General Data Protection Regulation (GDPR) - useful/practical tips for small developers

DSP, Plugin and Host development discussion.

Post

There’s obviously a lot of people making a lot of money out of this. My wife’s school are even worried about having their children’s names on their school books. That’s the sort of unnecessary panic it’s causing amongst people who don't really understand this thing.
'and when we got bored, we'd have a world war...'

Post

Cyforce wrote:The worry in my eyes is (...) the admonish-lawyer... which will fly around the web like hungry vultures to send out admonish letters with "we demand XXXX € or we go to court" because a little blog or shop missed something in their GDPR files.
We talked about this problem to our data protection guys.
In short: don't worry about it too much.

If anything about your company or web site (regarding GDPR) is not in order, or appears not to be in order, or could potentially not be in order... then the first report ALWAYS has to go through the data protection authority. Courts will not handle cases like this.

The "vulture" lawyer has to report your company or web site to the appropriate data protection authority, they will then check the claims and contact you, give you a certain time period in which you can either prove that what you're doing is OK or fix anything that was wrong. Finally, they'll check your company or web site again to make sure everything is in order now.

If anything still isn't in order, despite the authority telling you to fix it and giving you an ultimatum to fix it by, only THEN would you get into trouble.

But you can safely refer any "vulture" lawyer who tries to extort you like that to your data protection authority. If they want to take your money for not obeying the law, make them obey the law first and make them go through the legally required instances.
Cheers
Rob
u-he | Support | FAQ | Patch Library

Post

Urs wrote:
otristan wrote:FWIW, the data security officer is only for companies with more than 250 employees AFAIK.

http://www.privacy-regulation.eu/en/recital-13-GDPR.htm
Nope, you need one as soon as you handle certain employee data (that record-keeping bit?). We have confirmed this with both our data protection authority and - yep - our data security officer.

Furthermore, external data security officers shift a lot of the liability away from the company. Which we thought is a good thing during the initial phase of enforceability of the law.
Well, they explicitly say:
"To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping"

Except if you process sensitive data like health or stuff like that, which is not the case in our business.
Olivier Tristan
Developer - UVI Team
http://www.uvi.net

Post

otristan wrote:Except if you process sensitive data like health or stuff like that, which is not the case in our business.
I'm not sure what the actual reason is, but the guys were pretty clear that we need a data security officer. In any case, it isn't a big deal to have one - even if it turns out we were advised poorly (by the data protection authority nonetheless), it's not like we're not allowed to have one :clown:

Post

I also dunno the exact legislation, but we are well below 250 and have a DPO. Seeing as she is our in-house legal expert, I'm guessing she actually read the requirements.

Post

As I understand it: You need a DPO as soon as you have 10 or more people (employed) handling personal data regularly.
There seems to be some ambiguity about the owner(s) counting or not.

Cheers,

Tom
"Out beyond the ideas of wrongdoing and rightdoing, there is a field. I’ll meet you there." - Rumi
Sculptures ScreenDream Mastodon

Post

ThomasHelzle wrote:As I understand it: You need a DPO as soon as you have 10 or more people (employed) handling personal data regularly.
If you have references regarding this requirement, don't hesitate to post the URL.
Didn't find such information so far.
Olivier Tristan
Developer - UVI Team
http://www.uvi.net

Post

otristan wrote:
ThomasHelzle wrote:As I understand it: You need a DPO as soon as you have 10 or more people (employed) handling personal data regularly.
If you have references regarding this requirement, don't hesitate to post the URL.
Didn't find such information so far.
A central place for good information was the German magazines c't and iX:
https://www.heise.de/suche/?q=DSGVO&sea ... rt_by=date
Another great resource (also German) is:
https://www.datenschutzzentrum.de/dsgvo/
And especially this one:
https://datenschutzzentrum.de/artikel/1201-.html
"Demnach ist eine Benennung eines DSB auch in folgenden Fällen erforderlich:

- es werden in der Regel mindestens zehn Personen ständig mit der automatisierten Verarbeitung personenbezogener Daten beschäftigt oder
- es werden Verarbeitungen vorgenommen, die einer Datenschutz-Folgenabschätzung nach Art. 35 DS-GVO unterliegen oder es werden personenbezogene Daten geschäftsmäßig zum Zweck der Übermittlung, der anonymisierten Übermittlung oder für Zwecke der Markt- oder Meinungsforschung verarbeitet;
dann muss unabhängig von der Anzahl der mit der Verarbeitung beschäftigten Personen ein DSB benannt werden."
Which basically translates to:
"Therefore a DPO is also necessary if:
- there are at least 10 people working regularly on the automated processing of personal data, or
- there is processing that requires a data-protection impact assessment according to §35 GDPR, or there is commercial processing of personal data for transmission, anonymised transmission or for the purpose of market or opinion research. Then a DPO is necessary independent of the number of people working on personal data."
(I'm not a native speaker so I hope I got it right).

Like Urs said, it may be better to be on the safe side and an external DPO may actually release some tension and stress if he/she knows his/her stuff and can help you get over the initial confusion and uncertainty by knowing that you have somebody who is specifically responsible for it.

Cheers,

Tom

P.S. Another good German source: https://www.lda.bayern.de/de/datenschutz_eu.html

P.P.S. Regarding cookies it's not so clear-cut: if you use cookies only for things like saving the chosen language of the visitor, the volume of your audio player or items in a shopping cart, without creating any kind of ID for the visitor, the usage does not need a cookie banner.

P.P.P.S. Another interesting blog of a German lawyer: https://www.delegedata.de/
"Out beyond the ideas of wrongdoing and rightdoing, there is a field. I’ll meet you there." - Rumi
Sculptures ScreenDream Mastodon

Post

This seems to be a German-only requirement:

https://www.itgovernance.co.uk/data-pro ... r-the-gdpr

There is also scope with the Regulation for each EU country to specify other circumstances in which a DPO needs to be appointed. Data protection laws in Germany, for example, require every business with ten or more employees that permanently process personal data to appoint a DPO.
Olivier Tristan
Developer - UVI Team
http://www.uvi.net

Post

otristan wrote:This seems to be a German-only requirement:

https://www.itgovernance.co.uk/data-pro ... r-the-gdpr

There is also scope with the Regulation for each EU country to specify other circumstances in which a DPO needs to be appointed. Data protection laws in Germany, for example, require every business with ten or more employees that permanently process personal data to appoint a DPO.
I just tried to look it up on the main GDPR website but it can't be reached... ;-)
https://www.eugdpr.org/gdpr-faqs.html
Originally the idea was to have one regulation for the whole of the EU, but it seems that this went down the drain - Austria issued a set of laws that make the whole thing a toothless joke there.

We'll see how it goes, but the statement of one of the main guys behind the whole thing, that it will reduce bureaucracy is a joke already. :party:

Sorry for the noise if what I posted isn't accurate for France.

Cheers,

Tom
"Out beyond the ideas of wrongdoing and rightdoing, there is a field. I’ll meet you there." - Rumi
Sculptures ScreenDream Mastodon

Post

We're waiting to see what impact it has on business next week - we rely on a *lot* of external traffic (we're a massive data processor) and it could well be we see a huge drop in traffic next week as everyone suddenly stops passing on things they weren't meant to be.

With half of the office on holiday due to a public holiday and school breaks, it could be both very quiet and very nerve-wracking in the office.

Post

So today we got the final document with the GDPR compliant privacy statement - in German. After a lot of formatting we have that online, and we've sent it to a translator.

:phew:

Post

Urs wrote:
BMoore wrote:
Urs wrote:
BMoore wrote:
Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
At least for German companies, privacy and user rights have been in place for quite a while (1997 I think). All those parts of GDPR are a piece of cake for us. The largest part of our expenses (again, a 5-digit sum in Euros, maybe 6 if we factor the whole website into it) went into security infrastructure, and moving data from the web (where people always had it, and many still do) to closed servers behind multiple firewalls.

Also, the enormous fines in the law are tied to data breaches, which among hacking and stuff also encompass using the data for purposes other than what consent was given for.
Even more BS.
Oh well. Can't teach em all.
BS? On what? Are you an expert on the German BDSG, which the GDPR was largely based upon? Or do you not believe my claims that we spent so much money?

Oh wait, I think you don't have any insights in any of this.

A few example spendings on data protection, specifically on preventing possible breaches:

- new alarm system with special certification for the office (8000€)
- new cupboards which are lockable (2000€)
- new firewall/router system (4000€) with 10 satellites (500€ or so each) for external people because VPN-no-more
- consultants (few grand)
- external data security officer (few grand per year)
- renting a shredding ton because our small shredder won't cut it anymore (couple hundred bucks a year)

...and that is before the amount of work which went into planning and developing a new information flow & structure, including a website that is fully rendered offline, i.e. has no active server scripts. Done over months and years by people who get actual salaries.
First. Yes, I'm an expert on GDPR, the German BDSG, and the UK DPA.

Second. I don't give a rat's ass about how much you've spent on this.
Although it might tell us that you really didn't have proper security for your users before.

And third. The fines are not tied to data breaches.
I don't know why you're so hung up on data breaches only. You might be in for a surprise later.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats

Post

BMoore wrote: First. Yes, I'm an expert on GDPR, the German BDSG, and the UK DPA.
Cool. Our consultants would pretty much say the same.
Second. I don't give a rat's ass about how much you've spent on this.
Although it might tell us that you really didn't have proper security for your users before.
That is correct. The GDPR has been an eye opener for me. I trust I'm not alone.

(it would be helpful if you used more precise language to say what exactly you criticise instead of just throwing swearwords - I had no way of distinguishing which argument you were making)
And third. The fines are not tied to data breaches.
I don't know why you're so hung up on data breaches only.
I'm hung up on data breaches because there's particular emphasis on them (see the emphasis on immediacy when reporting them to data protection authorities), and various consultants reckoned that the full extent of fines will happen on data breaches when companies could have prevented them.

I have never said that it is "all about data breaches", but you'll have a hard time convincing me that data breaches (including using data for purposes not given consent for) aren't a strong motivator for the law.
You might be in for a surprise later.
That a threat?
Last edited by Urs on Wed May 23, 2018 8:38 pm, edited 1 time in total.

Post

Sounds like yet another crazy EU law, which costs a lot to implement and yields poor results.
As long as a company is online, privacy and safety are just an illusion. As soon as data leaves the EU, adiós data protection. In Germany even public organizations are selling citizen data to companies, and it's legal.

Do developers who outsource the whole shopping part to a third-party service provider also have to invest in all that security?

German Abmahn parasites will like that new law, though.

I remember a text on the EU-US data protection shield or whatever it is called. It is a joke.
Last edited by fluffy_little_something on Wed May 23, 2018 8:40 pm, edited 2 times in total.
