General Data Protection Regulation (GDPR) - useful/practical tips for small developers

DSP, Plugin and Host development discussion.
Post

Cyforce wrote:[...]if you use a website based on WordPress and use a security plugin like WordFence, right now it would violate the GDPR law, so in some ways/points it's also kinda wait&hope that they will be fixed in time, next to the negative point that you probably have to give away many functions or possibilities in your current settings (especially on social network base).
I think that HTTPS, the (annoying) extra checkboxes in most forms, and a new privacy policy are a sufficient demonstration of good will. At least small companies don't have the reverse burden of proof. Here, it seems to me that any abuse must be proven by an external party, one that doesn't have legal access to "my" systems.
In that sense, I personally give little weight to such nerdy, internal details.

I also remember well a German regulation from about a decade ago, forbidding to memorize IP addresses. What happened? Everybody ignored it (I worked for SAP back then, and they did of course), until authorities realized how stupid the idea was. I remember the panic back then, and nothing happened.

(German)
https://www.heise.de/newsticker/meldung ... 54157.html

Entrepreneur friendliness has a higher priority than publicly admitted (even in France lol). Some say it's likely the only binding force behind the EU. ;)
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

#OT

Sorry for an unrelated discussion, but what happens if every government gets inspired by the EU VAT and decides that their citizens ought to pay VAT in their own country?

For example for selling on Steam you must register to the US IRS, and tbh I don't know what this really implies when selling direct to US customers.

Now if this VAT trick gets popular amongst law producers, would we have to register to every government's fiscal department? Now that would be complicated and discomforting.
Checkout our VST3/VST2/AU/AAX/LV2:
Inner Pitch | Lens | Couture | Panagement | Graillon

Post

Apparently, VAT is pretty much everywhere now. We go through ShareIt and there's VAT/GST in Australia, Turkey, some US states and some others. Never used to be, but it seems that local tax authorities start to understand the digital market a bit better than they used to.

Post

FabienTDR wrote:I think that HTTPS, the (annoying) extra checkboxes in most forms, and a new privacy policy are a sufficient demonstration of good will. At least small companies don't have the reverse burden of proof. Here, it seems to me that any abuse must be proven by an external party, one that doesn't have legal access to "my" systems.
In that sense, I personally give little weight to such nerdy, internal details.

I also remember well a German regulation from about a decade ago, forbidding to memorize IP addresses. What happened? Everybody ignored it (I worked for SAP back then, and they did of course), until authorities realized how stupid the idea was. I remember the panic back then, and nothing happened.

(German)
https://www.heise.de/newsticker/meldung ... 54157.html

Entrepreneur friendliness has a higher priority than publicly admitted (even in France lol). Some say it's likely the only binding force behind the EU. ;)
Even on a smaller scale there are many little points to think of, as you already mentioned:
- SSL
- Privacy Policy (mentioning all points of the specific website & tools/plugins which have anything to do with personal data processing and cookies)
- Checkboxes (+ link to privacy policy) in contact forms and comment areas

but besides that...
You can't have any SoundCloud player embedded on your website any more, because with an embedded player/playlist, SoundCloud-based cookies will automatically be set before the user can even say yes or no to the cookie, so it's not GDPR-compliant.

Embedded YouTube videos are also (through the cookie issue) not fully compliant with the GDPR, even with the privacy setting used while generating the embed shortcode.
(and with a business focused on audio/music/sounds, SoundCloud + YouTube is an essential piece of the way to demonstrate your product to users)

You need to give the user the option to get a full report of what data you have on him through his visiting your website, plus the option to erase all that data. Technically, for many sites/systems, that's not easy to do in a few days.

You also need contracts (in German called AD/ADV) with your host provider, Google Analytics for example, your newsletter service etc. Also "ironic" that many lawyers aren't sure, based on the GDPR wording itself, whether the necessary contracts have to be in paper form, or if it's enough in completely digital form.

A cookie notice is a must as well on your website (and it should not cover up/overlay the direct link to the privacy policy page, if you use it for example in the footer).

The newsletter as well is a big drawback for many companies: create a completely new pool and ask all your previous subscribers if they want to join the new pool, because you can't use the old pool after 25th May.

And in addition, depending on which system you use for your website, for some essential plugins like security, you probably have to wait till the last day for an essential update to make it GDPR-compliant. For example, if it uses IPs to block unwanted guests or spam etc...

+ combined with EU MOSS VAT... sometimes the thoughts migrate far away from the EU, coming more often :lol:

Post

Urs wrote:Apparently, VAT is pretty much everywhere now. We go through ShareIt and there's VAT/GST in Australia, Turkey, some US states and some others. Never used to be, but it seems that local tax authorities start to understand the digital market a bit better than they used to.
Which makes it extremely more difficult in the future for everyone who wants to sell his digital goods directly via his own website/shop. External services like ShareIt handle it and save a lot of work (even with some negative things, but also positive features like a built-in affiliate system), but if you really want to sell directly with user accounts etc., it's more complicated than ever.

Also through GDPR now, for example, if you have a standard WordPress-based site, using a shop plugin/extension for direct sale with a payment gateway (like PayPal etc.), you have to track the user's location and provide clear proof of its location/country to comply with the MOSS VAT regulation, and be able to generate the reports for the tax sub-office in your country responsible for that issue, etc. etc. But by tracking the user's location and storing the data etc., it gets in conflict with GDPR. So a website with direct selling and no external service like ShareIt is right now, mhmm, extremely difficult I think, at least without losing much time on additional work for laws, tax reports and submissions and more.

Post

Cyforce wrote:Also through GDPR now, for example, if you have a standard WordPress-based site, using a shop plugin/extension for direct sale with a payment gateway (like PayPal etc.), you have to track the user's location and provide clear proof of its location/country to comply with the MOSS VAT regulation, and be able to generate the reports for the tax sub-office in your country responsible for that issue, etc. etc. But by tracking the user's location and storing the data etc., it gets in conflict with GDPR.
Tax law, and probably other regulations, override the GDPR. This is why that whole thing about "forgetting data" is a laughing stock. Customers can ask for removing completely unimportant data, like an email sent weeks ago, but actually important data cannot be deleted. The GDPR law has nice intentions but makes no sense in practice.

Richard
Synapse Audio Software - www.synapse-audio.com

Post

It seems GDPR is a way for the regulator to have more leverage over Google, Facebook and such (EU VAT MOSS was supposed to be for Amazon) and coerce them to pay taxes through unenforceable law.
Checkout our VST3/VST2/AU/AAX/LV2:
Inner Pitch | Lens | Couture | Panagement | Graillon

Post

Richard_Synapse wrote:
Cyforce wrote:Also through GDPR now, for example, if you have a standard WordPress-based site, using a shop plugin/extension for direct sale with a payment gateway (like PayPal etc.), you have to track the user's location and provide clear proof of its location/country to comply with the MOSS VAT regulation, and be able to generate the reports for the tax sub-office in your country responsible for that issue, etc. etc. But by tracking the user's location and storing the data etc., it gets in conflict with GDPR.
Tax law, and probably other regulations, override the GDPR. This is why that whole thing about "forgetting data" is a laughing stock. Customers can ask for removing completely unimportant data, like an email sent weeks ago, but actually important data cannot be deleted. The GDPR law has nice intentions but makes no sense in practice.

Richard
We'll be offering complete removal of data, but people will have to accept that their licenses become NFR: Win-win.

That said, we only keep the monthly overview from ShareIt, not the full report.

Post

Urs wrote:We'll be offering complete removal of data, but people will have to accept that their licenses become NFR: Win-win.

That said, we only keep the monthly overview from ShareIt, not the full report.
Sure people can have their user account removed completely (it would simply be a loss for the customer though, I really see no gain here). The point is this: actually relevant data (i.e. the invoice data kept by ShareIt, not us developers) will not be deleted because this data must be kept for a minimum of 10 years. So if someone wants to somehow "disappear" from the internet, it just won't happen I'm afraid. And good luck emailing the NSA asking for removal of your personal data! :hihi:

Richard
Synapse Audio Software - www.synapse-audio.com

Post

Cyforce wrote:+ combined with EU MOSS VAT... sometimes the thoughs migrate far away from the EU coming more often :lol:
As mentioned above, it was forbidden in Germany to memorize any IP address.. ..for years! It was overridden a few years later. Millions of businesses acting illegally for a decade! Nobody's in jail due to this.

It's good to fight, sabotage, or simply ignore unhealthy laws and regulations. I don't accept the irrational part of the deal, and I'm relaxed. Most EU regulations aren't worth the paper and have little durability.

I'm not running a shady online casino after all, any (national) judge will be able to understand that in doubt.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

Not to derail the topic too far, but, isn't ZeroG located in the UK? Just asking because I've yet to get a GDPR email from them? Plenty of flash offers though!

Post

ghettosynth wrote:Not to derail the topic too far, but, isn't ZeroG located in the UK? Just asking because I've yet to get a GDPR email from them? Plenty of flash offers though!
No answer to that, but it doesn't matter if a company is outside or inside EU, as long as they offer services to EU citizens, they must comply with GDPR.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats

Post

ghettosynth wrote:Not to derail the topic too far, but, isn't ZeroG located in the UK? Just asking because I've yet to get a GDPR email from them? Plenty of flash offers though!
If you are not a customer and their newsletter was not GDPR-compliant before, this should stop after May-25. If you bought from them, however, they may be entitled to send you emails (provided you agreed to that at some point).

Richard
Synapse Audio Software - www.synapse-audio.com

Post

Richard_Synapse wrote:
Urs wrote:We'll be offering complete removal of data, but people will have to accept that their licenses become NFR: Win-win.

That said, we only keep the monthly overview from ShareIt, not the full report.
Sure people can have their user account removed completely (it would simply be a loss for the customer though, I really see no gain here). The point is this: actually relevant data (i.e. the invoice data kept by ShareIt, not us developers) will not be deleted because this data must be kept for a minimum of 10 years. So if someone wants to somehow "disappear" from the internet, it just won't happen I'm afraid. And good luck emailing the NSA asking for removal of your personal data! :hihi:

Richard
This is my understanding as well. Devs that work with payment processors like Share-it cannot promise customers to be forgotten. GDPR is not only applicable to the devs, but also to its partners in the chain, and payment processing partners are required to keep the data for 10 years to comply with legal and financial requirements.

Post

Urs wrote:If a customer contacts you and you need to retrieve data, hash his email address and find a match. (the law encourages anonymization of data)
Just for reference, Urs, we've been told (working in an industry that deals with a *lot* of data) that hashing doesn't actually satisfy anonymisation as it still uniquely identifies a person, just not directly. If it's unique enough for the business to identify someone, it's not anonymized (just obfuscated).

Obviously there's far more to it than this - life is very interesting at work in this regard.

The only true advice for anyone, I think, is seek legal counsel (and at the very least, talk with a GDPR advisor or similar with respect to your business area).

Or just don't deal with Europeans ever again :dog:
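An added example (written for this thread, not code from any of the posters) of the point made in the last reply: a hash of a customer's e-mail address is still a unique, linkable identifier, so it is pseudonymisation rather than anonymisation. The customer table, the demo key and the sample addresses are constructed; the keyed (HMAC) variant goes a step beyond the thread by showing that a secret key at least restricts linking to the key holder, while per-record erasure stays possible.

```python
import hashlib
import hmac


def normalize_email(email: str) -> str:
    """Canonical form so one mailbox always maps to one token."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address. Deterministic and keyless, so anyone
    who already holds the address recomputes the same token and links the
    record: pseudonymous, not anonymous."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret kept apart from the customer table.
    Still pseudonymous (the key holder can link), but a party without the
    key cannot rebuild the token from an address it knows."""
    return hmac.new(key, normalize_email(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def find_record(email: str, key: bytes, records: dict):
    """The lookup Urs describes: a customer writes in, we derive the token
    from the address they give us and look it up. No raw address is stored."""
    return records.get(keyed_token(email, key))


def erase_record(email: str, key: bytes, records: dict) -> bool:
    """Per-customer erasure of the data *we* hold; invoice data retained by
    a payment processor sits outside this table and is unaffected."""
    return records.pop(keyed_token(email, key), None) is not None


def third_party_can_link(email: str, token: str) -> bool:
    """Models an outsider who knows an address but not our key: can they tell
    whether `token` belongs to it? True for the unkeyed scheme."""
    return plain_hash(email) == token


# Constructed sample data; DEMO_KEY is a placeholder, not a real secret.
DEMO_KEY = b"demo-key-constructed-for-this-example"
DEMO_RECORDS = {
    keyed_token("Alice@Example.com", DEMO_KEY): {"licenses": ["plugin-A"]},
    keyed_token("bob@example.org", DEMO_KEY): {"licenses": ["plugin-B"]},
}

if __name__ == "__main__":
    print(find_record(" alice@example.com ", DEMO_KEY, DEMO_RECORDS))
    print(third_party_can_link("bob@example.org", plain_hash("bob@example.org")))
```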
