[itake]

I don't have time to build user exporting, user deletion, user notifications, amongst other required features on top of the already big backlog of fearures to do.

I use third party tools to help worth logging and error tracking.

Its just not worth my time to support gdpr on a website that makes no money.

[matthewmacleod]

“I don’t have time to label and expire all the food I prepare on top of serving meals to customers”

“I don’t have time to do all those structural calculations on top of all the properties I have to build”

“I don’t have time for all this silly human safety testing on top of all the drugs I have to develop”

Your statement is equivalent to the above. If you are unwilling to meet a relatively straightforward level or privacy and security for your users’ data, then personally I’m really glad that you’re going to prevent users from accessing it.

[orand]

Nice ridiculous examples. Now for some ridiculous examples on the other end of the spectrum:

"If you refuse to document every ingredient and possible allergic reaction when inviting friends over for dinner, then I'm really glad if you don't have any friends."

"If you don't create structural and safety calculations for your kids' tree fort, then I'm really glad when your kids fall out."

The point is, people need to be able to start small and then scale up if/when that makes sense. If everything has to start "big" (relatively speaking), then we will simply have fewer things, to the detriment of all.

[matthewmacleod]

Why are those examples ridiculous? They are all, like the GDPR, examples of regulation that says “demonstrate a basic level of care and attention when performing activities which may cause damage to users or customers”.

GDPR provisions are not onerous, are easy to follow, and are what we should expect every company handling personal data to already be doing.

[orand]

The original parent examples were side projects that make no money. So while it seems reasonable to expect this of companies, GDPR also applies to nonprofits, charities, things you create just for your friends, some random thing you put on the internet when you're 15 years old and have no clue about GDPR, etc.

[olliej]

If it makes no money why spend money on storage?

[dageshi]

Storage is cheap. Time is not.

[nils-m-holm]

Ludic drive?

[olliej]

Exactly how hard is it to do

select * from x where user == “whoever”;

Or whatever the syntax is.

Alternatively: why are your personal projects storing that data in the first place? If you’re unwilling/unable to put the time into something as trivial as making an archive I’m assuming you also aren’t putting the time into making your data storage secure. Arguably securely storing data is harder than producing an archive.

Or are you saying that gdpr sucks because it actually requires you to care about user data?

Seriously if you think gdpr is “too hard” just. Do. Not. Store. User. Data.

This is not hard. Arguably it is easier and cheaper than any option, including filtering users.

[trca]

This is an extremely naive bunch of statements. For side projects where there is only a single developer, it's not a matter of "not caring" but literally not having the time to do these things. Putting an archive system into a service may not be as easy as a DB query. It could be pulling images out of a file storage system, generating thousands of PDF documents or a million other ways data is stored. I hope you can realize that oversimplifying every application to a DB query is just absurd. Add on top of that, now the developer needs to support an entire separate system for pulling data out in addition to whatever the project is meant for. What if this system breaks? Does the developer have to guarantee uptime for this system?

Also, I fail to see how not having time to build an archive system equates to the developer not storing their data securely? That's just an accusation you decided to make which is irrelevant and accusatory.

The point of this post was to show an easy way to ensure you're compliant in 15 lines of code. Building the archive system and associated subsystems will be more than that, without question. Just because you don't like this solution doesn't mean it isn't a solution.

[olliej]

ok, I am going to be nice here:

* how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?

* literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.

Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data.

And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.

[mixedCase]

Not the parent poster but:

> how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?

I don't believe the point is that it cannot be pulled into an archive, but that collecting all the data that belongs in such an archive of an specific user (and that user alone) can easily be a very complex task for projects of certain size:available manpower ratio, to the point that showing a query to a relational database with a well defined schema as an example strikes me either as ignorance of the state of real world software development or a gargantuan middle finger.

> literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.

Depending on the project that can easily be the case. There's of course the fact that no one can really claim all their stored data is safe from malicious actors, just reasonably secure according to their knowledge and what they're aware their software does; so comparing its difficulty to other things seems overly simplistic.

And sure, there's a lot of things that will be harder than an archival feature regardless of the data storage mess a project may be in, but it does not diminish the work required to implement archival on many of those.

> Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data

Congratulations if you happened to store absolutely no PII when building your product. You not only have the luxury of being able to provide any value at all without data, you happened to not store things that a lot of people often don't consider PII but that the GDPR does such as IP addresses.

> And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.

Can we really pretend with a straight face that the overwhelmingly massive cost of changing legacy software can be handwaved away and that all new projects are developed by people that not only are aware of the GDPR (that's an absurdly minuscule amount of all software developers) but that they are competent enough to fully comply with everything in it? I've worked on HIPAA-compliant software, I've seen people that have been working for years in the industry (both health and software) screwing up and/or making extremely close calls. This is not "escape user input in SQL calls", this is a sizeable piece of regulation without a clear course of action for compliance that will fall on the laps of developers of all skills around the world.

[huebnerob]

Yes, but my understanding is that you don't need to automate these features, so you would just do it all manually until your scale starts to make building tools worth it.

[andonisus]

Maybe they don't want to spend time doing it manually...?

[rando444]

This is why I like the GDPR.

If you can't be bothered to care about people's personal information, then maybe you don't need it in the first place.

[huebnerob]

Statistically, we're not talking about a lot of requests here and they're most likely to be deletions which should be trivial.

[fwdpropaganda]

Don't worry, people will build those tools open-source the same way that they've built other tools for other purposes. I'm sure if a Django library for doing all those things doesn't already exist, it will very soon. It will become a popular project too, because at some point it will become the default.

I meant, respecting the law has been a thing for many years, you know? GDPR isn't really different.