Sure, but there are different kinds of mistakes. A surgeon can make a mistake, but it's a different kind of mistake if instead of a surgeon, a plumber cuts the patient with a kitchen knife.
I agree it's a difficult problem and it's hard to define boundaries, but some level of competence is welcome when handling data that belongs to other people.
If you start some internet service, I expect you not to lose my data (in some lame way, s.h.), just like I expect my car mechanic not to destroy my engine.
edit: to give it context, I closed my programming website with thousands of active users that I had for almost 20 years because of GDPR, I'm not a big fan of it, but what I like even less is when complete incompetence when handling personal data results in zero consequences
Yes, people make mistakes. And by deciding to create a business around other people's personal information some mistakes are bad enough to merit a fine.
All sorts of civil offences and crimes can be mistakes. While "it was an accident" might lower the penalty it doesn't negate the fact the mistake was made and people might have been hurt.
The idea that we should hold companies that profit off people's personal data blameless if they manage to "make a slip-up" with it is absurd. The only other industry where we accept those kinds of mistakes is Wall Street and we all know how well that policy has gone.
>deciding to create a business around other people's personal information
>profit off people's personal data
Have you "decided to create a business around destroying the environment" and "profit off CO2 emissions" because your office is heated in the winter? GDPR is not specific to the adtech or data brokerage industries.
Yes, climate change effects would probably be a more accurate analogy -- but many people are very much against carbon tax schemes so it felt best to avoid that comparison.
GDPR doesn't prevent you from collecting personal data. It only requires you to have a clear reason for collecting everything and to be transparent about what data is collected and how it is processed.
The examples here make clear that "a clear reason for collecting everything" means an ironclad justification for each field, each bit of precision, each minute of retention. That is not a casual thing. As in, one of the fines here is for retaining a phone number to fulfill a need to communicate, when postal mail could have worked instead.
It is doable, if you have the lawyers and the time. But that's not a degree of scrutiny you want to gamble your life savings on for a personal project.
Well, suppose he does some transformation involving position. GPS points also have altitude in them. He neglects to sanitize altitude at the point of collection, and is therefore collecting and retaining more data than necessary to perform the service. He plots positions on a relatively zoomed-out map. Only the first six significant figures make a perceptible difference in the map position, but he retains the same precision that was uploaded, usually higher. Again, failure to minimize. Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.
Now he has "decided to build a business around profiting from the abuse of personal data" and the consensus in this thread looks on his destruction with glee.
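What the minimisation points above amount to at the ingestion boundary, as an added example that is not part of the original post or any project it refers to: a service that only needs a position on a map keeps lat/lon at a fixed precision, drops every other field of the upload (altitude, device details) before anything is stored, expires records after a retention window, and can honour a per-user deletion request. The precision (5 decimals), the 30-day window and the field names of the upload are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy for the example (not taken from the page): five decimal
# places of lat/lon (about 1 m on the ground, far more than a zoomed-out map
# can show) and a 30-day retention window for raw points.
DECIMALS = 5
RETENTION = timedelta(days=30)


@dataclass(frozen=True)
class Point:
    """The only personal data the service stores per fix."""
    user_id: str
    lat: float
    lon: float
    ts: datetime


def minimise(user_id: str, upload: dict, now: datetime) -> Point:
    """Reduce an uploaded GPS fix to the fields and precision the map needs.

    The upload is treated as an allowlist: only 'lat' and 'lon' are read,
    so altitude, speed, accuracy or device identifiers never reach storage.
    Rounding happens here, at collection, not later in a cleanup job.
    """
    lat = round(float(upload["lat"]), DECIMALS)
    lon = round(float(upload["lon"]), DECIMALS)
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    return Point(user_id, lat, lon, now)


def expire(points: list[Point], now: datetime) -> list[Point]:
    """Retention: drop every point older than RETENTION."""
    return [p for p in points if now - p.ts < RETENTION]


def erase_user(points: list[Point], user_id: str) -> list[Point]:
    """Deletion request: remove every point belonging to one user."""
    return [p for p in points if p.user_id != user_id]


if __name__ == "__main__":
    # Constructed sample upload with more fields and precision than needed.
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)
    raw = {"lat": 52.37021598, "lon": 4.895168, "alt": 12.3, "device": "abc"}
    p = minimise("u1", raw, now)
    print(p)  # altitude and device are gone, coordinates are rounded
    old = Point("u2", 48.85660, 2.35220, now - timedelta(days=31))
    print(expire([p, old], now))       # only the fresh point survives
    print(erase_user([p, old], "u1"))  # u1's data is removed on request
```

Backups are a separate matter from the live store: whatever snapshot or backup rotation the hosting provider runs should have its own documented window, so the retention policy covers both.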
> Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.
This is typical FUD. GDPR allows backups. Right to be deleted doesn't mean grovelling through backups. If those snapshots are rotated out after e.g. 3 months he is fine.
And regarding sanitizing altitude. Again pure FUD. There is no way that that would be a problem.
Of course if he stores the data in a personally identifying way and then is either incompetent or abusive then he could attract a fine...
In the real world GDPR enables such websites because users can trust that he has to follow some minimum standards.
You receive an email with a request for a privacy statement? Great, one way or the other, that's work with potential legal repercussion, which means you probably should talk to a lawyer. Additional expenses and hassle for no good reason.
You make a fix in the email system that accidentally emails everybody at the same time? (It almost happened.) Oops. There's your exposure to some nice fine.
You don't need to be abusing somebody's privacy to be concerned about legal exposure. Just like there are asshole companies, there are asshole users as well who can make your life miserable.
Any hobbyist who doesn't take this kind of exposure into consideration is naive.
I'm sorry but every website collecting personal data should set out clearly and simply what it is used for and how it can be distributed. For a small hobbyist site you don't need a lawyer, there are plenty of decent templates out there.
If you make a mistake and you do so honestly, not out of malice, and fix it, you are very unlikely to get a fine - you will get guidance and a warning. Unless you are being egregiously slipshod.
Storing user names and passwords in plain text when you have several hundred thousand users is not an "honest mistake" in 2019. In other fields a commercial entity failing basic security practices can be considered criminally negligent.