Hacker News new | ask | show | jobs
by dmurray 638 days ago
> ^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.

If you don't track people's data, that "system" becomes an automated email reply with "we don't have any data about you".

But if you deal with individuals, probably you do want to collect at least some data that would be subject to the GDPR protections, and it is definitely easier to forget all about it.
1 comments
LegionMammal978 637 days ago
Given that most things are personal data under the GDPR (e.g., IP addresses have been considered personal data, and things like usernames are clearly personal data), I don't think most companies can get off quite that trivially, short of being completely stateless and never logging anything.
link
anonzzzies 637 days ago
You can log with log if you have good reason; you just have to delete them after a reasonable time. Nothing about this is hard or costly if you think about from the start. Your 'forever data' basically should never contain PII as some users might have terminated their accounts etc so then their info cannot be in some cold store tape archive. Again, not complex; delete backups after a reasonable time and throw away the encryption key.

The intent of the gdpr is that you think about all of this and not simply store everything to mine, have stolen, leak or sell later on. The problem is that many companies or the software they use is literally build to abuse that data so then it is indeed 'hard' and expensive to comply.

link
LegionMammal978 637 days ago
Sure, but regardless of your data-retention period, you still have to know where to find everything derived from anything user-generated, if you want to accurately respond to requests. You're free to argue that the GDPR is making companies do things that they already ought to have been doing, but my point is that "just don't be one of those evil user-tracking companies" is not a viable compliance policy in itself.
link
Dylan16807 637 days ago
If your data retention period is less than your response time (which has to be less than a month), can you not say "everything we had at the time of request is deleted" and be done with it?

A reminder that we're talking about passing visitors without accounts here, and for logging and analytics there shouldn't be a need to store anything longer than a couple days.

link
anonzzzies 637 days ago
Yes, that's true, it is part of the intent though, that's why people say this I guess.
link