I don't have time to build user exporting, user deletion, user notifications, amongst other required features on top of the already big backlog of fearures to do.
I use third party tools to help worth logging and error tracking.
Its just not worth my time to support gdpr on a website that makes no money.
“I don’t have time to label and expire all the food I prepare on top of serving meals to customers”
“I don’t have time to do all those structural calculations on top of all the properties I have to build”
“I don’t have time for all this silly human safety testing on top of all the drugs I have to develop”
Your statement is equivalent to the above. If you are unwilling to meet a relatively straightforward level or privacy and security for your users’ data, then personally I’m really glad that you’re going to prevent users from accessing it.
Nice ridiculous examples. Now for some ridiculous examples on the other end of the spectrum:
"If you refuse to document every ingredient and possible allergic reaction when inviting friends over for dinner, then I'm really glad if you don't have any friends."
"If you don't create structural and safety calculations for your kids' tree fort, then I'm really glad when your kids fall out."
The point is, people need to be able to start small and then scale up if/when that makes sense. If everything has to start "big" (relatively speaking), then we will simply have fewer things, to the detriment of all.
Why are those examples ridiculous? They are all, like the GDPR, examples of regulation that says “demonstrate a basic level of care and attention when performing activities which may cause damage to users or customers”.
GDPR provisions are not onerous, are easy to follow, and are what we should expect every company handling personal data to already be doing.
The original parent examples were side projects that make no money. So while it seems reasonable to expect this of companies, GDPR also applies to nonprofits, charities, things you create just for your friends, some random thing you put on the internet when you're 15 years old and have no clue about GDPR, etc.
Alternatively: why are your personal projects storing that data in the first place? If you’re unwilling/unable to put the time into something as trivial as making an archive I’m assuming you also aren’t putting the time into making your data storage secure. Arguably securely storing data is harder than producing an archive.
Or are you saying that gdpr sucks because it actually requires you to care about user data?
Seriously if you think gdpr is “too hard” just. Do. Not. Store. User. Data.
This is not hard. Arguably it is easier and cheaper than any option, including filtering users.
This is an extremely naive bunch of statements. For side projects where there is only a single developer, it's not a matter of "not caring" but literally not having the time to do these things. Putting an archive system into a service may not be as easy as a DB query. It could be pulling images out of a file storage system, generating thousands of PDF documents or a million other ways data is stored. I hope you can realize that oversimplifying every application to a DB query is just absurd. Add on top of that, now the developer needs to support an entire separate system for pulling data out in addition to whatever the project is meant for. What if this system breaks? Does the developer have to guarantee uptime for this system?
Also, I fail to see how not having time to build an archive system equates to the developer not storing their data securely? That's just an accusation you decided to make which is irrelevant and accusatory.
The point of this post was to show an easy way to ensure you're compliant in 15 lines of code. Building the archive system and associated subsystems will be more than that, without question. Just because you don't like this solution doesn't mean it isn't a solution.
* how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?
* literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.
Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data.
And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.
> how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?
I don't believe the point is that it cannot be pulled into an archive, but that collecting all the data that belongs in such an archive of an specific user (and that user alone) can easily be a very complex task for projects of certain size:available manpower ratio, to the point that showing a query to a relational database with a well defined schema as an example strikes me either as ignorance of the state of real world software development or a gargantuan middle finger.
> literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.
Depending on the project that can easily be the case. There's of course the fact that no one can really claim all their stored data is safe from malicious actors, just reasonably secure according to their knowledge and what they're aware their software does; so comparing its difficulty to other things seems overly simplistic.
And sure, there's a lot of things that will be harder than an archival feature regardless of the data storage mess a project may be in, but it does not diminish the work required to implement archival on many of those.
> Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data
Congratulations if you happened to store absolutely no PII when building your product. You not only have the luxury of being able to provide any value at all without data, you happened to not store things that a lot of people often don't consider PII but that the GDPR does such as IP addresses.
> And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.
Can we really pretend with a straight face that the overwhelmingly massive cost of changing legacy software can be handwaved away and that all new projects are developed by people that not only are aware of the GDPR (that's an absurdly minuscule amount of all software developers) but that they are competent enough to fully comply with everything in it? I've worked on HIPAA-compliant software, I've seen people that have been working for years in the industry (both health and software) screwing up and/or making extremely close calls. This is not "escape user input in SQL calls", this is a sizeable piece of regulation without a clear course of action for compliance that will fall on the laps of developers of all skills around the world.
Yes, but my understanding is that you don't need to automate these features, so you would just do it all manually until your scale starts to make building tools worth it.
Don't worry, people will build those tools open-source the same way that they've built other tools for other purposes. I'm sure if a Django library for doing all those things doesn't already exist, it will very soon. It will become a popular project too, because at some point it will become the default.
I meant, respecting the law has been a thing for many years, you know? GDPR isn't really different.
My reading of the GDPR says that the MINIMUM fine is 20,000,000 Euros, which I think would be a pretty big problem for an individual working on a side project.
I also think the 403 error page explaining that the GDPR is the reason the visitor can't access the page is a nice touch.
> My reading of the GDPR says that the MINIMUM fine is 20,000,000 Euros.
€20M is the minimum value for the upper limit of an Article 83(5) or Article 83(6) administrative fine; it's not a minimum fine, and a lesser value (€10M) applies as the corresponding base upper limit for some other violations.
You’re misreading the fine is in the range 0..max(20 million, .04*revenue).
Basically if you’re a small business your maximum fine is likely 20 million, if you’re a large one it’s 4% of your global revenue. The global revenue is needed because companies are perfectly happy moving their money around to minimize the amount of money they make in places that will fine and tax them. They’re also super good at manufacturing reasons that profit does not actually get recorded as profit. Also it’s generally accepted that fines and settlements are an expense, so you’d get a situation where ome fine would effectively discount another.
It's only a problem if you are fined, and actually pay it.
The odds of an individual, unknown, low traffic side project facing these problems are effectively zero. Go play the lottery.
I use third party tools to help worth logging and error tracking.
Its just not worth my time to support gdpr on a website that makes no money.