by jdiez17 438 days ago
Uh oh. I'm all for cutting the red tape, but (in my opinion) the GDPR is: 1) easy to comply with if you're not doing nasty stuff with people's data, 2) actually needed.

Any opposing views?

4 comments

You're on a forum supported by a startup accelerator for entrepreneurs who want to get stuff up and running with as little friction as possible. It's fairly obvious that Sinclair's quote would ring true here.

Smaller entities should still be required to fix/delete your personal data on request, imho.

I'd also appreciate if the exception was conditional on not selling any data or using it for external advertising (i.e. "you might also like" suggestions would be okay, as long as they're part of the same service)

It's easy as long as you're a corporation. It's onerous for a human person. Like the EU's excellent Digital Markets Act, GDPR should be altered to only apply to corporations. It'd be better if like the DMA it only applied to very large corporations, but just corporations is still way better than the status quo.

It's also easy if you simply stop trying to track users and only store the most necessary data. Like, no one ever seems to consider this.

Meanwhile, this same community a few days back were discussing the idea of trying to abolish advertisement. That's truly blue-sky thinking if we're still justifying user tracking in 2025.

I only "store" my webserver's logs and user submitted comments. But someone can still put the legal pressure on me, a random person, to force me to do work to turn over those logs/etc. It's wild. Like having a security camera, hosting a BBQ for the neighborhood, and having a neighbor demand access to the recorded video with legal threats. This whole thing really only makes sense in the context of for-profit incorporated persons. It should not apply to me, a random human person.

You have up to 30 days to respond to access/edit/delete requests.

It's accepted practice to only keep logs for e.g. 48 hours and respond to any request with 2 days' delay: "we've got no logs from that timeframe anymore".

Why do you store your webserver's logs? My reading of the GDPR (I am not a lawyer) is that it strongly encourages site owners to store the very minimum amount of data about visitors - something that I wholeheartedly agree with.

Server logs are useful for debugging the site but also contain potentially identifying information (IP addresses) so I have my site delete them after 48 hours.

User submitted comments are obviously required for the usage of your site, so you are in the clear there.

I read the logs with my human eyes manually because I am interested in learning about the web and internet. In fact today I found a whole new useful search engine because I saw its spider in my logs.

    64.62.202.82 "GET /library/Math/Mathematical%20Methods%20for%20Physicists_%20A%20concise%20introduction_%20Tai%20L%20Chow_%202000.pdf -" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Centurybot/1.0; +http://www.rightdao.com/bot.html) Chrome/131.0.0.0 Safari/537.36"

It turns out that http://www.rightdao.com/ is a great old-style search engine that actually returns many tens of pages and thousands of results. As opposed to Google that only ever returns <400, Bing <900, and Kagi <200.

I guess I keep logs because I want to interact more directly with the internet as a whole and experience the serendipity that comes with that.

Then keep your logs for 14 days, and remove IPs from them after 48h.

Tools for that exist, you don't keep unnecessary data, and you're in the clear.
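
The retention scheme suggested in the comment above (drop log lines after 14 days, remove IPs after 48 hours), as an added example that is not part of the thread or any commenter's code. It assumes the common combined access-log format with a bracketed timestamp; the `apply_retention` name and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

SCRUB_AFTER = timedelta(hours=48)  # IPs removed once a line is older than this
DROP_AFTER = timedelta(days=14)    # whole line removed once older than this

# Assumed layout: IP ident user [timestamp] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<mid>\S+ \S+ )\[(?P<ts>[^\]]+)\](?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def apply_retention(lines, now):
    """Return the lines that may be kept, with old client IPs replaced by '-'."""
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # cannot determine age, so drop rather than keep forever
        try:
            ts = datetime.strptime(m["ts"], TS_FMT)
        except ValueError:
            continue  # unparseable timestamp: same fail-closed handling
        age = now - ts
        if age > DROP_AFTER:
            continue
        ip = m["ip"] if age <= SCRUB_AFTER else "-"
        kept.append(f'{ip} {m["mid"]}[{m["ts"]}]{m["rest"]}')
    return kept

# Constructed sample input (documentation-range addresses, not real visitors).
NOW = datetime(2025, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    '192.0.2.10 - - [15/Mar/2025:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ExampleBot/1.0"',
    '2001:db8::1 - - [12/Mar/2025:09:00:00 +0000] "GET /a HTTP/1.1" 200 10 "-" "ExampleUA"',
    '192.0.2.11 - - [20/Feb/2025:09:00:00 +0000] "GET /b HTTP/1.1" 404 0 "-" "ExampleUA"',
    'line without a timestamp',
]

if __name__ == "__main__":
    for out in apply_retention(SAMPLE, NOW):
        print(out)
```

Run on a schedule against rotated log files, this keeps recent lines intact for debugging while older lines retain only the request, status and user agent.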

I shut down a couple of my websites that provided a service for free (streetlend.com and cointouch.com) because the GDPR was too ambiguous for me to be 100% sure I complied with - and in the past online I have encountered vexatious people who have tried to damage my reputation. On one of my other websites, those people used GDPR privileges (e.g. making vexatious SAR requests) simply to make my life more difficult.

At the end of the day, I create helpful and fun websites for free in my spare time because I enjoy it.

EU regulation created jeopardy and friction that meant I couldn't justify doing this anymore.