by ascar 2948 days ago
It's not just small businesses. The serious effort to fulfil this legislation and the constant threat that you still don't is simply too much for small non-profit organizations and personal websites. A lot of one-person blogs that are inactive but a valuable source of information have been taken down because of that.

I also stopped hosting demos of my side-projects (just for github or cv links), because following this law for this kind of service is just unreasonable. And I do not even have to cause any kind of harm to be fineable in Germany.


If your demos required storing or using someone else's personal information, taking them down was the right thing to do (assuming you weren't going to put effort in to become compliant). If they didn't, you panicked and took down potentially valuable data of your own volition.
Just adding a legally correct data protection and privacy policy is often too much of a burden, even for otherwise fully GDPR-compliant websites. Especially as I cannot be sure if it is legally correct without consulting a lawyer (that's one of the big pain points for non-profit and private websites).

One of my demos required multiple roles for the service and hence had authorization and authentication built in, i.e. it was storing email addresses (though I happily handed out prepared near-full-admin accounts to everyone interested). It was on a subdomain with robots.txt set to disallow, so there was very little chance someone would find it by accident. Still, making this GDPR compliant without consulting a lawyer was too much effort and risk for me.

I'm not even sure, without consulting a lawyer, if a fully static pure HTML website would be DSGVO (the German GDPR) compliant without adding a privacy policy to it. After all, I could still be tracking users by HTTP/TCP/cookies and would have to inform the visitor whether I do or don't.

The Information Commissioner's Office (the regulatory body in the UK) says:

Who needs to document their processing activities?

There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that: are not occasional; or could result in a risk to the rights and freedoms of individuals; or involve the processing of special categories of data or criminal conviction and offence data.

GDPR is designed to be easy for small organisations to adhere to. No documentation needed if you have only small, non-sensitive data flows. IANAL, of course.

And, just like that, the tech world suddenly understands the stifling burden of overregulation that affects nearly every other industry.
Just as the world learns the horrible reality of practically criminal underregulation that the tech world has been operating under.
Well, it depends. If you only enable access to the demo without storing any personal information, there is no problem whatsoever.

If, in order to access the demo, you need to give your e-mail address, and you are harvesting e-mail addresses in this way, you need to inform the users you are doing so, and provide a separate unchecked box "Subscribe to the Newsletter". In this way you are honest with the users, with how you are using their data, and you stick to the letter and the spirit of the law.