
GDPR guide for developers - homarp
https://www.cnil.fr/en/cnil-publishes-gdpr-guide-developers
======
BeniBoy
I think the "Prepare for the exercise of people’s rights" part is critical.

If you are a software architect, you need to ask yourself: can I delete a
single user's data across all my infra easily? If not, you might be in trouble a
couple of years later when you are hit with thousands of deletion requests and
technically can't honor them.

Another side of tech debt I guess!

~~~
abraae
One thing about GDPR that I've never heard answered convincingly - when a user
requests deletion of all of their personal data, does that include also any
history of the deletion request itself?

~~~
keerthiko
The focus of the spirit of GDPR is PII at its core. Communications with the
user such as email exchanges, transaction records, etc. are fine to preserve as
long as all PII has been scrubbed and is dissociated from the user.

~~~
M2Ys4U
Not "PII", personal data.

PII is a US legal term and means precisely nothing in the context of the GDPR.

~~~
abraae
If you remove PII, then whatever you are left with is no longer personal data.

~~~
valesco
No, the GDPR's definition is broader and has been in use in EU privacy
regulations for a decade prior. It's every piece of information that can be
linked to an individual, even indirectly.

~~~
abraae
Exactly - when you remove all PII, you are left only with data that cannot be
linked to the individual, even indirectly.

------
slx26
Hope it's not off-topic: what I still don't understand is how with regulations
like this an OS like Windows can get away with the things it does. I mean,
maybe there's some legal reason, but my common sense can't process it.

~~~
cryptica
This is because the real purpose of GDPR is to prevent small startups with few
financial resources and no legal team from being able to compete with big
corporations with limitless financial resources and top legal teams.

This is part of a broader strategy by corporations to create an economic
environment which smothers startups before they can even get started. Saves
them acquisition costs later.

When politicians get out of office, they have a nice highly paid corporate job
waiting for them.

As governments keep introducing more regulations, eventually everyone in the
world will be breaking some kind of law whenever they do anything at all. That
will allow governments to selectively imprison anyone who is working against
the personal interests of the political and financial elite.

~~~
CamouflagedKiwi
This seems like a great case for Hanlon's razor ("Never attribute to malice
that which is adequately explained by stupidity"). Rather than a huge high-
level conspiracy between corporations and government, it seems much more
likely that the people drafting the law just didn't realise (or didn't care)
how much impact it would have on small companies.

~~~
Mirioron
I think it's likely that some EU politicians saw how bad the data retention
act was and how it'll only be getting worse. They decided to do something
about it, but when it came time to put down the details companies got involved
and the end result helps those companies without most of the politicians
noticing. I'm sure a decade from now they'll be confused about how the EU is
still lagging behind in tech.

This isn't the first time the EU has done something that screws small
businesses. VAT on digital goods was another case (there was no minimum
threshold). At some point it'll start to seem intentional.

~~~
vertex-four
Define "tech". I'm working on a tech company which does something novel and
important and have no issue complying with the GDPR - I'm aware of what data
I'm processing, and what third parties I'm integrating with. I don't store or
process data in ways that aren't necessary for the use of my software. I make
a copy of data that I need to keep for legal/liability audit purposes into a
separate system, where there's a cron job which deletes it after it's
unnecessary. Deleting a user's data is as simple as DELETE FROM users WHERE id
= ?, and I'm happy to do that because it means one fewer user's data which
might be accessed in a security breach. I don't need a GDPR consent dialog or
a cookie popup, because I don't do anything which needs either of these - I
don't have any cookies aside from a login cookie, and I don't process data in
unnecessary ways. I have a document which specifies what data I store and what
I use it for, from which I can derive a privacy policy.

So... define "tech". If you mean "adtech", say that.
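
BeniBoy's question above (can one user's data be deleted across every store?) and the single-DELETE plus cron purge just described, as an added Python example with sqlite3. This is constructed here, not the commenter's code; the schema, the separate audit table and the 30-day retention period are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed schema: every table holding a user's data references users.id with
# ON DELETE CASCADE, so one DELETE on users reaches all of it. The audit copy is
# deliberately not linked to users and is purged by date instead.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE orders (id INTEGER PRIMARY KEY, amount_cents INTEGER, user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE audit_copy (id INTEGER PRIMARY KEY, record TEXT, delete_after TEXT);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores cascades without this
    conn.executescript(SCHEMA)
    return conn

def store_audit_copy(conn, record, now, retention_days):
    """Copy a record into the separate audit store with its own deletion date."""
    with conn:
        conn.execute("INSERT INTO audit_copy (record, delete_after) VALUES (?, ?)",
                     (record, (now + timedelta(days=retention_days)).isoformat()))

def delete_user(conn, user_id):
    """Honour a deletion request with one statement; the cascade does the rest.
    Returns rows per linked table still referencing the user (expected 0)."""
    with conn:
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE user_id = ?",
                            (user_id,)).fetchone()[0] for t in ("sessions", "orders")}

def purge_expired_audit(conn, now):
    """The cron job: remove audit copies whose retention window has passed."""
    with conn:
        cur = conn.execute("DELETE FROM audit_copy WHERE delete_after <= ?", (now.isoformat(),))
    return cur.rowcount

def demo():
    conn, now = open_db(), datetime(2020, 1, 1)
    with conn:
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [(1, "alice@example.com"), (2, "bob@example.com")])
        conn.execute("INSERT INTO sessions VALUES ('tok-a', 1)")
        conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(10, 4200, 1), (11, 999, 2)])
    store_audit_copy(conn, "order 10 paid 42.00 EUR", now, retention_days=30)
    leftovers = delete_user(conn, 1)
    users_left = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    early = purge_expired_audit(conn, now + timedelta(days=10))
    due = purge_expired_audit(conn, now + timedelta(days=30))
    return leftovers, users_left, early, due
```

A table added later without the REFERENCES ... ON DELETE CASCADE clause silently breaks the "one statement" property, which is why delete_user reports leftovers instead of assuming zero.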

~~~
Mirioron
So what do you do when you need to fix a bug and need logs and other
information from users? How do you track all of that data on developer
machines? How does your system delete data from all backups? Do you have an
automated system a user can request all their data from? How do you validate
that they are who they say they are? How sure are you that all your processes
are legally enough? How much did all of this cost?

I do mean tech. An industry tends to breed more of the industry. Adtech is
part of tech and a lot of online businesses rely on ads. If you remove that
you also remove a large chunk of people that would work on this type of tech.
Then some of them instead end up working for some US company. Europe has a
much larger population than the US. Europe is largely as educated as the US.
Where's our Microsoft, Apple, Google, Amazon, Samsung, Sony etc? We have SAP
and that's it.

Edit: I like the idea of GDPR, but I cannot stand how people think it has no
cost. A large portion of the internet relies on the ad industry.

~~~
vertex-four
To answer your edit - advertising does not imply individual user tracking
without consent. There was and continues to be advertising without individual
user tracking. There are also _plenty_ of businesses that are able to start up
without relying on advertising for income at all.

There's a cost to _not_ having the GDPR - that of our individual privacy.

------
luch
Sheet #16 about cookies and third-party trackers is quite interesting:

    
    
        ## To benefit from the exemption from consent
        
        **Subject to a number of conditions**, cookies used for audience measurement are exempt from consent.
        **These conditions, as specified in the [guidelines on cookies and other trackers](https://www.cnil.fr/en/cookies-and-other-tracking-devices-cnil-publishes-new-guidelines), are**:
            * To inform users of their use;
            * To give them the ability to object to their use;
            * To limit to the following purposes only:
                * audience measurement;
                * A/B testing;
            * Not to cross-check the data processed with other processing (customer files, statistics on visits to other sites, etc.);
            * To limit the scope of the tracer to a single site or application editor;
            * To truncate the last byte of the IP address;
            * To limit the lifetime of the trackers to 13 months.
        
        Provided that the conditions are met, **we therefore switch from an opt-in to an opt-out regime**.
        It is also possible for the same third party (subcontractor) to provide a comparative audience measurement service to multiple publishers, provided that **the data is collected, processed and stored independently for each publisher and that the trackers are independent of each other**.
        
        ## In practice
        
        **Most large audience measurement offerings do not fall within the scope of the exemption, regardless of their configuration**.
    
    

That's what I thought: when websites welcome you with a giant popup "Manage
your consent" with a gazillion third-party trackers all opt-in (and you need
to disable them one by one), they are actually not GDPR-compliant.
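
The exemption conditions quoted above, as an added Python example (constructed here, not CNIL's or the commenter's code): the last byte of the IP is zeroed before storage, the tracker cookie lifetime is capped at 13 months, and hits outside the allowed purposes or the single-site scope are refused. Applying the last-byte rule to IPv6 and the shape of the hit dict are assumptions.

```python
import calendar
import ipaddress
from datetime import date

# Constructed example of the exemption conditions from Sheet #16; not CNIL's code.
EXEMPT_PURPOSES = {"audience_measurement", "ab_testing"}

def truncate_ip(ip_text):
    """Zero the last byte before the address is stored. The sheet says 'last
    byte'; applying the same rule to IPv6 is this example's assumption."""
    raw = bytearray(ipaddress.ip_address(ip_text).packed)
    raw[-1] = 0
    return str(ipaddress.ip_address(bytes(raw)))

def lifetime_cap(set_on):
    """Latest allowed expiry: 13 months after the day the tracker is set."""
    m = set_on.month - 1 + 13
    year, month = set_on.year + m // 12, m % 12 + 1
    day = min(set_on.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def cookie_max_age(set_on, wanted_expiry):
    """Max-Age in seconds for the tracker cookie, never beyond the 13-month cap."""
    expiry = min(wanted_expiry, lifetime_cap(set_on))
    return (expiry - set_on).days * 86400

def store_hit(hit, site_domain, set_on, wanted_expiry):
    """Turn a raw analytics hit (a constructed dict) into the record that may be
    kept under the exemption, or return (None, reason) when it falls outside it."""
    if hit["purpose"] not in EXEMPT_PURPOSES:
        return None, f"purpose {hit['purpose']!r} is not covered by the exemption"
    if hit["site"] != site_domain:  # scope limited to a single site/app editor
        return None, "tracker scope must stay within a single site or app editor"
    # No customer id or cross-site field is kept, so nothing can be cross-checked.
    record = {"site": hit["site"], "purpose": hit["purpose"], "page": hit["page"],
              "ip": truncate_ip(hit["ip"]), "cookie_max_age": cookie_max_age(set_on, wanted_expiry)}
    return record, None

def demo():
    """Worked run on a constructed hit; returns values a test can check."""
    set_on, wanted = date(2020, 1, 1), date(2022, 1, 1)  # site asks for 2 years
    hit = {"site": "example.org", "purpose": "audience_measurement",
           "ip": "198.51.100.9", "page": "/pricing"}
    kept, _ = store_hit(hit, "example.org", set_on, wanted)
    _, reason = store_hit(dict(hit, purpose="ad_targeting"), "example.org", set_on, wanted)
    return lifetime_cap(date(2020, 1, 31)).isoformat(), kept, reason
```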

~~~
Semaphor
Yeah, barely anything is compliant. Though I’ve recently encountered a bunch
of sites that are, so maybe things are slowly changing.

~~~
alkonaut
What is the largest GDPR fine yet for a violation specifically about website
consents?

I have seen some large fines but all seem to be of "backend" violations. It
would be nice if there could be a handful of large high profile sites given a
huge fine for having one of those annoying popups with everything opted in.

There seem to be companies _selling_ blatantly noncompliant GDPR popup tech
too. That has got to be the most snake oil thing ever.

~~~
sgift
> What is the largest GDPR fine yet for a violation specifically about website
> consents?

200 million for British Airways according to
[https://www.enforcementtracker.com/](https://www.enforcementtracker.com/)

~~~
Semaphor
Different type than what OP asked for.

> The ICO’s investigation has found that a variety of information was
> compromised by poor security arrangements at the company, including log in,
> payment card, and travel booking details as well as name and address
> information.

~~~
sgift
My bad, misread the reason. I looked for cookie and it seems to be 30k then to
Vueling airlines:

> (...) for not giving users the ability to refuse their cookies and force
> them to use them if they want to browse its website. In other words, it was
> not possible to browse the Vueling page without accepting their cookies.

~~~
Semaphor
Nice find. There are 3 others related to cookies, seems only Spain is going
after them so far and only after the violators who don’t even pretend to be
compliant. I think some of those were already violating the GDPR’s
predecessor.

------
underdeserver
Skimming, looks like a lot of these are generally good ideas regardless of
GDPR. For instance:

"Assess the value of adding each dependency. Some commonly used software
bricks are only a few lines long. However, each added element is an increase
in your system’s attack surface. In the case where a single library offers
several functionalities, integrate only the functionalities you actually need.
By activating the minimum number of functionalities, you reduce the number of
potential bugs that could occur."

The context is that an external library can mishandle personal info, but this
is true even if you didn't care at all about security and privacy.

------
akerro
There are also these quality things I bookmarked:

[https://gdpr.algolia.com/](https://gdpr.algolia.com/)

[https://gdpr.eu/](https://gdpr.eu/)

[https://techblog.bozho.net/gdpr-practical-guide-developers/](https://techblog.bozho.net/gdpr-practical-guide-developers/)

------
fbn79
100% of our customers would not accept the costs of strictly following these
requirements. They are for sure good advice, but not very practical in
everyday web dev life.

~~~
skrebbel
This site was made by an agency that sells privacy and compliance services. It
is in their direct interest to sell the GDPR as an extremely complex problem
that you need their help with solving.

Laws are generally complex, GDPR isn't really special in that sense; it's just
newer than the rest. You can probably draft a similarly complex 16-page
document for your country's/state's employment laws too, but that doesn't mean
you need to work through all of that mess when hiring your startup's first
five employees.

In reality, if you honor user data deletion requests, don't track people
without asking (with easy "no"), and follow proper modern security practices,
you're already _so_ far ahead of the majority of tech businesses wrt the GDPR
that you're good. Or at least, that's my impression.

~~~
homarp
cnil is
[https://en.m.wikipedia.org/wiki/Commission_nationale_de_l%27informatique_et_des_libert%C3%A9s](https://en.m.wikipedia.org/wiki/Commission_nationale_de_l%27informatique_et_des_libert%C3%A9s)

Its name in French means 'National Commission on Informatics and Liberty'; it
is an independent French administrative regulatory body whose mission is to
ensure that data privacy law is applied to the collection, storage, and use of
personal data. Created in 1978. National data protection authority for France.

~~~
skrebbel
Thanks! I was wrong about that one.

------
thrwawayn
HN is not GDPR compliant. There's no way to get your account deleted. There
are only anecdotal stories of someone getting it done via email and those are
countered by claims of others of no success.

~~~
anoncake
Does HN specifically cater to EU residents in any way?

~~~
utdiscant
Does that matter? As long as you collect data from EU residents, such as an
email, then you have to comply. That is at least how I understood it, is that
not the case?

~~~
anoncake
It does, see recital 23: [https://gdpr-info.eu/recitals/no-23/](https://gdpr-info.eu/recitals/no-23/)

~~~
tpxl
YCombinator does business in Europe, so yes, they do cater to EU residents.

~~~
anoncake
That might not mean that all its activities fall under the GDPR though.

------
pamperson
GDPR is a massive inconvenience. In theory it sounds good, in practice you
just have to click an annoying number of accept buttons. There should have
been more debate around this set of rules, not just a top-down diktat that is
disconnected from reality.

~~~
sveme
You misunderstand policy making. A lawmaker is not (and should not be)
interested in providing a way of how to _implement_ things, but how things
_should be_; they are only providing the normative side. The executive and
judicative branch of the state then specifies how things should be
implemented.

Most GDPR implementations that are so annoying are actually wrong.

~~~
Semaphor
Are there annoying ones that are compliant?

~~~
di4na
Nope. If it is annoying, then it is not an informed consent acceptable opt-in
because you are pushed into accepting to make it go away.

