[trca]

This is an extremely naive bunch of statements. For side projects where there is only a single developer, it's not a matter of "not caring" but literally not having the time to do these things. Putting an archive system into a service may not be as easy as a DB query. It could be pulling images out of a file storage system, generating thousands of PDF documents or a million other ways data is stored. I hope you can realize that oversimplifying every application to a DB query is just absurd. Add on top of that, now the developer needs to support an entire separate system for pulling data out in addition to whatever the project is meant for. What if this system breaks? Does the developer have to guarantee uptime for this system?

Also, I fail to see how not having time to build an archive system equates to the developer not storing their data securely? That's just an accusation you decided to make which is irrelevant and accusatory.

The point of this post was to show an easy way to ensure you're compliant in 15 lines of code. Building the archive system and associated subsystems will be more than that, without question. Just because you don't like this solution doesn't mean it isn't a solution.

[olliej]

ok, I am going to be nice here:

* how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?

* literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.

Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data.

And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.

[mixedCase]

Not the parent poster but:

> how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?

I don't believe the point is that it cannot be pulled into an archive, but that collecting all the data that belongs in such an archive of an specific user (and that user alone) can easily be a very complex task for projects of certain size:available manpower ratio, to the point that showing a query to a relational database with a well defined schema as an example strikes me either as ignorance of the state of real world software development or a gargantuan middle finger.

> literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.

Depending on the project that can easily be the case. There's of course the fact that no one can really claim all their stored data is safe from malicious actors, just reasonably secure according to their knowledge and what they're aware their software does; so comparing its difficulty to other things seems overly simplistic.

And sure, there's a lot of things that will be harder than an archival feature regardless of the data storage mess a project may be in, but it does not diminish the work required to implement archival on many of those.

> Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data

Congratulations if you happened to store absolutely no PII when building your product. You not only have the luxury of being able to provide any value at all without data, you happened to not store things that a lot of people often don't consider PII but that the GDPR does such as IP addresses.

> And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.

Can we really pretend with a straight face that the overwhelmingly massive cost of changing legacy software can be handwaved away and that all new projects are developed by people that not only are aware of the GDPR (that's an absurdly minuscule amount of all software developers) but that they are competent enough to fully comply with everything in it? I've worked on HIPAA-compliant software, I've seen people that have been working for years in the industry (both health and software) screwing up and/or making extremely close calls. This is not "escape user input in SQL calls", this is a sizeable piece of regulation without a clear course of action for compliance that will fall on the laps of developers of all skills around the world.