to do with the GDPR - it might impact the CDN, but it's unlikely without them tying your IP to other personally identifying information. Analytics would be, because that's personal data you are collecting, so you'd need to ask permission for that.