[shados]

an exception stack trace containing the data of a customer object could put in a name by accident, for example. And then you're in trouble. The third parties you use could be storing data, even if they tell you they don't. If they do you need to get a DPA signed up. You might still need a DPO, and so on and so forth. It's a massive undertaking for any org of a reasonable size.

Worth it in the long run, as once we're used to it and tweaks to the law happen to make it easier/better? Sure. Easy? Heck no.

[simion314]

I think this can't happen in the scenario you mentioned of zero personal data stored, since you have a simple webpage , no personal data is stored, then your backend should have no customer objects to handle.

I seen the issue you described where an exception will log all the function parameters but if I am not wrong this logs are configurable so you can check the framework you use about this logs and probably is a good idea to delete old error logs(I know as developers we are busy and don't want to mess with log configs and cronjobs etc but even without GDPR an error log file containing DB data since 2017 is a security risk)

[scaryclam]

This isn't an issue I've come across. I've always put customer IDs in logging data, which is fine according to GDPR. Names, or other PII for that matter, shouldn't be in there, period. Stack traces are actually fine, just make sure you rotate your logs. Error and debugging logs are covered in the GDPR.

Third parties lying to you wont get you in trouble, it'll get them in trouble with the GDPR enforcers, so it's not worth doing that sort of "what if" exercise.

I've worked for organisations of many sizes. Basic data sanitation (aka, don't be daft) is enough. Give the GDPR a read, it's clear enough for almost all cases and isn't nearly as bad as some folks here on HN would have you believe.

[kasey_junk]

Customer ids may or may not be ok. You will get different guidance on that. For instance cookie ids are personal data.

[shados]

Third parties won't get you in trouble as long as you have a DPA, but you need to get it.

Customer IDs are fine as long as they can't be associated with other information anywhere else, but if they can, it's an issue.

Sanitation is easy but someone, somewhere will screw it up when you're not looking.

[Shebanator]

Yes, exactly. Thanks for chiming in.