by klingon78 1927 days ago
The US has a similar privacy law in California they must support, and many companies have presence globally, so they are having to deal with this in the following ways, like many others.

GDPR has given a 50M EUR handslap to Google and similar to some other large companies[1] while seriously hurting smaller companies with existing custom web applications for whom they may not even have someone on staff to modify those to be GDPR-compliant.

Small businesses like others must determine what PII is, how to anonymize it, and how to remove it when users request their PII to be removed. PII could be in their server logs or other locations that are inaccessible to most employees of the business. Backups might be excluded from PII scrubbing, but so much is unclear.

Let’s also talk about what it doesn’t protect. PCI, not GDPR, attempts to provide protection for cardholder data. GDPR doesn’t protect against PII that was previously shared. Nor does it protect from data being stolen, unless the user had their data removed prior.

[1]- https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2...


It's actually fairly easy to be GDPR compliant almost by default, TBQH. It either takes a lot of effort or a lot of laziness to somehow end up non-compliant.
Removing or anonymizing PII in a large system not already designed for PII removal or one you don’t have resources to manage can be painful.

Companies of all sizes can have a lot of PII and code that’s not GDPR compliant, and it’s non-trivial to fix that. When asked by a user to remove PII, the removal is sometimes incomplete at these companies. Even the process of incompletely removing PII wastes time; the users requesting PII removal often didn’t even do business with the company, in my experience.

Companies of all sizes but often small companies hire out development of web apps that keep PII and may not have someone permanently on staff to maintain it to make the changes needed to allow users to remove their PII.

I’d go so far as to say that I’d intentionally not work with users if I knew they would be painful to work with, leaving me with nothing but a legal requirement to wipe their asses because they used my old site. I hope that EU didn’t intentionally do this to hurt small businesses and foster new startups within the EU to brunt the cost of this stupid, stupid law.

I’m a privacy advocate.

So you are saying:

* A company is holding PII in a system they don't have the resources to manage.

* The software is insufficiently secure to hold that data.

* The company appears to even be holding data on people that didn't do business with the company.

* This is in-part caused by the (sub)hiring of companies that also were not scrupulous with PII in the past.

You say that this hurts said company, and they are going to stop doing that.

I'd say this is the exact intended effect of the law. Not so stupid after all!

Meanwhile, for people who scrupulously and ethically avoided collecting extraneous PII in the first place; I think the GDPR provides no great additional burden.

An email address is PII. Given that many preexisting systems used email addresses as usernames to identify users, let’s say a small business in 2015 hired a company to create a web app which let a user create an account using their email address and it put the email address into a log file with that user’s activity. The contracted developer finished the site, which cost 25000 EUR, much more than the business could afford to spend on tech for another ten years. If this company gets 500 GDPR requests and cannot remove the PII because they don’t have the skill or money, should that company be fined? Should it shut down? What if there were 14 million companies with the same problem?
So people's PII should be just sitting there unregulated because companies can't afford to clean up their privacy messes?
You are asking a question as if this was some sort of moral issue, and that's pretty much guaranteed to lead to terrible decisions -- ultimately immoral decisions -- so my advice is to not approach technical problems through a moralistic lens, but through a technical lens.

The situation we have now is that massive amounts of code and business processes were created without the assumption that things like email addresses were protected information that users have a right to purge whenever they want. It doesn't particularly matter if you think this is right or wrong, what matters is that this is how the world is. So then, what to do about it?

A rational approach is to try to look at a cost-benefit analysis of various solutions -- how much would it take to refactor the code and update the business processes? More importantly, how much would it take to put into operation controls that effectively ensure that all the data was deleted? Finally, how much would it cost to get rid of all that data -- remember companies can have tape backups, recovery centers, and data was sprayed everywhere for decades.

So you get some number, say a hundred billion. Is it still worth the expense? Could there be some other solution?

For example, force companies to delete old data after X years, where X is say 10 after the business relationship has been ended. Or some other approach. That approach might cost only 20 billion. Or force companies to do this for new code and business processes but leave the legacy ones in place for X years. That might be only 10 billion.

As another example, look at C code. It's unsafe. We are aware of the problems with C code now and have discovered safer languages. But the cost of rewriting the existing pool of C code is huge. It doesn't help to wring your hands and approach this from a moral argument -- so security doesn't matter, we declare indignantly? Instead, look for practical ways of transitioning to safer languages over time, and other ways to isolate and mitigate the damage of unsafe code.

But at all costs, understand the limitations involved, and craft remedies that give you the most bang for the buck, because resources are limited and a dollar spent on this is a dollar not spent on some other cause, which might be more worthwhile than being able to delete any email address on command from a customer letter.

You could always have a corner case of course...

In this company, is there a solid technical reason why the log couldn't get rotated and/or aggregated and/or truncated to begin with?

Those are fairly typical things you might want to configure to do with a log; GDPR or no.
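The two comments above (the 2015 web app that wrote the user's email address into an activity log, and the reply asking why that log could not simply be rotated, aggregated or truncated) can be made concrete with a small log-scrubbing script. This is an added example, not code from any commenter or from the hypothetical contractor; it assumes a constructed log format of `<ISO timestamp> <email> <action>` and a locally held secret key. The idea is to replace each address with a keyed pseudonym (so activity can still be correlated for debugging but the address itself is gone), to honour an erasure request against the already-pseudonymized log, and to age out lines past a retention window, which is the rotation/truncation the reply refers to.

```python
"""Scrub and age out e-mail addresses in application log lines.

Added example for the thread above; not code from any commenter.
Assumes a constructed log format "<ISO timestamp> <email> <action>"
and a secret key kept outside the log store.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: timestamp, e-mail used as the username, action.
SAMPLE_LOG = [
    "2019-01-02T10:00:00Z alice@example.com login",
    "2019-01-02T10:05:00Z alice@example.com view_invoice",
    "2019-02-10T08:00:00Z bob@example.org login",
    "2019-03-01T09:30:00Z alice@example.com logout",
]

# Deliberately simple address matcher; good enough for usernames in a log.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed demo key. In practice this lives in a secret store, not beside the logs.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(email: str, key: bytes) -> str:
    """Keyed one-way token for an address (HMAC-SHA256, truncated).

    Stable within one key, so one user's lines still correlate, but the
    address can no longer be read out of the log. Normalised to lower case
    so "Alice@Example.com" and "alice@example.com" map to the same token.
    """
    digest = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()
    return "user:" + digest[:16]


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace every e-mail address in one log line with its pseudonym."""
    return EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key), line)


def erase_user(lines, email: str, key: bytes):
    """Drop every line belonging to one user from an already-scrubbed log.

    Only the pseudonym is needed to match, so the raw address never has to
    be written back into the log pipeline to honour the request.
    """
    token = pseudonym(email, key)
    return [line for line in lines if token not in line]


def truncate_older_than(lines, now: datetime, max_age: timedelta):
    """Keep only lines whose timestamp falls inside the retention window."""
    cutoff = now - max_age
    kept = []
    for line in lines:
        stamp = line.split(" ", 1)[0]
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts >= cutoff:
            kept.append(line)
    return kept


def run_demo():
    """Scrub the sample log, apply a 30-day retention, then erase one user."""
    now = datetime(2019, 3, 5, tzinfo=timezone.utc)
    scrubbed = [pseudonymize_line(line, DEMO_KEY) for line in SAMPLE_LOG]
    retained = truncate_older_than(scrubbed, now, timedelta(days=30))
    after_erasure = erase_user(retained, "Alice@Example.com", DEMO_KEY)
    return scrubbed, retained, after_erasure


if __name__ == "__main__":
    for stage, lines in zip(("scrubbed", "retained", "after erasure"), run_demo()):
        print(f"--- {stage} ---")
        for line in lines:
            print(line)
```

Running it prints the log after each stage: all four lines with addresses replaced by `user:` tokens, then the two lines from the last 30 days, then only Bob's line once Alice's erasure request has been applied. Retention alone would already have removed most of the 2015 app's exposure; the keyed pseudonym handles whatever remains without keeping a lookup table of addresses.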

I understand the economic downsides of GDPR. If you abolished it with the intention of gaining international competitiveness I would consider it an acceptable trade. I'm still split on whether GDPR really accomplished all that much.
If "by default" you mean starting from ground zero, that's an almost meaningless statement.

If the government passed a law requiring all housing to be built to code to survive a magnitude 9 earthquake in a region where there are no earthquakes, and every house needs to be retrofitted, would you say the burden is low? After all, if you start from scratch without a house there is no requirement to do anything! And building a new house is much easier, after all!

That would be fair enough.

But this is more like trying to explain why your attic has strengthened beams that were not on the original (default) architectural drawings, and gosh what are all those bags of white powder doing there?

The government doesn't even make it illegal, mind. You just need to explain why, if someone asks politely.

( https://goo.gl/maps/UgRPhuxfXoezDJHB9 so this business still wouldn't get in trouble. )