[pas]

First of all, GDPR does not apply to personal sites. ( https://law.stackexchange.com/a/28086 - see current "in force" version of the directive: https://eur-lex.europa.eu/eli/reg/2016/679/oj see recital 18)

> [...] GDPR sets a minimum amount of cost/effort to run a website [...]

This is simply false. If you want to post something on the 'net, nothing changes. You want to count page downloads? (You know those old school CGI counters.) Nothing changes. You want to know how many individual visits you got? Well, you need to try to distinguish between new and returning visitors, hence you might put a cookie on the visitor's browser/client/useragent, now you need to ask nicely, because it's eerily easy to use that cookie for a lot of other purposes. (Similarly if you would try to use something else, like IP address, and/or browser fingerprinting.)

And so on. Yes, I like pretty graphs about visitors (browser screen size distribution, fancy geoip charts, etc), but so do the people that live off the not so innocent usage of this kind of data.

And yes, if you collect personal data, then you should be able to protect it. This was always the case, GDPR simply states this and tries to create a mechanism that forces data holders to act accordingly (via the mandatory data breach reporting). Again, similarly, if you handle a lot of data you should be able to accurately take a stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.

> I think it disproportionately impacts smaller sites.

Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.

GDPR at least makes WordPress, discourse, and random blog and forum engines able to deal with the reality of how much value their databases represent nowadays.

[samdunham]

I'd say that medium sized sites are more troublesome in that regard. Once a site has grown big enough to become cumbersome for one person to manage, but not large enough for most to justify staff, then you have an issue. There shouldn't be any excuse for a small site to fall behind with updates, etc... It's simple.

[pas]

Absolutely. This is the typical problem of small-medium sized shops everywhere around the world. If you're just a really small one-man army, big companies don't really care. If you are getting bigger, suddenly you will find competition and a lot of regulatory burden. (Most startups usually fail at this point as far as I know.)

[marcinzm]

>First of all, GDPR does not apply to personal sites

No, as I read it excludes sites that do not engage in economic or professional activity. It is specific about what personal means and it's definition is not necessarily the colloquial definition of personal.

So, as a layman, by my reading getting donations makes your site covered, running ads make it covered, allowing people to sell things makes it covered, people connecting for jobs makes it covered, using it as advertising for your professional career (ie: blog post that says you're looking for a job) makes it covered, etc.

Or maybe it doesn't cover those but then I'd need (and thus need to pay) a lawyer to know wouldn't I? Layers aren't cheap compared to the cost of modern web hosting.

[Mirioron]

>First of all, GDPR does not apply to personal sites.

And next to no websites actually fall under this exemption. Furthermore, simply to know that your website falls under this exemption comes with the cost. You must know that your website falls under this exemption, requiring you to know GDPR and/or requiring a lawyer to look it over (high cost).

>This is simply false. If you want to post something on the 'net, nothing changes.

Simply having to know what GDPR is, what it covers, and whether you fall under it has a cost. So the statement that nothing changes is patently false.

Also, I'm pretty sure that by default most software that serves websites would already put you under GDPR, because it collects IP addresses and they're considered personal data.

>Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.

So, because there were other limiting factors for them we might as well make it illegal to run such websites? I guess I can understand why the EU's tech sector is doing so poorly.

>Again, similarly, if you handle a lot of data you should be able to accurately take a stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.

But it's not about that. It's "if you handle any data then you must constantly be available to tell users what data you have about them". This, ironically, puts people's data at risk, because suddenly you forced website owners to reply to phishing requests. What's the chance that every single website owner everywhere never gives out personal data to the wrong person? I would say that that chance is effectively zero.

[pas]

Of course, just as with any piece of regulation, some might affect you without you ever knowing it.

Furthermore, you seem to be mixing things up with outright falsehoods. If you are a user, and you want to use a service that provides publishing, let's say tumblr/medium, you don't have to worry anything. If you are a - let's say - power user, and you want to set up a website, then you set up - again, let's say - WordPress, then you don't have to worry about it, because it's a purely personal activity and the providers of the trackers have the burden of compliance here.

I'm not saying "yaay, it's the best thing ever", and it'll surely change as courts and data protection authorities of member states interpret and apply the regulation (and then cases against those go through the courts), but it's certainly a serious attempt at some sort of ideology about personal data. And the tracking and cookies is completely irrelevant most of the time. (After all almost all sites really don't know and gather more than your IP address and your user-agent.) However. Malicious users can inject all kinds of CSS-based history-leaking nasty stuff, and big players like FB and G can naturally feel that building a universal profile based on your activity and data and visits of others sites (where G or FB is embedded), and that's what this is about. That now there's a decision that you have a right to know what G/FB/etc does with your data. How that profile looks like and what happens to it, who has access to it, and who does what with it.

> What's the chance that every single website owner everywhere never gives out personal data to the wrong person? I would say that that chance is effectively zero.

Great point. It leads to a very important discussion about security. Sites are very lousy when it comes to social engineering. (And this is somewhat covered already: https://gdpr-info.eu/recitals/no-64/ )