> Meanwhile, I don't know of any Europeans who don't support it (on an individual level) or who find it confusing.

Hi, I'm a European who doesn't support it and who does find it confusing. To be more precise, while I'm generally in favour of better privacy protections in law, I don't support this poorly implemented attempt, because I think it will have all sorts of unintended consequences that may not be in individuals' best interests, while also imposing a disproportionate burden on controllers and processors who weren't abusing that data for unsavoury purposes anyway, particularly smaller organisations. And maybe "confusing" isn't quite the right word, but in my view it's far too ambiguous in its treatment of some of the most fundamental issues to provide a good platform for future data protection. Much of the official guidance, however, is confusing, often to the point of being misleading and counterproductive.

> we've had similar provisions in EU countries for a while, so it's not a big deal.

All regulation is a big deal if you're running a microbusiness and don't have dedicated staff to deal with it. In any case, there are several new or significantly extended rights introduced by the GDPR that certainly weren't there before in my country (the UK).

> So what's the minimum period you absolutely need that data/those logs/those backups for?

Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that. I can, however, state as fact that we have had to rely on detailed log records from several years ago when threatened with actual action by someone who was clearly trying to take advantage of the situation and hadn't expected us to still have evidence that undermined their claims, so any claim that we can just cycle these things out after a few days is demonstrably false.

Given that we're not doing anything particularly unusual either legally or in processing data for everyday business purposes, I have to assume we are far from alone in having these experiences and the concerns they raise.

> There's no one-size-fits-all approach, so the law isn't written like that.

While that may be true, it is entirely useless to someone well-intentioned and acting in good faith who is trying to work out what they actually have to do to comply with the new regulations.
Not for much longer :D But seriously, the British government and the various police forces don't have a great track record with regards to privacy (e.g. Investigatory Powers Act), so it's no wonder the ICO is underfunded and has had a very limited mandate.
> Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that.
Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us! Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.
The GDPR is maybe a bit heavy-handed compared to a gradual approach, because EU countries have previously had a hard time getting companies to comply with their data protection laws.