[Shebanator]

These kinds of responses are unhelpful. Yes, data protection is incredibly important. That doesn't mean that GDPR as written is a well-done regulation - in point of fact its insanely complicated and its pretty much impossible to know whether or not you comply, even if you store zero data about users. It also doesn't mean that people who don't want to deal with GDPR don't care about privacy. Tarring and feathering someone for such things is lazy and unfair.

[frereubu]

> in point of fact its insanely complicated

I disagree. I'm not sure what you've read about GPDR, but see the link I posted above. If you read the ICO guidance and still think it's insanely complicated, I'm not sure what to suggest because by that yardstick any legal matter is going to be insanely complicated and you'd be saying the same about any legislation. Do you have an example of any legislation that you'd say is better?

[Silhouette]

If you read the ICO guidance and still think it's insanely complicated

Just the scale of the ICO's guidance -- which still primarily covers only general principles without getting much into specific practices and concrete examples -- tells us that this is a complicated issue.

[frereubu]

I didn't mean to imply that it wasn't complicated - any legislation is going to need careful consideration because the wording is paramount. I was objecting more to the rather overheated phrase "insanely complicated," particularly when a counter-example of legislation that isn't "insanely" complicated wasn't given. Insanely complicated compared to what?

[Silhouette]

Insanely complicated compared to what?

I'd suggest that one obvious comparison is with not having the GDPR.

I know my own businesses spent considerable time and money understanding the implications and updating our documentation to comply with the new requirements. However, that was basically all we changed in the end, because we weren't doing anything particularly unusual or dodgy in the first place. In other words, for us, the whole thing was basically an expensive box-ticking exercise with no real benefit to anyone.

I imagine there are many other small businesses that could tell a similar story. The most likely alternative for those that can't is probably that they're not compliant, either deliberately or through ignorance of their new legal obligations, so that still doesn't benefit data subjects in any useful way.

It seems realistic to estimate that several billion pounds has been spent on this sort of paper-pushing exercise in the UK alone, which does suggest some level of rhetorical insanity here if it hasn't really benefited anyone in any measurable way. Perhaps time will tell and regulators will be more effective in curbing the excesses of the big data crunchers that these rules were presumably aimed at, but until we start seeing evidence of real benefits for the average person in the street, I for one will remain sceptical about whether all the extra red tape and complexity was justified.

[frereubu]

> I'd suggest that one obvious comparison is with not having the GDPR.

> Perhaps time will tell and regulators will be more effective in curbing the excesses of the big data crunchers that these rules were presumably aimed at...

Fair points. We've spent a decent amount of time working through GDPR implications for clients, and if nothing concrete comes out of this for the Googles / Facebooks of the world - which may take 5-10 years to judge - I'll be pretty angry too.

> until we start seeing evidence of real benefits for the average person in the street

I think there are already obvious tangible benefits. Our clients now have very clear markers on their websites about what data is going to be used and how. We've persuaded some of them to purge tens of thousands of email addresses from their lists that probably weren't even DPA compliant just because of the threat of GDPR, and I've spoken to non-tech people who feel more in control of data when signing up for things now. Not all organisations are following best practices - bundled consent seems to be pretty common still - but it feels like it's going in the right direction.

[simion314]

>its pretty much impossible to know whether or not you comply, even if you store zero data about users.

Can you explain how you store Zero data but you are not sure? Are you referring at the fact that you include third party code or use third party services?

The fact that the laws are not simple is because they need to define things very specifically to make it impossible for "clever" people to interpret them different then the "spirit oft he law"

[Shebanator]

Servers have logs, which can have a lot of personal data in them. Not all of that logging is under your control, especially if you rely on 3rd party services like AWS. This is a simple example but there are many more.

[RobertKerans]

I get what you're saying here, but if those [for example] logs contain personal information, and those logs are exposed (or have the possibility of being exposed) then that information should be redacted. Sure it's often not trivially simple, but it's your responsibility (AWS seems a wired example to use as well, given that any logging facilities actually provided by them offer redaction).

[scaryclam]

What logs are you thinking of? There are none that I can think of that require a lot of personal data. IP address storage is explicitly covered provided you log them for security etc.

[shados]

an exception stack trace containing the data of a customer object could put in a name by accident, for example. And then you're in trouble. The third parties you use could be storing data, even if they tell you they don't. If they do you need to get a DPA signed up. You might still need a DPO, and so on and so forth. It's a massive undertaking for any org of a reasonable size.

Worth it in the long run, as once we're used to it and tweaks to the law happen to make it easier/better? Sure. Easy? Heck no.

[simion314]

I think this can't happen in the scenario you mentioned of zero personal data stored, since you have a simple webpage , no personal data is stored, then your backend should have no customer objects to handle.

I seen the issue you described where an exception will log all the function parameters but if I am not wrong this logs are configurable so you can check the framework you use about this logs and probably is a good idea to delete old error logs(I know as developers we are busy and don't want to mess with log configs and cronjobs etc but even without GDPR an error log file containing DB data since 2017 is a security risk)

[scaryclam]

This isn't an issue I've come across. I've always put customer IDs in logging data, which is fine according to GDPR. Names, or other PII for that matter, shouldn't be in there, period. Stack traces are actually fine, just make sure you rotate your logs. Error and debugging logs are covered in the GDPR.

Third parties lying to you wont get you in trouble, it'll get them in trouble with the GDPR enforcers, so it's not worth doing that sort of "what if" exercise.

I've worked for organisations of many sizes. Basic data sanitation (aka, don't be daft) is enough. Give the GDPR a read, it's clear enough for almost all cases and isn't nearly as bad as some folks here on HN would have you believe.

[kasey_junk]

Customer ids may or may not be ok. You will get different guidance on that. For instance cookie ids are personal data.

[shados]

Third parties won't get you in trouble as long as you have a DPA, but you need to get it.

Customer IDs are fine as long as they can't be associated with other information anywhere else, but if they can, it's an issue.

Sanitation is easy but someone, somewhere will screw it up when you're not looking.

[Shebanator]

Yes, exactly. Thanks for chiming in.

[M2Ys4U]

So when you said "even if you store zero data about users" you meant "except for when you store data about users.

Okay then...

[allemagne]

Obviously, the number of people who think that GDPR and its rollout has gone perfectly is probably zero.

I think the reason there's so much defensiveness about GDPR is because it is legitimately a rare and valuable victory of data privacy advocates. From that perspective, the smug "just don't do business in the EU" meme might seems like a sentiment that ignores that victory so much that many probably assume it was born out of hostility to data privacy advocacy.

[watwut]

Frankly, I think that GDPR was rolled out quite well. And I think there was way more fear mongering and intentional confusion by the "no regulations should exist ever and all are badly horrible" then actual problems with legislations or its rollout.

I did seen institutions doing unnecessary crazy things or waking up a day before it went valid etc. There is no way this was avoidable entirely and given people trying to lobby against it by essentially lying, all in all it went quite well.

[hennsen]

So the post i replied to was helpful/constructive?

I am not even thinking that GDPR is implemented/written very greatly, and i was fearing too that it will mainly help to put small businesses out of any product category where storing even just an Email address is necessary(eg have an login and want to enable users to restoa forgotten password) while big companies have their lawyers to allow them keep abusing our data on the edge of legal possibilities and not to our favour...

So Im not yet sure if having no GDPR is better or worse than having none... Just, simply saying if you have data protection laws i avoid your market without any detailed reason or proposal how to improve doesn’t bring us forward...

[Shebanator]

That reply was pretty bad as well. But at least he didn't tell someone to shove things up their butt.... :-)

[hennsen]

Not explicitly - nor did I, you know, the sun don’t shine in many places - but implicitly it was saying i should do just that with my privacy expectations and our laws about them.