by someguy2018 2976 days ago
I think very few people here are trolling. I'm certainly not. And I think it's unkind to attribute malice to those who are confused or merely disagree.

> We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.

My definition of "reasonable" isn't the same as that of European regulators. I know this because I don't consider an IP address to be PII. Luckily for me, on this particular point the GDPR is explicit in saying that it is. If I were left to define PII myself, though, I could well have opened myself to regulatory action, as IP addresses were logged and shared incidentally with third parties in many places.

I think this style of writing laws gives way, way too much power to regulators. Particularly for companies with no physical EU presence and thus no way to vote or have any say in how the regulators work.

I think very few online businesses will be fully 100% compliant with every provision of the GDPR and all its current and future interpretations. So we need to just hope and trust that all the regulators in all the Union countries won't punish anyone who doesn't really deserve it. That's not a good situation.

> So what's the minimum period you absolutely need that data/those logs/those backups for?

There is no answer to this question. Strictly speaking I don't need any backups or logs. I've also, rarely, encountered subtle data corruption bugs in the wild where having backups that go back months was critical and the more the better.