General Data Protection Regulation (GDPR) - useful/practical tips for small developers

DSP, Plugin and Host development discussion.

Post

Richard_Synapse wrote:
ghettosynth wrote:
Not to derail the topic too far, but, isn't ZeroG located in the UK? Just asking because I've yet to get a GDPR email from them? Plenty of flash offers though!
If you are not a customer and their newsletter was not GDPR-compliant before, this should stop after May-25. If you bought from them, however, they may be entitled to send you emails (provided you agreed to that at some point).

Richard
Ah, I see. I'm not completely up on this GDPR thing. I have bought from them, but I've also purchased from many other vendors who have sent me the emails. I was assuming that it was necessary for every vendor in the EU to confirm my opt-in status. I've not got many emails from U.S. vendors though. I wonder if that's because they know that I'm in the U.S.?

Post

And one of the best features of GDPR is that you now can't be forced to accept/install/give permission to anything additional that's not required to use the service or product itself.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats

Post

Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats
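Urs's advice quoted above (drop data that isn't essential, anonymise what you can, and give each handler only the fields they need) can be turned into a small data-minimisation routine. The following is an added example written for this thread; it is not code from the original post or from any company mentioned here. The pseudonymisation key, the per-purpose field lists, the retention period and the sample records are all constructed assumptions.

```python
import hmac
import hashlib
from datetime import date

# Hypothetical key used only to derive pseudonyms. It lives with the analytics
# system, not with the raw customer data, so a leaked analytics export cannot
# be mapped back to e-mail addresses without it. Constructed for this example.
PSEUDONYM_KEY = b"constructed-example-key-replace-in-production"

# Which fields each processing purpose actually needs (assumed policy).
# Anything not listed is dropped before the record leaves the system of record.
FIELDS_FOR_PURPOSE = {
    "support":   {"email", "order_id", "product"},
    "analytics": {"product", "country"},
}


def pseudonymize(email: str) -> str:
    """Keyed hash of the normalised address: stable per customer (so counts and
    repeat purchases still work) but not reversible without PSEUDONYM_KEY."""
    digest = hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def minimize_record(record: dict, purpose: str) -> dict:
    """Return only what `purpose` needs, coarsening or pseudonymising the rest."""
    allowed = FIELDS_FOR_PURPOSE[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    if purpose == "analytics":
        # Keep a join key for the analytics team, but not the address itself,
        # and reduce the purchase date to month granularity.
        out["customer_ref"] = pseudonymize(record["email"])
        out["purchase_month"] = record["purchase_date"][:7]
    return out


def expired(record: dict, today_iso: str, retention_days: int) -> bool:
    """True when the record is older than the retention period and should go."""
    last = date.fromisoformat(record["last_activity"])
    return (date.fromisoformat(today_iso) - last).days > retention_days


def purge_expired(records: list, today_iso: str, retention_days: int) -> list:
    """Records worth keeping; everything past retention is removed wholesale."""
    return [r for r in records if not expired(r, today_iso, retention_days)]


# Constructed sample data: what a small plugin shop's order table might hold.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "full_name": "Alice Example", "ip_address": "203.0.113.7",
     "order_id": "A-1001", "product": "SynthPlugin", "country": "DE",
     "purchase_date": "2018-05-10", "last_activity": "2018-05-10"},
    {"email": "bob@example.net", "full_name": "Bob Example", "ip_address": "198.51.100.2",
     "order_id": "A-0042", "product": "SynthPlugin", "country": "US",
     "purchase_date": "2014-01-03", "last_activity": "2014-01-03"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(minimize_record(r, "analytics"))
    print(len(purge_expired(SAMPLE_RECORDS, "2018-05-23", 365 * 3)))
```

The point of the allow-list is that a new field added to the order table (say, a phone number) is invisible to every downstream purpose until someone deliberately adds it, which is the "have a really good reason why you had it" stance applied in code.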

Post

BMoore wrote:
Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
They're the same thing. If there is a data breach, the privacy and user rights are compromised. GDPR isn't as much about 'ethical' use of data as people would like to think, although a lot of integrity comes from the fact that usage has to be ascertained at every step in the pipeline (it's no longer about a company in isolation), but protecting data and ensuring it (ideally) never ends up where it isn't meant (declared) to be.

It replaces the Data Protection Act, and widens the responsibility to cover the data as it flows through companies, but it doesn't necessarily look towards privacy as a central point - many aspects don't require opt-in (you'll still be shown adverts on the web, and your purchases tracked, but the data should be anonymised and/or limited to the businesses declaring legitimate use rather than freely being thrown around).

Post

koalaboy wrote:
BMoore wrote:
Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
They're the same thing. If there is a data breach, the privacy and user rights are compromised. GDPR isn't as much about 'ethical' use of data as people would like to think, although a lot of integrity comes from the fact that usage has to be ascertained at every step in the pipeline (it's no longer about a company in isolation), but protecting data and ensuring it (ideally) never ends up where it isn't meant (declared) to be.

It replaces the Data Protection Act, and widens the responsibility to cover the data as it flows through companies, but it doesn't necessarily look towards privacy as a central point - many aspects don't require opt-in (you'll still be shown adverts on the web, and your purchases tracked, but the data should be anonymised and/or limited to the businesses declaring legitimate use rather than freely being thrown around).
Uh. No, and no. DPA is a UK thing.
Last edited by BMoore on Tue May 22, 2018 6:47 pm, edited 2 times in total.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats

Post

BMoore wrote:
Uh. No, and no.
Fair enough. I'm neither a lawyer, nor a Data Protection Officer, and would certainly advise anyone wanting the correct advice to not get it from an internet forum.

I'm simply offering feedback with respect to legal advice we've been receiving at work. YMMV.

Post

Richard_Synapse wrote:
The GDPR law has nice intentions but makes no sense in practice.
Most of it has been law for yonks already. The big change is only affecting data harvesters in other countries who collect data to sell it.

Companies that have already been behaving ethically do have to make some changes (like announcing publicly who to contact if you want to see your data/rectify it), and specifying why the data is needed, but there should be no wholesale changes required.

Of course, if you've been adding every email address you ever saw to your mailing list and have been collecting information on your customer's sexual orientation and religion, that's your come-uppance for being a tit.

My 2c as someone who's responsible for handling this stuff at work.

Post

BMoore wrote:
Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
At least for German companies, privacy and user rights have been in place for quite a while (1997 I think). All those parts of GDPR are a piece of cake for us. The largest part of our expenses (again, a 5-digit sum in Euros, maybe 6 if we factor the whole website into it) went into security infrastructure, and moving data from the web (where people always had it, and many still do) to closed servers behind multiple firewalls.

Also, the enormous fines in the law are tied to data breaches, which among hacking and stuff also encompass using the data for purposes other than what consent was given for.

Post

Urs wrote:
BMoore wrote:
Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
At least for German companies, privacy and user rights have been in place for quite a while (1997 I think). All those parts of GDPR are a piece of cake for us. The largest part of our expenses (again, a 5-digit sum in Euros, maybe 6 if we factor the whole website into it) went into security infrastructure, and moving data from the web (where people always had it, and many still do) to closed servers behind multiple firewalls.

Also, the enormous fines in the law are tied to data breaches, which among hacking and stuff also encompass using the data for purposes other than what consent was given for.
Even more BS.
Oh well. Can't teach em all.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats

Post

FabienTDR wrote:
Cyforce wrote:
+ combined with EU MOSS VAT... sometimes the thoughts migrate far away from the EU, coming more often :lol:
As mentioned above, it was forbidden in Germany to memorize any IP address.. ..for years! It was overridden a few years later. Millions of businesses acting illegally for a decade! Nobody's in jail due to this.

It's good to fight, sabotage, or simply ignore unhealthy laws and regulations. I don't accept the irrational part of the deal, and I'm relaxed. Most EU regulations aren't worth the paper, have little durability.

I'm not running a shady online casino after all, any (national) judge will be able to understand that in doubt.
Well, German laws are also difficult; for example some internet providers store all your connection data for 48 hours, some only 24 hours etc. The mix of EU laws + German laws - "lovely"

The worry in my eyes or mind is not to miss a little detail in paper forms concerning the GDPR, it's more the admonish-lawyers... which will fly around the web like hungry vultures to send out admonish letters with "we demand XXXX € or we go to court" because a little blog or shop missed something in their GDPR files. And this is a truly shady business, affecting many small and middle-grade companies all the time. Just a month ago I read an interesting article about it: one company (as prime example) had some misspelling in their product description, a "vulture" saw it, sent them an admonish letter "pay this and this or we meet in court", and smaller companies mostly can't bring up the time, money & consulting to go that way, so in most cases they pay the admonish demand and done.

And now with GDPR - there are sooo many things through which these vultures can find something to see a reason to threaten a company to sue them. Even if GDPR has good intentions for the users, for companies it's highly threatening. Just as Urs wrote, the time & costs through one law - it's much... for smaller companies for sure less, but most of them maybe can't afford good consulting if sh1t hits the fan.

What confused me heavily as well in the last weeks through GDPR, when you look around at how other companies adapt (or if they adapt), is when you find a well known plugin company, located in Germany - but not even having an imprint on their website/shop - and just by German law, this is already against the law. But mhm well it's kinda like Russian roulette - some get through over years with missing pages and legal notices, others maybe get spotted by vulture lawyers and had only one piece wrong and had to pay for it a 4- or 5-digit amount of money...
Richard_Synapse wrote:
ghettosynth wrote:
Not to derail the topic too far, but, isn't ZeroG located in the UK? Just asking because I've yet to get a GDPR email from them? Plenty of flash offers though!
If you are not a customer and their newsletter was not GDPR-compliant before, this should stop after May-25. If you bought from them, however, they may be entitled to send you emails (provided you agreed to that at some point).

Richard
Many developers are sending out newsletters right now for re-signup, because (as far as I have gathered in the last days, with all the different opinions on whether EU or local state law decisions are higher ordered in that case) you can only keep your current newsletter subscriber pool if it was completely and the whole time filled through double opt-in and fitting the local law. If you had only single opt-in - well, you can't use them after 25th May I think.

Post

The vulture lawyer thing only works if you actually pay. Extortion generally doesn't play well in courts, as some of those who tried to pull this trick with illegal downloads found out some years ago. It's not the vultures you need to worry about, it's the fines for non-compliance, particularly for serious data breaches.

Be aware that you don't need to have a page called "impressum" or "legal notice"* to comply (this is a common misconception); you need to provide the contact information of the company/person behind the website. If you want to know the exact details that need to be included, you'll have to look it up for Germany. It is pretty common to have a separate page of course.

* I would consider "Imprint" a mistranslation and false friend that is likely to confuse anyone not in Austria or Germany. This terminology normally indicates the translator is not a native English speaker.

Post

Cyforce wrote:
Many developers are sending out newsletters right now for re-signup, because (as far as I have gathered in the last days, with all the different opinions on whether EU or local state law decisions are higher ordered in that case) you can only keep your current newsletter subscriber pool if it was completely and the whole time filled through double opt-in and fitting the local law. If you had only single opt-in - well, you can't use them after 25th May I think.
Subscribers and customers are not the same thing. See Recital 47 in the GDPR, "Legitimate Interest". This doesn't mean you can bother your customers with random nonsense every day but imho you can inform them about important updates, for example.

If a customer explicitly opts out you must not send them anything of course, but that's just common sense.

Richard
Last edited by Richard_Synapse on Wed May 23, 2018 8:44 am, edited 1 time in total.
Synapse Audio Software - www.synapse-audio.com

Post

BMoore wrote:
Urs wrote:
BMoore wrote:
Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
At least for German companies, privacy and user rights have been in place for quite a while (1997 I think). All those parts of GDPR are a piece of cake for us. The largest part of our expenses (again, a 5-digit sum in Euros, maybe 6 if we factor the whole website into it) went into security infrastructure, and moving data from the web (where people always had it, and many still do) to closed servers behind multiple firewalls.

Also, the enormous fines in the law are tied to data breaches, which among hacking and stuff also encompass using the data for purposes other than what consent was given for.
Even more BS.
Oh well. Can't teach em all.
BS? On what? Are you an expert on the German BDSG, which the GDPR was largely based upon? Or do you not believe my claims that we spent so much money?

Oh wait, I think you don't have any insights in any of this.

A few example spendings on data protection, specifically on preventing possible breaches:

- new alarm system with special certification for the office (8000€)
- new cupboards which are lockable (2000€)
- new firewall/router system (4000€) with 10 satellites (500€ or so each) for external people because VPN-no-more
- consultants (few grand)
- external data security officer (few grand per year)
- renting a shredding ton because our small shredder won't cut it anymore (couple hundred bucks a year)

...and that is before the amount of work which went into planning and developing a new information flow & structure, including a website that is fully rendered offline, i.e. has no active server scripts. Done over months and years by people who get actual salaries.

Post

FWIW, the data security officer is only for companies with more than 250 employees AFAIK.

http://www.privacy-regulation.eu/en/recital-13-GDPR.htm
Olivier Tristan
Developer - UVI Team
http://www.uvi.net

Post

otristan wrote:
FWIW, the data security officer is only for companies with more than 250 employees AFAIK.

http://www.privacy-regulation.eu/en/recital-13-GDPR.htm
Nope, you need one as soon as you handle certain employee data (that record-keeping bit?). We have confirmed this with both our data protection authority and - yep - our data security officer.

Furthermore, external data security officers shift a lot of the liability away from the company, which we thought was a good thing during the initial phase of enforceability of the law.
