by guitarbill
2974 days ago
> Hi, I'm a European [...] (the UK)

Not for much longer :D But seriously, the British government and the various police forces don't have a great track record with regards to privacy (e.g. Investigatory Powers Act), so it's no wonder the ICO is underfunded and has had a very limited mandate.

> Given that things like access history/event logs are important for things like protecting ourselves against potential legal actions, disputed charges and the like, there is no possible way to give an intelligent answer to that.

Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us! Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation. The GDPR is maybe a bit heavy-handed compared to a gradual approach, because EU countries have previously had a hard time getting companies to comply with their data protection laws.

I'd be the first to agree, and I'm generally in favour of stronger privacy protections in law, particularly around government behaviour. But of course governments get a pass on many things that are otherwise restricted anyway, because they just have to whisper the magic words (usually something like "national security") and the carefully written exemptions in almost every piece of privacy and data protection legislation ever written are activated.

> Audit logs are an interesting example for sure. But that's a bit vague. Maybe somebody somewhere will sue us!

That's the problem, though, isn't it? These needs are vague and you can't predict when they will arise. Nevertheless, they do happen. In fact, the example I mentioned before happened just this week.

> Sounds like you need a lawyer regardless, and a competent lawyer should be able to identify a lawful basis with such strong documentation.

In my experience, having spoken now to several different people who are consulting on the GDPR including some who are lawyers, even they don't know the answers here. They have no crystal ball, and the language is so open to interpretation, and the regulators are so late at providing any guidance, and what guidance they have provided is often so poor that no-one really knows how this is going to play out yet. This of course creates uncertainty that is damaging in itself.