by cccbbbaaa 1035 days ago
Oh, no, there's more.

You must list all kinds of data processing you perform, find the appropriate legal basis (and data retention duration, etc.), make sure you only gather data you need (data minimization), know to whom you transfer data, make your services secure by default, monitor for unauthorized access, and tell affected people when there is a breach. Perhaps make a risk assessment, but it depends on the processing you do.

Yes, it's work. But quite frankly, I'm cool with a law that expects anyone who processes personal data to secure their service, to properly inform people, and holds them accountable.

1 comment

So you are choosing to capture personal data.
Personal data has a very wide definition under GDPR:

>‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

An IP address, or an email address is personal data. Even a pseudonym or a session ID is personal data. Yes, having a log for security purposes (GDPR recital 49) captures personal data (even just access dates and requested URLs may be considered to be personal data). Yes, a comment section on a blog may capture personal data.

Once again, I'm fine with all of this. But ignoring GDPR by not capturing personal data is more complex than it might seem.