[dorfcakeling]

If your demos required storing or using someone else's personal information, taking them down was the right thing to do (assuming you weren't going to put effort in to become compliant). If they didn't, you panicked and took down potentially valuable data of your own volition.

[ascar]

Just adding a legally correct data protection and privacy policy is often too much of a burden. Even for otherwise fully GDPR compliant websites. Especially as I can not be sure if it is legally correct without consulting a lawyer (that's one of the big pain points for non-profit and private websites).

One of my demos required multiple roles for the service and hence had authorization and authentication build in. I.e. it was storing email addresses (though I happily handed out prepared near full-admin accounts to everyone interested). It was on a subdomain with robots.txt set to disallow, so very little chance someone would find it by accident. Still making this GDPR compliant without consulting a lawyer was too much effort and risk for me.

I'm not even sure without consulting a lawyer, if a fully static pure html website would be DSGVO (the German GDPR) compliant without adding a privacy policy to it. After all I could still be tracking users by HTTP/TCP/cookies and would have to inform the visitor, if I do or don't.

[gcthomas]

The Information Commissioner's Office (the regulatory body in the UK) says:

Who needs to document their processing activities?

There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that: are not occasional; or could result in a risk to the rights and freedoms of individuals; or involve the processing of special categories of data or criminal conviction and offence data.

GDPR is designed to be easy for small organisations to adhere to. No documentation needed if you have only small, non-sensitive data flows. IANOL, of course.