
GDPR – A Practical Guide for Developers (2017) - FooBarWidget
https://techblog.bozho.net/gdpr-practical-guide-developers/
======
havkom
I just want to point out that a lot of the article is the author's own opinion
on how the regulation should be implemented in software, and a lot of things
are probably not needed normally and would be a burden for businesses.

My own take (and the take of most European data protection lawyers I meet) is
that consent is not needed, and also possibly is inappropriate in 90% of the
cases - instead the “legal basis” called “legitimate interest” should be used.
This is where you do your own judgement of whether your data processing is
reasonable. Imagine if you yourself always had to consent to all common sense
use of your personal data, what a hassle!

If you use legitimate interest, also skip the “under 16” part, consent
checkboxes and re-request consent part of the article (of course there is more
to it, but I would not get into that unless you are doing data processing you
do not think the data subjects in general would approve of).

Functions that allow the users to delete and automatically download/access
their own data are good practice for legitimate interest but not needed. You
are anyway in general allowed to deal with these types of requests on a case by
case basis if you provide your data subjects with an email address.

What you should do though is automatically delete data that you do not need
anymore, such as old logs, contact details of customers long gone, old backups
etc.

The parts on encryption, “you should create an API” etc. are not required but
may be good practice. Just make sure you have normal OK data and data access
security.

As discussed above, you SHOULD use data for purposes that the customer has not
agreed/consented to. However, never use personal data for purposes that are
not compatible with the purposes you informed your customers of when
collecting the data (normally stated in your privacy notice on your web site).
If you did not have a privacy notice at the time of collection pre-GDPR, what
is a compatible purpose will be a judgement call from the context of
collection.

~~~
nawitus
This is the biggest problem with GDPR, there's no agreement what it means, but
it will go into effect in a few weeks.

~~~
grabeh
What makes you say that there's no agreement as to what it means?

It feels like I see this sort of view expressed quite frequently. My guess is
that it's primarily because people want a reason not to look to comply in lots
of cases, or to dismiss GDPR. "How can we comply if no one knows what it
really means to comply".

In many cases, the GDPR simply reiterates/builds upon existing data protection
law which has a wealth of interpretative decisions and guidance. In other
areas, the Article 29 Working Party has been issuing guidance on specific
aspects of GDPR.

Yes, the GDPR is a lengthy piece of legislation but there are straightforward
steps people can take and they generally centre around respecting users' data.

~~~
Silhouette
_What makes you say that there's no agreement as to what it means? It feels
like I see this sort of view expressed quite frequently._

One fundamental problem is that the GDPR, if interpreted literally and fully
enforced to the letter, is absurdly onerous for any small organisation and
allows for fines that pose an existential threat without any requirement for
proportionality.

Defenders of the GDPR, including some of the official regulators, often argue
that concerns are exaggerated and regulators are likely to take a more
pragmatic approach, trying to educate those breaching the rules rather than
coming in with crippling fines. Maybe that will turn out to be true, but in
past instances of overly powerful or broad EU rules, there certainly have been
cases of heavy-handedness by regulators and courts, so it is illogical to rely
on another result this time.

In any case, pragmatic enforcement would not make the law itself any better.
Those responsible for working with personal data still have to err on the side
of going too far in their efforts to comply, and thus finding themselves at a
disadvantage compared to their competition who do not, or not going far
enough, and then risking a regulator dropping the sword of Damocles at any
time, with no objective standard for "far enough".

~~~
grabeh
Sure, I see where you're coming from. I guess we'll just have to wait and see
whether data protection authorities start dropping 20 million Euro fines on
people from day 1 for breaches of the law. My view and instinct is that this
won't happen. Even with the relatively low level of fines at present, in the
UK for example the Information Commissioner's Office has rarely reached the
limit.

However, can you give me specific examples of where it would be 'absurdly
onerous' to comply? I assume you're talking about restriction of processing,
data portability, rights of erasure in the main? Yes, this creates costs, but
overall these are minor matters compared to what the regulators will actually
focus on which is blatant misuse of consumer data and failure to implement
appropriate security measures.

Also, can you give me examples of heavy-handedness by regulators and courts in
relation to EU rules? The main example that could potentially fall within this
bracket relates to anti-competitive behaviour. In relation to privacy-related
matters, the revised E-Privacy Directive in relation to cookie consent was
widely ignored without any real ramifications that I'm aware of. On existing
data protection law generally, data protection authorities have been
relatively restrained in my experience, with the larger fines coming from
blatant misuse of personal data or data breaches where even basic security
protections were not in place.

What detrimental effects do you think will follow from complying with GDPR
compared to those who do not? I'm not saying there won't be any but would be
good to understand if you have any specific examples. Do you imagine that
whilst some organisations strain to comply with GDPR, others will be forging
ahead with new features and capturing market share?

Another point on competition is that on one view, because GDPR is expanding
the territorial scope this levels the playing field to an extent. Increased
fines also create a disincentive to engage in behaviour harmful to users'
privacy. I appreciate that enforcement will likely remain an issue for those
outside the EEA depending on the nature of the entity. I cannot imagine that
Google would simply avoid paying the previously levied fines, depending on how
the appeals go.

My experience is that many businesses are not falling over backwards to comply
with GDPR. I certainly haven't seen businesses going 'too far' in looking to
comply. Businesses that have taken sound advice have adopted a risk-based
approach to GDPR compliance, assessing where the greatest risks are and acting
accordingly. The regulatory focus will not be on small businesses, but instead
on players like Google, Facebook and those losing vast quantities of user
data.

~~~
Silhouette
_Sure, I see where you're coming from. I guess we'll just have to wait and
see whether data protection authorities start dropping 20 million Euro fines
on people from day 1 for breaches of the law. My view and instinct is that
this won't happen._

Of course it won't, but the unlikelihood of the extreme position doesn't make
the broader risk of an excessive or heavy-handed response any better.

_Also, can you give me examples of heavy-handedness by regulators and courts
in relation to EU rules?_

Sure: one of my own businesses received a letter from a national tax authority
in another EU member state shortly after the new VAT rules for digital sales
came in, alleging that we had committed serious tax offences, demanding
payment of money we couldn't possibly afford by a deadline that wouldn't even
allow time for consulting lawyers or accountants, and threatening immediate
and very scary action against us if we did not comply. At first, we thought it
must be some kind of hoax, but then the terrifying reality that we really were
being threatened by a state actor with enough power to wipe our fledgling
business from existence dawned.

If you've never been on the wrong side of a government mistake, you might
suggest that our concern over that letter was overblown, paranoia even. Surely
no government would not only make such a mistake but then follow through and
cause real damage, right? Well, writing as someone who unfortunately has
previously been the victim of another serious government mistake in connection
with tax affairs, and had life turned upside down for several months trying to
sort it out with very real and very scary consequences, I can personally
assure you that concern about the consequences when the system goes wrong is
quite justified.

_What detrimental effects do you think will follow from complying with GDPR
compared to those who do not?_

Do you mean what is the cost of compliance for those who try to comply, as
compared to just ignoring the rules? The cost is all the overhead of writing
documents and conducting audits and setting up systems you might never need,
just so that you can tick the right boxes. There are plenty of estimates
around suggesting that actually carrying out all the work suggested in black
and white on the ICO's guidance for data controllers and data processors would
take weeks and costs tens of thousands of pounds at a minimum. There are a lot
of microbusinesses, which of course are covered by this law just like anyone
else, where that represents literally their entire annual turnover and
probably a substantial proportion of the total time they have available to do
their work in a year.

_Do you imagine that whilst some organisations strain to comply with GDPR,
others will be forging ahead with new features and capturing market share?_

I'm absolutely sure that will be the case, just as it was with things like the
new VAT or consumer protection rules before.

As a direct personal example again, that same business I mentioned before lost
weeks of developer time updating systems to comply with the EU VAT rules,
including a substantial part of one of our developers' Christmas holiday
because the rules came into effect right at the start of the year and guidance
was still being updated just days before. We later discovered that hardly any
other businesses of our size or even substantially larger were even making a
serious attempt to comply, essentially meaning that we had wasted all of that
time and money trying to do the right thing, while others including our
competitors were apparently committing tax fraud with impunity.

As another direct personal example, not only did we have to spend time and
money updating systems to comply with the new consumer protection rules for
online sales a few years back, we also saw a noticeable drop in conversions
because of the scary legal wording we are now required (and this is directly
from our lawyer) to display prominently during our checkout process, even
though in reality we had always offered significantly better conditions for
our customers than anything those consumer protection rules actually required
anyway. And of course any competitor outside the EU was free to continue with
the streamlined checkout process they had, no scary wording required.

_My experience is that many businesses are not falling over backwards to
comply with GDPR. I certainly haven't seen businesses going 'too far' in
looking to comply._

Are you advising my business to knowingly break the law?

_Businesses that have taken sound advice have adopted a risk-based approach
to GDPR compliance, assessing where the greatest risks are and acting
accordingly._

What did that advice cost, and what proportion of small or micro businesses do
you think have paid to receive it?

_The regulatory focus will not be on small businesses, but instead on players
like Google, Facebook and those losing vast quantities of user data._

So they said about the VAT rules, a few weeks before a government organisation
against which my business and I had no meaningful defence threatened to
destroy a large part of my life that I and others had spent several years
building. You'll forgive me, I hope, if I don't take their word for it this
time.

------
DangerousPie
I really don't understand how this is going to work in practice for small side
projects with a single part-time developer. How are they supposed to afford
implementing all these changes, none of which seem trivial or even practical
for your standard little PHP site?

So if I run a forum as a side project, what are my options?

1) Spend all free time over the next few months adding these features and
neglect any other work on the project.

2) Ignore the GDPR and hope nobody complains.

3) Shut down the side project.

Of course if you're Facebook or Twitter you just assign a few developers to
this and you'll be fine. But I don't understand how this will not end up
killing small-time web companies, or at least make them a lot less feasible to
create.

I suspect many people will go for (2) and hope this fizzles out the same way
the cookie law did.

~~~
powvans
It looks like the maximum fine is 4% of annual revenue... seems like the
regulation has no teeth if you have no revenue. IANAL and could be totally
wrong.

To your point about small companies, I agree, it feels onerous.

What irks me about the right to be forgotten is that it directly counters my
right to remember things. Should a shop keeper be allowed to record their
observations about who enters their store each day? If they maintain a
physical guest book in their brick and mortar store, does a visitor have a
right to be erased from that book?

~~~
pbhjpbhj
Re the last question, yes, absolutely. Why would data format matter?

~~~
powvans
I don't think it matters to the principle, but rather to the practicality.
It's now practical to aggregate massive amounts of data and create a privacy
concern that's unlikely to have existed in the world of offline records.

The principle is freedom of speech. If you tell me that I cannot write down
the names of the people who came to visit me today without their permission,
you are violating my right to freedom of speech.

------
boggio
God damn it EU, all these regulations make it impossible for small companies,
indie developers to cope with all the bureaucracy.

The VAT for digital products, now the GDPR.

10 more years of regulation and you will spend 90% of the time working on
implementing legal requirements and 10% on the actual product.

~~~
lucideer
GDPR—while vastly different to what has become the de facto standard practice
in most companies—is largely simple, basic, common decency and common sense.
My very tiny startup won't have any problems complying because we've actually
given a smidgen of consideration to our users' privacy up until now.

In fact, I foresee it being a much greater tax on large corporations: the work
in GDPR is not compliance—that's relatively easy once you have procedures in
place—the real work is converting existing non-compliant systems to bring them
into compliance. This is going to be much easier for those maintaining
relatively small, simpler systems, and easiest of all for brand new startups.

~~~
crazygringo
I'd hardly say that. "Forget me" can take a lot of design work (can introduce
a _ton_ of edge cases). "Export data" requires building an entire information
processing pipeline.

Larger corporations have the resources to dedicate to this. But for a small
startup deciding between spending 4 dev-months on "forget me" and "export
data" versus on enabling the top 3 new primary use cases users are asking for,
I understand how this could feel really difficult.

I really wonder if it wouldn't be better to make some of the requirements only
for companies above a certain revenue threshold or the types of data
collected. (E.g. export data is critical for health or finance-related sites,
probably less so for a meme generator startup.)

~~~
geocar
I would. I'm doing some GDPR consulting at the moment and most of my
conversations are "I don't think it's as complicated as you do". Americans
tend to read law very pathologically unless they are familiar with how
European legislation works, and every programmer out there thinks they are an
armchair lawyer since there are "obvious" skillset similarities between
decoding software and decoding law.

"Forget me" is very simple: If someone calls you up and asks you to stop using
their data, you stop using it and remember that they've done this.

You do _not_ have to:

- Destroy invoices

- Delete web logs

- Delete the record of them asking you to stop using their data

- Reprocess all of your backups

- Recall any reports you might have sent out

Or anything else that is silly. But your salespeople aren't allowed to see
that person's details in your CRM anymore.

"Export data" is also very simple for most companies. If you have a CRM
containing information about a person, then that person can ask for that
information.

> probably less so for a meme generator startup

What possible "personal information" do you think a meme generator startup
actually has to collect on individuals that aren't their customers?

They should have a CRM containing companies who are purchasing advertising
space on their meme generator startup, and perhaps leads that they have
obtained through various incremental marketing sources. They probably do not
have any personal information on their users, or if they do, their business
will not be impacted by simply not collecting that personal information.

But maybe I don't understand what a "meme generator startup" would do because
I'm not in their target market.

~~~
Silhouette
You keep mentioning how you're consulting on this issue at the moment and
claiming that those of us more cautious than you just don't understand how
European law works. Would you mind sharing a little more to justify that
authority -- what qualifications do you have that we don't, what sorts of
business are you consulting with and how much is compliance (including your
advice) costing them, and why is your interpretation of the GDPR reliable in
cases where a literal reading either clearly contradicts you or contains
significant ambiguity that you imply doesn't matter?

~~~
geocar
Hi Silhouette,

I'm not claiming anyone more cautious than me doesn't understand how European
law works. That's just silly.

I also don't know what qualifications I have that you don't. What
qualifications do you have?

The sorts of business I am consulting to are sales and marketing agencies
based in the US. As an SME I work with their in-house counsel to help them
understand what the business is doing. I also help define processes designed
to make compliance obvious and transparent surrounding areas of my expertise.

I have no idea how much compliance is costing them. I don't know if they look
at it this way.

Your last "question" consists of some more straw man and a little too much
hand-waving: By all means, feel free to point to any contradiction with a
specific recital and I can try to address it. If you have another source who
claims to be an expert, I can also try to explain why I may have a different
opinion than them.

~~~
Silhouette
First of all, please let me apologise if my previous comment came across as
unnecessarily aggressive. Looking over the thread today, it could be read as
quite hostile, which wasn't my intent.

My concern here is that in this discussion (and indeed in other recent HN
discussions around the GDPR), you have on several occasions relied on your
role as a consultant to support statements that various actions weren't
necessary because of the GDPR, and to dismiss some of the potential legal
arguments/concerns that several of us have raised suggesting otherwise as if
they are some sort of legal trickery and EU courts/legal systems would not
like them.

I claim no special qualifications in this area. I'm just a guy who is running
businesses that might be affected by the new law and wants them to do the
right thing, but wants that right thing to be practical and to know that we're
on safe legal ground with it. Naturally I also talk to others in a similar
position from time to time, and occasionally with consultants or lawyers
active in the field, and so I know that many others share similar concerns and
are asking the same sorts of questions.

What I'm seeing is that most of the experts are arguing for things like a
"risk-based approach", which is the standard CYA consultant/lawyer answer to
almost anything where they can't say "We don't actually know either, but
you'll probably get away with it if you don't rock the boat". My point is that
this is not good enough. The EU and member state authorities have form, as
I've written about elsewhere, for introducing overly broad laws with
insufficient safeguards and insufficient consideration for small businesses,
and for then causing real and sometimes very serious damage to those smaller
businesses in practice afterwards.

This is why I'm arguing that the GDPR as it stands is a bad law. This is why I
want to see clear, concise, unambiguous answers from authoritative sources on
issues around backups, log/journal-based records, and the like. And this is
why I'm asking what your own qualifications are and what you know that we
don't, given that just a couple of comments up you have casually dismissed
concerns that many of us seem to have as being "silly", when those concerns
are based on reading what the GDPR actually says and the ambiguity that we're
hearing from other experts who don't seem to share your clear view of the
subject.

~~~
geocar
> [I'm just a guy that] wants that right thing to be practical and to know
> that we're on safe legal ground with it.

Then explain clearly and specifically what thing you want to do that you
believe isn't practical. Please say exactly what you want to do that you think
is reasonable but that the GDPR says isn't.

- You don't need to destroy invoices. [1] [2]

- You don't need to delete web logs (if you block out the bottom octet of the
IP addresses) [3]

- You don't need to delete web logs if you're using them to prevent fraud [4]

- You don't need to delete the record of them asking you to stop using their
data [5] [6]

- You don't need to reprocess all of your backups [7] [8]

- You don't have to recall any reports you might have sent out [9]

Those are everything that I labelled as silly with a link to the authority and
a supporting opinion if I think that the authority isn't clear.

If you see someone with a contrary opinion, my offer remains to try and refute
any specific example.

> What I'm seeing is that most of the experts are arguing for things like a
> "risk-based approach", which is the standard CYA consultant/lawyer answer to
> almost anything

The ICO recommends something similar, but it's not just about rocking the
boat: If you're not putting people at risk, and you're not pissing anyone off,
then you're probably not going to have trouble because an honest examination
of your processes isn't going to reveal neglect or recklessness of another
kind.

> and for then causing real and sometimes very serious damage to those smaller
> businesses in practice afterwards.

A citation would be helpful.

I suspect there's a balance: Are we harming a smaller business that was being
inappropriate? Putting people's data at risk? What exactly are we talking
about?

[1]: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

[2]: https://www.planetverify.com/impact-of-the-eu-gdpr-on-accountants/

[3]: https://ico.org.uk/media/for-organisations/documents/1591/personal_information_online_cop.pdf

[4]: http://www.privacy-regulation.eu/en/recital-47-GDPR.htm

[5]: https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/34--guide-to-the-gdpr--right-to-erasure-and-right-to-restriction-of-processing.pdf?la=en

[6]: http://www.privacy-regulation.eu/en/recital-65-GDPR.htm (note especially
you keep the data in order to comply)

[7]: https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-backups-archives-and-right-erasure

[8]: https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf

[9]: https://ico.org.uk/for-organisations/guide-to-data-protection/conditions-for-processing/

------
berkay
"I think all of the above features can be implemented in a few weeks by a
small team. " how to trust the rest of the article after reading this?

------
marten-de-vries
It's interesting to see how the GDPR seems to clash with some popular data
models. For example, git.

Rewriting history of a shared branch is disastrous, but it's currently the
only way to redact, say, an e-mail address someone committed with a couple of
years ago. I'm curious how the various code hosting sites plan to handle that.
Perhaps we'll see an extension of the data model that links commits to
committer UUIDs, with the actual information being linked to that, making
removal easier.

~~~
Neuron4ger
Apparently Git is ok by GDPR as data subjects do not have the right to erasure
if the information is meant for archiving purposes in the public interest [1].

[1] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
(Article 17)

~~~
marten-de-vries
> Paragraphs 1 and 2 shall not apply to the extent that processing is
> necessary:

> [...]

> (d) for archiving purposes in the public interest, scientific or historical
> research purposes or statistical purposes in accordance with Article 89(1)
> _in so far as the right referred to in paragraph 1 is likely to render
> impossible or seriously impair the achievement of the objectives of that
> processing_ ;

(emphasis mine)

I'd not say redacting a git repository does 'seriously impair' processing for
archiving purposes. All the data (with the exception of the redacted e-mail)
is still there, after all.

Still, the hashes will have changed, making the repo less useful for current
users. But that has nothing to do with archival.

~~~
nokcha
What if the purpose of the archiving is to not only record _what_ was changed
but also _who_ changed it?

~~~
marten-de-vries
From the GDPR, recital 45:

> [...] where processing is necessary for the performance of a task carried
> out in the public interest [...] the processing should have a basis in Union
> or Member State law.

I don't think that purpose of archiving has a basis in law.

That said, I do remember my law professor calling the 'right to be forgotten'
one of the weaker parts of the GDPR, and I'm not an expert, so it's possible
I'm missing something.

------
andygcook
Does this apply to internal software like Slack and Github provided by an
employer to an employee?

e.g. An ex-employee requests that all their identifiable data be deleted from
all communication and systems of their former employer. That seems like a
problem for institutional knowledge transfer. Will the employer have to adhere
to that request?

~~~
majewsky
How is identifiable data important for institutional knowledge transfer?

~~~
TheAceOfHearts
I can imagine scenarios where it would be important to know who worked on
something.

For example, using git blame I might learn someone was heavily involved with a
project or feature. Then I might look on our internal Wiki for old posts which
include discussions explaining why certain design decisions were made.

~~~
andygcook
Right, this is the scenario I was thinking of. Most systems that include any
type of communication nowadays require you to use a real identity. An ex-
employee that asks to have their identity obfuscated from all their work
breaks the system of record to answer questions like who worked on what, what
decisions were made by whom, etc.

------
njl
> Restrict processing – in your admin panel where there’s a list of users,
> there should be a button “restrict processing”. The user settings page
> should also have that button. When clicked (after reading the appropriate
> information), it should mark the profile as restricted. That means it should
> no longer be visible to the backoffice staff, or publicly. You can implement
> that with a simple “restricted” flag in the users table and a few if-clauses
> here and there.

The simple hubris in this statement is jaw-dropping. “Just a flag and a few if
clauses! Easy peasy!”

~~~
simonw
This article is one of the best I've seen for describing actual features that
you need to build.

I agree that the specific language here is poorly chosen ("simple" and "a few
if-clauses" are perilously close to the word "just") but I don't think that
should detract from the enormous value the article itself provides.

------
lifeisstillgood
I think the right to be forgotten is a serious flaw in what otherwise is a
major step forward in Data handling law.

Data today has been compared by Schneier to pollution in the industrial
revolution. The GDPR is probably the first anti-pollution law with real bite
and with a real grasp of just how far this all goes (the extra-territoriality
etc)

This does not make this a perfect solution. I honestly don't think that "being
forgotten" actually makes sense as a right - it seems to have sprung from some
unusual case law in the ECJ and could much more easily be dealt with by a "do
not further process".

But we genuinely can always find ways to implement new laws - the most obvious
is to encrypt user data, and then lose the key, but beyond that I think the
_best_ outcome of all this is to _stop moving data around so much_. Moving
data from system to system is a smell in my view - and one that an EU law is
going to help architects the world over realise they are doing wrong.
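
The "encrypt user data, then lose the key" approach from the comment above, as an added Go example (not code from this thread or the linked article): each data subject gets their own AES-GCM key in a vault that ordinary backups do not include, so erasure is a single key deletion and restoring an old backup cannot resurrect the data. The Store type and its Put, Get, Forget, Backup and Restore methods are names chosen for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrForgotten: ciphertext still exists somewhere, but its key is destroyed.
var ErrForgotten = errors.New("subject key destroyed; record is unreadable")

// Store keeps one random AES-256 key per data subject in a key vault that is
// excluded from ordinary backups, and only nonce||ciphertext blobs in the
// records table that the database, its replicas and its backups contain.
type Store struct {
	keys    map[string][]byte // subject ID -> key (the vault)
	records map[string][]byte // record ID -> nonce||ciphertext
	owner   map[string]string // record ID -> subject ID (not secret)
}

func NewStore() *Store {
	return &Store{map[string][]byte{}, map[string][]byte{}, map[string]string{}}
}

// keyFor returns the subject's key, generating one on first use.
func (s *Store) keyFor(subject string) ([]byte, error) {
	if k, ok := s.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	s.keys[subject] = k
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under the owner's key; the record ID is bound in as
// associated data so a blob cannot be silently re-attached to another row.
func (s *Store) Put(subject, recordID string, plaintext []byte) error {
	key, err := s.keyFor(subject)
	if err != nil {
		return err
	}
	g, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[recordID] = append(nonce, g.Seal(nil, nonce, plaintext, []byte(recordID))...)
	s.owner[recordID] = subject
	return nil
}

// Get decrypts a record, or reports ErrForgotten if its owner's key is gone.
func (s *Store) Get(recordID string) ([]byte, error) {
	blob, ok := s.records[recordID]
	if !ok {
		return nil, errors.New("no such record")
	}
	key, ok := s.keys[s.owner[recordID]]
	if !ok {
		return nil, ErrForgotten
	}
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt record")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// Forget is the erasure operation: destroy the key and touch nothing else.
// Every copy of the subject's ciphertext, backups included, is now unreadable.
func (s *Store) Forget(subject string) { delete(s.keys, subject) }

// Backup and Restore copy only the records table, as a routine database
// backup would; the key vault is deliberately not part of it.
func (s *Store) Backup() map[string][]byte {
	b := map[string][]byte{}
	for id, blob := range s.records {
		b[id] = append([]byte(nil), blob...)
	}
	return b
}

func (s *Store) Restore(b map[string][]byte) { s.records = b }
```

The trade-off is that the vault becomes the single point that must itself be backed up, access-controlled and audited, since losing it erases everyone at once.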

~~~
deltron3030
Like pollution laws, it's nonsense if not enforced worldwide. The web can't be
contained to a specific locality anymore, it's against the core idea of the
technology. The people in the EU who are responsible for this have no clue
about the technology.

~~~
lifeisstillgood
The GDPR specifically states that any processing of EU citizens' personal /
private data

Essentially two huge things come out of GDPR - personal data about an EU
citizen _belongs_ to that citizen, and if you process data about an EU citizen
even if you are out of the EU, you are covered by this law (extra-
territoriality).

These are huge forward thinking political steps. They do get this stuff. I
just think the deletion part is a mis-step.

~~~
deltron3030
It just sounds good, but in a more or less open world, small businesses
selling digital products will just block EU access, even if they're physically
located in the EU. Opening a company in the US is easy.

------
goblin89
I’ve been reading the EU’s General Data Protection Regulation, and it seems to
contain certain loopholes that may be exploited by less than honest agents.
The sad possibility is that the mere existence of such loopholes can push
otherwise law-obedient small companies towards mostly ignoring GDPR in order
to remain competitive.

For example, there’s this huge “if” concerning personal data removal,
reiterated in multiple sections of GDPR. Quoting the very first section about
data processing principles[0], personal data _can_ be stored even after you’ve
achieved the initial explicitly stated purpose, as long as it:

> _will be processed solely for archiving purposes in the public interest,
> scientific or historical research purposes or statistical purposes in
> accordance with Article 89(1) subject to implementation of the appropriate
> technical and organisational measures required by this Regulation in order
> to safeguard the rights and freedoms of the data subject (‘storage
> limitation’)_

How wide is the range of activities that can be reasonably claimed to be for
scientific or statistical purposes, or for safeguarding the rights and
freedoms of your user? How strictly would this be enforced in cases where
scientific and statistical purposes are closely intertwined with commercial
interests, as it often happens?

Meanwhile, the referenced Article 89(1)[1] doesn’t seem to take a hard stance
except for requiring “data minimization”. Even pseudonymisation is explicitly
optional, as long as you’ll have a convincing argument that pseudonymising the
PII you’ve collected prevents you from fulfilling your “statistical purposes”.

I’m not a lawyer and I’m wondering if someone with more expertise can weigh in
on this.

[0] [https://gdpr-info.eu/art-5-gdpr/](https://gdpr-info.eu/art-5-gdpr/)

[1] [https://gdpr-info.eu/art-89-gdpr/](https://gdpr-info.eu/art-89-gdpr/)

~~~
grabeh
Any exceptions to the regulation will inevitably be subject to a narrow
interpretation particularly if it is clear that someone is looking to do
something which is outside the spirit of the regulation.

------
elnygren
GDPR and Kappa/event sourcing/message queue based/you name it architecture
goes together nicely as you get audit logs of everything and it should be
quite doable to propagate "delete this person's data" events around the place.

It's a huge hassle compared to what many companies are doing with customer
data now but I think it's for the best.

Most things about GDPR go like "Does it feel a bit shady? It probably is.
Don't do that." (depending on your moral compass of course)

One thing is for sure: there's a lot of opportunities for consultants as all
the big companies need help to resolve the mess of legacy systems storing
customer data.

~~~
espadrine
I didn't realize it until reading this post, but certain _very popular_
technologies break GDPR in a deep way.

Bitcoin, for instance, contains a wealth of personal information, which by
design is public, persisted forever, and immutable.

Are blockchain products all going to need a full rewrite or a complicated hard
fork?

What about the Wayback Machine? Will they need to have an endpoint that every
company will need to call for every “right to be forgotten” request worldwide?

~~~
pbhjpbhj
What personal information does bitcoin contain?

~~~
espadrine
All payment orders and credit transfers to and from all accounts.

For any Bitcoin address you find on the Web.

~~~
pbhjpbhj
How is that personal, how is it connected to a person?

~~~
espadrine
On the off-chance that you are not asking this in bad faith…

All speculators go through a KYC with their exchange, which identifies them
very precisely.

All other users paste it publicly, saying “I own this account! Send me money.”
And even those users often have to convert it back to fiat, which requires an
exchange, which makes them go through a KYC.

~~~
pbhjpbhj
Ah, right, Bitcoin _exchanges_ in the USA, and elsewhere, harbour personally
identifiable information. Bitcoin doesn't impose it, but it's a practical
requirement in some jurisdictions.

(KYC = know your customers)

------
hanoz
As a freelance developer I'm quite sure that if I were to force my clients to
comply with as strict an interpretation of GDPR as this, I would pretty
shortly find myself replaced by a freelance developer with a more relaxed
attitude to GDPR compliance.

~~~
sb8244
This is probably true. If I were in this situation, I would probably only make
suggestions and not force compliance.

------
nawitus
> I think all of the above features can be implemented in a few weeks by a
> small team.

That's... optimistic in the enterprise world.

------
zavi
Practical guide to developers - build your product in the US, then expand to
the Indo-Pacific. Don't bother with rolling out to Europe. AI is the future of
business & healthcare, which, due to its inherent need for data, is incompatible
with anti-data-sharing laws such as GDPR. The population is rapidly aging in
Europe (47.1-year-old average in Germany, 42.9 in the EU), so you might as well
set your business up for the long term by pivoting to the region where growth
will take place (and where the general population is more accepting of emerging
technologies that rely on easy access to data).

~~~
scrollaway
This is the worst advice in this thread. Not only do you lose the European
market for no good reason and on logic you might hear from moon landing
conspiracy theorists, but you don't even solve your issue as you will still
have European users no matter what. People do travel.

~~~
zavi
If you don't have physical assets in Europe which can be seized then whether
or not traveling Europeans decide to use your service is irrelevant. GDPR is
not going to force you to take down your service in the US or India. It's kind
of like a Saudi visiting California and requesting that local gay people be
stoned as per the law of their land - not going to happen.

------
YetAnotherNick
What about things explicitly designed in a way that there is no option to be
forgotten? What about commits in version control sites? What about mailing
lists?

From skimming over the spec, it seems that politicians haven't thought about
any other sites than social networks or some other profit-making sites. Even
in that case, if some ML system is trained on the data of the customer, do
they have to re-train after anyone invokes the right to be forgotten?

~~~
smarx007
Well, if your model can guess my name from 100 browser history entries,
then yes, I want the law to require you to retrain your model once I invoke
that right.

An interesting matter is the use of a blockchain-like scheme. I guess the law
would mean you can't put GDPR-protected information in a public distributed
blockchain, but instead use identifiers to decouple GDPR info from that ID.
And the invocation of that right to be forgotten would require us to
permanently delete the entry linking that identifier to a user.
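The three ideas above (lifeisstillgood's "encrypt user data, then lose the key", elnygren's event-sourced log where "delete this person's data" has to be propagated, and smarx007's pseudonymous identifier whose linking entry is destroyed) are one pattern, often called crypto-shredding. The following is an added example written for this thread, not code from any commenter: PII is held only in a per-user encrypted blob, everything immutable or replicated (the event log) carries a random pseudonym, and "forget me" destroys the key. The HMAC-based keystream cipher is an assumption made so the block runs on the Python standard library alone; a real system would use an AEAD such as AES-GCM, and the forgetting logic would be the same.

```python
"""Crypto-shredding with pseudonymous identifiers (added example, not code
from the thread). PII lives only in a per-user encrypted blob; everything
immutable or widely replicated carries a random pseudonym. "Forget me" throws
away the key, so copies of the blob that survive elsewhere become noise."""
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

# Illustrative cipher: HMAC-SHA256 in counter mode as a keystream plus an HMAC
# tag, chosen so the example runs on the standard library alone. A real system
# would use an AEAD such as AES-GCM; the forgetting logic below is unchanged.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raise ValueError on a wrong key or tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


class PseudonymousStore:
    """Mutable key vault + encrypted PII beside an append-only event log."""

    def __init__(self):
        self._keys = {}     # pseudonym -> per-user key: the only link to the person
        self._blobs = {}    # pseudonym -> encrypted PII
        self.events = []    # append-only; pseudonyms only, never PII

    def register(self, pii: dict) -> str:
        # A random pseudonym, not hash(email): a hash can be re-linked by anyone
        # able to guess the input.
        pseudonym = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[pseudonym] = key
        self._blobs[pseudonym] = encrypt(key, json.dumps(pii).encode())
        return pseudonym

    def record(self, pseudonym: str, kind: str, amount_cents: int) -> None:
        """Append an immutable event; this is what gets replicated or archived."""
        self.events.append({"seq": len(self.events), "who": pseudonym,
                            "kind": kind, "amount": amount_cents})

    def resolve(self, pseudonym: str):
        """PII behind a pseudonym, or None once the key is gone."""
        key = self._keys.get(pseudonym)
        if key is None:
            return None
        return json.loads(decrypt(key, self._blobs[pseudonym]))

    def forget(self, pseudonym: str) -> bool:
        """Erasure request: destroy the key. The blob is deliberately left in
        place to stand in for copies in backups that cannot be reached."""
        if pseudonym not in self._keys:
            return False
        del self._keys[pseudonym]
        return True

    def orphaned_blob(self, pseudonym: str) -> bytes:
        """What a backup would still hold after forgetting."""
        return self._blobs[pseudonym]

    def totals_by_kind(self) -> dict:
        """Statistics keep working on the log after the person is forgotten."""
        totals = defaultdict(int)
        for event in self.events:
            totals[event["kind"]] += event["amount"]
        return dict(totals)
```

The point of leaving the blob in place after `forget` is that it models the backup or replicated node nobody can reach: without the key it cannot be decrypted, and the only mutable thing that has to be deleted everywhere is the small key vault, which is far easier to keep in one place than the data itself.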

------
muchbetterguy
One of the clearest things I’ve read on the subject.

It is a lot of common sense. Questions over the right to be forgotten vs tax /
legal issues come under the “legitimate interest” clause I think. You should
delete their data except where you are required to keep it. And that may mean
deleting preferences and browsing history, but not their name and address if
you are required to keep it.

I intend to implement a “forget me” feature by anonymising any PID and
potentially redacting things like messages between users on our system. That
way we keep info for stats purposes but don’t have any way to id a person from
the data we hold.

The restoring backups / storing preferences about deletion requests etc. in a
separate DB solution is also a good idea. It shows willing to comply with the
regulation as well, even if it may not strictly be compliant (e.g. until the
backup has synced up with the preferences DB, you still have the PID). I think
so long as you show a lot of willing and progress towards being compliant and
take all practical and reasonable steps to do so, then it shouldn’t be too
much of a burden.

------
5_minutes
This is basically developed to protect users from big abusive companies such
as Facebook, Google, Twitter and big marketing agencies.

But it really is overkill for the local restaurant that wants to mail their
customers.

Using a bazooka to kill some flies.

~~~
cinquemb
It's worse than that, because GDPR in and of itself will not technically stop
users from inadvertently blasting data to any service.

Decentralized services that EU citizens use will be even less in compliance as
data is shared and copied between nodes by default. Sure block a few servers
by spending more resources to find/go through the legal moves than it will
take for a dozen more to pop up… see torrent sites/software and how people are
monetizing such, because that will be the future… laws like GDPR only make
such even more attractive.

And let's just set aside that nation-state actors that are routinely
compromised will still collect this data, which will leak onto the internet…
lol

These laws are analogous to those that were against the printing press…
fighting the tide of reality where it's easier to do nothing than to contort
something to fit a luddite's dream of personal privacy provided by the state
mandates (on top of building a functional product), without having to do
anything oneself to protect one's interest, in the age of deep packet
inspection, 0day-exploit-exfil-as-a-service, and metadata drone strikes.

Would be more effective to just make it law that users have to plug a black
box onto their devices/networks so it can just filter non GDPR colored bytes
lol

------
damontal
What about Wikipedia? User accounts are linked with article edits/history. So
if you delete the user how do you handle their edits?

~~~
marksomnian
Suppression[0] or similar tech. Delete the username associated with the edit,
while keeping the diff around.

[0]: [https://en.wikipedia.org/wiki/Wikipedia:Oversight](https://en.wikipedia.org/wiki/Wikipedia:Oversight)

------
nihonde
This strikes me as all very pie-in-the-sky. I understand the law, and the
policies that it serves, but the article assumes that a company has a single,
centralized data source that you can just put some hand-waving “if then
statements” around to limit access, and that supports perfect cascading of
data from the user down so we can just implement a few checkboxes to
configure, etc. It sounds like good stuff, but that’s not how things work in
the real world, where half your users trade Excel output, and can’t be
bothered to log their interactions with third parties. I’m not saying that
they shouldn’t do it, but they won’t.

------
tobr
I wonder how to deal with data that is accidentally identifiable. For example,
imagine that you are running an anonymous poll or survey. In the general case
that would not identify an individual person, but in some circumstances a
particular collected answer will be unique and could theoretically be
connected to an individual.

In such cases it's not really possible to give individuals control over their
data, because except for the special case the whole point is that it's _not_
connected to an individual...

------
antaviana
For example, imagine you only collect an email at sign-up (no name, no
country) and you state in your EULA that you might use the email to send
onboarding information or commercial communications (promotions, newsletter)
that can be opted out of.

If you do not have any means to know the country where the owner of the email
is located, how do you ensure the right of non-EU citizens to receive the
commercial communications they have agreed to receive in your EULA unless they
opt out later?

If you do not collect your user's country for privacy reasons (I would be wary
of signing up for a trial of a service that wants to know my citizenship), how
can you prevent EU citizens from using your product?

------
tajen
What happens if your service lets users manage their own customers’ data? I
mean, for a product such as Airtables, FieldBookApp, Sharepoint Forms or,
simply, Google Forms: are we, cloud app providers, supposed to ensure our
users don’t put PII data in the spreadsheets, and if they do, are we supposed
to manage their users’ consent and process _their_ users’ requests for editing
and deletion? At the extreme, what should Heroku do for the Postgres databases
they provide to their customers?

I could only find GDPR blogs about apps facing the final users, but they
generally don’t talk about compliance for B2B apps.

~~~
Sylos
In that case, your customer is the "controller" and you're the "data
processor". The whole GDPR is written with such B2B relationships in mind.

Chapter 4 is specifically all about that. Article 28 specifies the situation
for the data processor: [https://gdpr-info.eu/art-28-gdpr/](https://gdpr-info.eu/art-28-gdpr/)

And well, basically your customer has to tell you all of these things in the
contract. (Article 28 Section 3)

Furthermore, if you yourself want to pass that data on to another data
processor, you have to notify the controller of that and tell that data
processor those things that the controller specified in the contract, too.

It's also in the responsibility of the controller to select data processors
that implement "appropriate technical and organisational measures".

That's a term that you should also find plenty of literature and discussions
on. The GDPR specifies somewhat in its recitals: [https://gdpr-info.eu/recitals/no-78/](https://gdpr-info.eu/recitals/no-78/)

And you might also want to get certified that you are GDPR-compliant, just to
make it trivial for customers to see that you can implement those appropriate
organizational and technical measures.

------
skybrian
It seems likely this will lead to increased centralization and/or
standardization as many website owners decide it is too complicated and risky
to write custom software managing their own user accounts.

This might be similar to how merchants often sell through larger websites like
Amazon, or mobile developers sell through app stores.

Or, much like many startups begin with Bootstrap for their CSS and Django
provides a built-in admin user interface, perhaps there will be open source
skeleton web apps that have all the data models and UI needed for GDPR?

It sounds like there will be lots of business opportunities here.

------
GordonS
> Age checks – you should ask for the user’s age, and if the user is a child
> (below 16), you should ask for parent permission

Please tell me this is only required when age is relevant, such as for sale of
alcohol and tobacco?

Otherwise, surely _most_ data holders don't need a customer's age, and this
would be forcing them to collect _more_ personal information!

And personally, as a consumer, I don't _want_ to provide information that
isn't relevant, so I'm more likely to use a competitor that doesn't ask for
such needless PI.

~~~
havkom
If you use “consent” as your “legal basis” and you are asking for consent that
is related to the offering of services over the internet (such as a web shop,
a social media web site, discussion forum, ...), you need to somehow verify
age (16 years normally) or be very clear that under-18-year-olds (“children”)
are not to access your service (and not have evidence pointing to this being
undermined).

Note that the 16-year-old rule applies to “consent” only. As I stated in a
separate comment, “consent” is often not the way to do things. I, and many EU
data protection lawyers I have met, believe consent to be a “last resort”
legal basis for processing personal data. Instead, the legal basis called
“legitimate interest” should normally be used, where you as a company decide
what is reasonable, what you think is needed to achieve the purposes you are
processing data for, and what the data subject would reasonably expect.

There is no under-16 age limit or age verification requirement in general for
“legitimate interest”.

~~~
GordonS
In my own case, we only need customer PI as contacts for billing and support,
so from what I've read, that doesn't need consent.

Thinking about it, I suppose it does make sense to ask users if they are over
16 if you are going to be processing data in a way that _does_ require
consent, just so you know that they can legally give that consent.

~~~
havkom
I believe this is true. In my country (Sweden) it appears like consent outside
of offering internet services may require the data subject to be 18, not 13
(Sweden has made a local adjustment to 13 years of the 16-years old rule
referred to). So this rule may actually be a relief of who can consent to
what.

------
GordonS
What about cookies?

I noticed .NET Core 2.1 is adding a cookie bar, saying it's for GDPR compliance
- but I didn't see anything about cookies in the article?

------
nynno
We've created an open-source client SDK as a starter kit for making apps
compliant with EU GDPR:
[https://github.com/gdprhq/GdprHq.Io.ClientSdk](https://github.com/gdprhq/GdprHq.Io.ClientSdk)

Anyone interested in beta testing/integration?

------
wtfstatists
Let's say I have a bookmark file which contains a list of URLs. It is associated
with one user account. It's likely associated with one person, but I cannot
identify that person. There is no other information associated with the user
account. Is the bookmark file personal data?

~~~
majewsky
In general, it's probably even _sensitive_ personal data. A list of URLs can
potentially identify a person's religious beliefs, sexual orientation,
political views etc.

~~~
wtfstatists
> _A list of URLs can potentially identify a person's religious beliefs,
> sexual orientation, political views etc._

But can he be identified? I believe if it's too difficult to identify using
even "religious beliefs, sexual orientation, political views etc." then it's not
personal data. Though I can't seem to find the link to the page where I read it.

On a similar note, even an IP _alone_ appears to be non-personal data since it
cannot identify a person [1].

From Case 582/14 – Patrick Breyer v Germany [2]

 _On appeal, the Regional Court of Berlin (the "Kammergericht") ruled that IP
addresses in the hands of website operators could qualify as personal data if
the relevant individual provides additional details to the website operator
(e.g., name, email address, etc.) in the course of using the website._

Lol, even the German Govt can't seem to figure out its own laws. They should have
gone to one of those consultants.

[1] [https://www.gdpreu.org/the-regulation/key-concepts/personal-...](https://www.gdpreu.org/the-regulation/key-concepts/personal-data/)

[2] [https://www.whitecase.com/publications/alert/court-confirms-...](https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases)

------
nomercy400
Few questions:

"Forget me" \- What is personal information? Say I have a table with user_id
and username, and an order table with user_id, order_id and other stuff.
If the user requests a 'forget me', what do I delete? Blank the username?
Delete the user_id row? Delete all orders belonging to the user (how would I
report these gaps to tax agencies)? Delete the user from my trained ML model
(is that even possible?).

"Consent checkboxes" \- To what extent can users be forced to give consent or
be denied a service? Like the Cookie law, almost every website requires
you to accept the fact that cookies are used, otherwise your experience is
degraded (e.g. you cannot watch news videos). Or say I want to order something
from a webshop, and in order to place an order, I must consent to sharing my
personal information with third parties for marketing purposes, else I cannot
place the order. Do I have to call them out later? How is this law going to
solve things if it prevents me from using things?

"Export data" / "See all my data" \- What is 'all my data' here? Is it
information I entered when I signed up for a service? Is it information
derived from this data (e.g. my Google search suggestions/ads profile)?

"Don’t assume 3rd parties are compliant" \- if I, the data collector, get
fined because a 3rd-party data processor is not compliant, can I retrieve
part of the losses from the data processor? I mean, OpenID allows sharing a
lot of personal information from data collectors like Facebook and Google with
almost any random site. What can I expect here?

"Consent checkboxes – “I accept the terms and conditions” would no longer be
sufficient to claim that the user has given their consent for processing their
data." \- So if I, as a user, don't give any explicit consent to any personal
information sharing, and in May I receive a marketing email from a party I
don't have an account with (because they sold my personal information prior to
this), I could say they broke the GDPR law?

"Keeping data for no longer than necessary" \- My tax agency requires me to
keep records of orders/sales/invoices up to 5 years ago. If a user requests
deleting their personal information within that time period, what should I do?

"Forget me" \- Say an employee leaves a company, and they request their
personal information to be deleted. What information do I have to delete?
Their Active Directory account? Their salary statements (I need those for tax
agencies)? Their name in the git history? Their name from all minutes of all
meetings they attended? Their name from documentation they wrote?

Some things might be doable to implement in just 8 weeks, if I had clear
guidelines on how to do this, but as of now, I have so many situations where
it is unclear what I should do, and no clear way to get answers, that I don't
know how I can comply with this law within 8 weeks, as a small software
company.

~~~
gls2ro
I will try to answer some of your questions based on my findings so far, as I
am in the process of modifying 3 webapps to be GDPR compliant and I am also
starting a side project.

IANAL and please take this as a starting point. I am not sure that what I
understood is correct, but I read the GDPR and this is what I will implement.

> What is personal information

The definition for this is here [0].

What I am doing is I am creating some docs where I write very clearly what
information I use and for what.

For existing projects I am looking in schema.db and models and extract from
there. For the new one (which will be in Rails) I am thinking to make a gem
like annotate or something for this specific purpose.

Also I am documenting the information that is in logs and I will treat most of
the information the same way I am treating passwords. So far I am looking for
SQL statements, params and custom logging messages.

> Say I have a table with user_id and username, and an order table with
> user_id, order_id and other stuff. If the user requests a 'forget me',
> what do I delete

Nothing so far, if the user_id and username are not related in any way to
anything that can identify a person.

> To what extent can users be forced to give consent or be denied from a
> service?

Here is the phrasing from the GDPR [1]: “the request for consent shall be
presented in a manner which is clearly distinguishable from the other matters,
in an intelligible and easily accessible form, using clear and plain
language.” So in my opinion this is very different from the Cookie Law, as you
must make sure the subject understands for what the consent has been given.
You should also take a look at Recitals 42 and 43 in the beginning of the GDPR,
where they talk about “consent freely given” and they also describe an
imbalanced relation between the controller and the user.

> "Export data" / "See all my data" \- What is 'all my data'

This is part of Article 15 and I think the situation you are describing is
defined by item (3) of that Article. You should correlate it with the
definition of personal data. This means that you should provide data you took
from the personal data subject but also the personal data you got from
anywhere else that is connected to the data subject - see “personal data are
collected from the data subject” and “personal data have not been obtained
from the data subject” as it is described in the titles of Article 14 and
Article 15.

> “I accept the terms and conditions” would no longer be sufficient to claim
> that the user has given their consent for processing their data."

Consent cannot be included in the Terms and Conditions. Due to the Recital 42
in the beginning “consent should not be regarded as freely given if the data
subject has no genuine or free choice or is unable to refuse or withdraw
consent without detriment” and also “safeguards should ensure that the data
subject is aware of the fact that and the extent to which consent is given”

> My tax agency requires me to keep records of orders/sales/invoices up to 5
> years ago. If a user requests deleting their personal information within
> that time period, what should I do?

You keep them. Article 17, item (3) states that “shall not apply to the extent
that processing is necessary” and you should take a look at letter (b) “for
compliance with a legal obligation which requires processing by Union or
Member State law to which the controller is subject”

> "Forget me" \- Say an employee leaves a company, and they request their
> personal information to be deleted.

I think you should delete everything that is not subject to the law and
that cannot be used “for the establishment, exercise or defence of legal
claims”.

Regarding Git or commits, for me it is clear that they will not be deleted, as
they are part of “the purposes for which they were collected or otherwise
processed”. If they are part of a project which is part of a legal contract
with some users or beneficiary, then it is also ok not to delete the Git
commits, because you need the info “for the exercise or defence of legal
claims” in case anyone will ask in a court who did that feature and when.

To be 100% sure one way will be to anonymise Git user (did not try that so
far) by changing the username to something generated like “user0000113” and
email associated with that account.

[0] - [http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN) \- Article 4, item (1)

[1] - [http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN) \- Article 7, item (2)

edit: formatting
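The users/orders question above, the answer's "user0000113" pseudonym and its point that invoice records stay because of a legal retention obligation, and muchbetterguy's earlier "forget me" plan (delete preferences and browsing history, keep the name on records you are required to keep) all describe the same procedure. Here it is as an added example, not code from any commenter: a small SQLite schema, an erasure routine that deletes what has no retention reason, pseudonymises the identity so orders still join to a row, and a scheduled purge that removes a forgotten user's invoice rows only once the retention period has run out. The schema, the sample rows and the 5-year retention period are assumptions for illustration; the retention period in your jurisdiction is whatever your tax law says.

```python
""""Forget me" against a users/orders schema with a retention obligation.
Added example; not code from the thread. Schema, sample rows and the
5-year retention period are assumed for illustration."""
import sqlite3
from datetime import date

RETENTION_YEARS = 5  # assumed bookkeeping retention period

SCHEMA = """
CREATE TABLE users (
    user_id      INTEGER PRIMARY KEY,
    username     TEXT NOT NULL,       -- may be the person's real name
    email        TEXT,
    forgotten_on TEXT                 -- NULL until an erasure request
);
CREATE TABLE preferences (            -- settings, browsing history: nothing obliges us to keep these
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    key     TEXT NOT NULL,
    value   TEXT
);
CREATE TABLE orders (                 -- invoice records, kept for bookkeeping
    order_id     INTEGER PRIMARY KEY,
    user_id      INTEGER NOT NULL REFERENCES users(user_id),
    invoice_name TEXT NOT NULL,       -- name printed on the invoice
    total_cents  INTEGER NOT NULL,
    ordered_on   TEXT NOT NULL        -- ISO date
);
"""


def open_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, NULL)", [
        (113, "jane.doe", "jane@example.test"),
        (114, "gamer42", "gamer@example.test"),
    ])
    conn.executemany("INSERT INTO preferences VALUES (?, ?, ?)", [
        (113, "theme", "dark"), (113, "last_viewed", "/products/42"),
        (114, "theme", "light"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, 113, "Jane Doe", 4999, "2011-03-01"),
        (2, 113, "Jane Doe", 1500, "2017-09-30"),
        (3, 114, "J. Player", 999, "2017-10-05"),
    ])
    conn.commit()
    return conn


def pseudonym(user_id: int) -> str:
    """Generated replacement identity, e.g. user0000113."""
    return f"user{user_id:07d}"


def retention_cutoff(today: date) -> str:
    """ISO date before which invoice rows are past the retention period."""
    try:
        cutoff = today.replace(year=today.year - RETENTION_YEARS)
    except ValueError:  # 29 February with a non-leap target year
        cutoff = today.replace(year=today.year - RETENTION_YEARS, day=28)
    return cutoff.isoformat()


def purge_expired_orders(conn: sqlite3.Connection, today_iso: str) -> int:
    """Delete invoice rows of forgotten users once retention has expired.
    Meant to run on a schedule; returns the number of rows removed."""
    cutoff = retention_cutoff(date.fromisoformat(today_iso))
    cur = conn.execute(
        "DELETE FROM orders WHERE ordered_on < ? AND user_id IN "
        "(SELECT user_id FROM users WHERE forgotten_on IS NOT NULL)",
        (cutoff,),
    )
    conn.commit()
    return cur.rowcount


def forget_user(conn: sqlite3.Connection, user_id: int, today_iso: str) -> dict:
    """Handle an erasure request: drop data with no retention obligation,
    pseudonymise the identity, keep invoices still under retention."""
    cur = conn.cursor()
    cur.execute("DELETE FROM preferences WHERE user_id = ?", (user_id,))
    prefs_deleted = cur.rowcount
    cur.execute(
        "UPDATE users SET username = ?, email = NULL, forgotten_on = ? WHERE user_id = ?",
        (pseudonym(user_id), today_iso, user_id),
    )
    conn.commit()
    # Invoices already past retention can go now; the rest wait for the scheduled purge.
    orders_deleted = purge_expired_orders(conn, today_iso)
    return {"preferences_deleted": prefs_deleted, "orders_deleted": orders_deleted}


def export_user(conn: sqlite3.Connection, user_id: int) -> dict:
    """Subject-access export: everything held against this user_id."""
    user = conn.execute(
        "SELECT user_id, username, email, forgotten_on FROM users WHERE user_id = ?",
        (user_id,)).fetchone()
    prefs = conn.execute(
        "SELECT key, value FROM preferences WHERE user_id = ?", (user_id,)).fetchall()
    orders = conn.execute(
        "SELECT order_id, invoice_name, total_cents, ordered_on FROM orders "
        "WHERE user_id = ? ORDER BY order_id", (user_id,)).fetchall()
    user_cols = ["user_id", "username", "email", "forgotten_on"]
    order_cols = ["order_id", "invoice_name", "total_cents", "ordered_on"]
    return {
        "user": None if user is None else dict(zip(user_cols, user)),
        "preferences": [dict(zip(["key", "value"], p)) for p in prefs],
        "orders": [dict(zip(order_cols, o)) for o in orders],
    }
```

Keeping the `users` row (pseudonymised) rather than deleting it is what lets the retained orders keep a valid foreign key and lets the purge find them later by `forgotten_on`; the invoice name stays on the order only for as long as the invoice itself must be kept, which is the split the comments above describe between data you are obliged to hold and data you merely liked having.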

~~~
nomercy400
Thank you for the long answer. It clarifies some issues. I wish the EU would
put a 'brochure' along with the official law, containing explanations,
examples etc. Our government and official bodies provide these for many of
our nation's contracts or official documents (not the law, but rather housing
contracts). Some follow-up comments:

>> Say I have a table with user_id and username, and an order table with
>> user_id, order_id and other stuff. If the user requests a 'forget me',
>> what do I delete

> Nothing so far if the user_id and username are not related in any ways to
> anything that can identify a person

How do I handle this situation when users get to choose their own username? If
a user uses their own natural name as a username, then it's identifiable
information and I'd have to remove it (then again I'd remove or anonymize it
anyway).

>> To what extent can users be forced to give consent or be denied from a
>> service?

> Here is the phrasing from the GDPR [1]: “the request for consent shall be
> presented in a manner which is clearly distinguishable from the other
> matters, in an intelligible and easily accessible form, using clear and
> plain language.” So in my opinion this is very different that the Cookie Law
> as you must make sure the subject understands for what the consent has been
> given. You should also take a look at Recital 42 and 43 in the beginning of
> the GDPR where they talk about “consent freely given” and they describe also
> an imbalance relation between the controller and the user.

It also describes that "(red. consent) should not contain unfair terms.".
Would forced consent for using information for third party marketing purposes
during an order check-out be 'unfair terms'? I guess "Consent should not be
regarded as freely given if the data subject has no genuine or free choice"
would say it doesn't. It would be nice if such situations/examples with a
(legal) answer would be searchable somewhere.

Would you be allowed to get consent for an all-encompassing 'third party
marketing purposes'? Sounds like that is the thing this law is meant to avoid.

> "for the establishment, exercise or defence of legal claims"

That's a very broad statement. So many loopholes possible there. Just
introduce one law in a foreign, non-EU country that requires you to keep all
personal information for 'assisting in criminal investigations', and you get
to keep whatever you want.

------
Rovanion
Is it just for me the _advisor to the deputy prime minister of a EU country_
does not work?

------
GordonS
Does the GDPR state that all this needs to be automated?

Given how infrequently a small business will get requests to delete, restrict
or export data, is it allowed to just do it manually when requested by email?

~~~
kazen44
The GDPR does not state that it needs to be automated. I assume SMEs will
also not automate this unless they get a lot of requests. Basically all
features that are required by the GDPR are already in most common SME
software.

~~~
GordonS
In that case, the GDPR actually sounds quite positive - I believe users
_should_ be able to request that their data is deleted, and be told in advance
if it's going to be used for anything non-obvious (e.g. training an ML model).

------
marcrosoft
> In this particular case, it applies to companies that are not registered in
> Europe, but are having European customers.

Umm, nope. The EU doesn't have any authority to force companies outside of
the EU to do anything.

~~~
joris
That’s not true. You’re within their scope if you process and/or target EU
citizens.

It might of course be difficult to execute the judgment but they can still sue
you in the EU. In the US that happens also, for example when some stakeholder
sues a foreign website that infringes on their rights. If the sued entity
doesn’t show up in court, they just issue a default judgment (meaning the
plaintiff wins by default). You can even sue a John Doe in court (at least in
the US).

In practice, the EU is also resource constrained like any other government
entity, so you probably won’t have much to fear. I mean they’re not going to
sue millions of companies all over the world, it just means they have created
themselves a new stick that they can choose to use.

I hear that they’ll likely first go after entities that have a big impact on
the public (i.e., the most blatant cases).

