Hacker News new | ask | show | jobs
by geocar 2942 days ago
> Additionally any malevolent user (as is shown in this case) is incentivized to send a GDPR data access request while this is not true for DMCA.

People send fake DCMA takedowns all the time.

If someone sends you a GDPR data request, you can ask for administrative costs. You can even ask it to be mailed to you via post. If someone sends you a bogus and unreasonable GDPR data request, you can ask them to pay you a further reasonable fee.

This can almost be an auto-response. Trolls will get bored.

> Work required for complying with a data access request: Search every single service you potentially could have stored user data in and provide it to the user. A non basic feature that requires custom development.

This is not true. Recital 62[1] says you don't have to give them any data they already have, and Recital 57[2] says you aren't obliged to determine which of your data identifies them if you aren't going to do it anyway.

[1]: http://www.privacy-regulation.eu/en/recital-62-GDPR.htm

[2]: http://www.privacy-regulation.eu/en/recital-57-GDPR.htm

> I agree however that they are both horrible laws.

I like the GDPR a great deal, and I think it'll be good for companies big and small in the long run. Disclaimer though: I'm doing some GDPR consulting, so you might prefer to think I'm getting paid to like the GDPR.

The scary bit seems to be for companies that approach compliance from the point-of-view of centralising understanding, and minimising the impact and costs of that compliance. They're looking for someone to tell them "this is enough effort", but the point is that Europeans don't want people playing chicken with their data[3].

As soon as companies realise that embracing the spirit of the GDPR is cheaper, it starts becoming a real opportunity for them.

[3]: https://www.sec.gov/Archives/edgar/data/33185/00011931251815...
1 comments
sameyolo 2941 days ago
I felt the regulation text itself was clear that the first request is free.

"1 - The controller shall provide a copy of the personal data undergoing processing. 2- For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs."

https://gdpr-info.eu/art-15-gdpr/

link
geocar 2941 days ago
The ICO says that the fee must be based on the administrative cost of providing the information which seems consistent.

Since you're allowed to respond to the first request with a list of the types of information you control, you should be able to do this without a search (and without undue costs).

link