
Ask HN: How to comply with EU GDPR? - bruinjoe
My application needs to store the user's first name, last name, and email address to customize the user's experience.  Europe's new General Data Protection Regulation (GDPR) law requires that the application not store any data that can identify the user.  Any suggestion how the application can comply with the law but also retain the customization based on an individual user?
======
termsfeed
GDPR allows you to store user data. It just adds more requirements about the
collection, usage and sharing of user data.

For example, it emphasizes getting proper consent from users ("active
consent"). You can find examples of this under the name "clickwrap", which is
the "I agree to..." type of checkbox [1]. There are also additional
requirements to keep in mind for your app [2]:

- You need to disclose data retention (how long are you planning to retain
user data)
- User choices
- Disclosing if you're the data controller or data processor
- Disclosing the data processors you work with (Google Analytics, Mixpanel)

[1] https://termsfeed.com/blog/browsewrap-clickwrap/

[2] https://www.slideshare.net/termsfeed/gdpr-privacy-policy

------
mtmail
You're allowed to store personalized information. The GDPR is about getting
consent from the user (active opt-in), documenting how you use the data
(including with whom you share it), giving the user an option to request any
information you store about them, and deleting that data after use (e.g. when
a user cancels their account).

------
billconan
How will EU enforce it? Say I run a small forum website from the States. Will
they censor it if I don’t comply?

As much as I want to comply with it, I found it's difficult to comprehend its
requirements and translate them into concrete code.

~~~
nynno
They have the mechanisms to force (EU) law compliance; so far big enterprises
(e.g., Amazon, Facebook, Google, ...) have been fined billions of EUR,
even though these companies are from the States. I believe that micro/small
businesses, if not inside the EU, can go under the radar.

However, GDPR is so big, and it's here to stay, and my opinion is that it will,
in the years to come, change the way companies handle personal data, not only
for EU citizens.

One interesting aspect of the GDPR is that you, for example, as a processor,
must be compliant so that I, as a controller, will work with you. If you think
about that, it will soon be evident that GDPR compliance can be strictly a
business decision, like ISO certification.

