
Open-Sourcing our GDPR Compliance Preparation For Articles 30, 32, and 35 - homarp
https://blog.everlaw.com/2018/03/05/gdpr-compliance-preparation-articles-30-32-35/
======
scrollaway
I found one of the toughest things about GDPR is determining what is or isn't
personal data, when dealing with less common types of data.

R6DB, for example, a video game stats website, decided to shut down [1] due to
unknown territory over whether or not the player account IDs and statistics they
were scraping from official APIs are "personal data". (They have now reversed
their decision to shut down, I believe.)

As soon as you leave the classic Website tracking/Product usage categories,
the definitions get murkier. If I shoot a GDPR data request to eg. Blizzard,
do they have to give me any game/stats history they have on me?

[1] [https://medium.com/@r6db/r6db-is-shutting-down-db1b59b031ac](https://medium.com/@r6db/r6db-is-shutting-down-db1b59b031ac)

~~~
throwaway13456
I'm surprised no one has brought this up (yet). GDPR is super expensive to
remain compliant with, simply because of the broadness of the terms used, leading
to an undefined scope of liability.

As one other HNer previously mentioned, the cheapest way to stay compliant
with GDPR is to completely block access to EU customers. In fact, this is what
I did with my business. I redirect to a generic text file (not even a HTML
that could trigger a GDPR clause by itself) explaining my stance.

Don't worry about false equivalence that many will raise "So, you don't care
about our data HUH?". The intentions behind GDPR may be good. But, the roadmap
seems completely stupid. Many think blocking EU customers is an arrogant move.
No, it's not. Not everyone has the finance and time to comply with GDPR. A
typical re-implementation of our web application will cost us weeks if not
months, for example. That could be time spent building features customers
want, not fighting some vague elitist law (comply with us or else you're
doomed!). If enough business owners block access to EU customers, then, EU
will lose a lot of business and that will trigger them to hopefully do
something about the vagueness of GDPR. I don't even live in EU, for instance,
yet this re-implementation will cost me tens of thousands of dollars
(translating my time) that the EU isn't going to pay me for their vagueness.

I've had enough of GDPR. I know many EU HNers will not agree, but please
consider putting yourself in a solo founder's shoes.

~~~
fcarraldo
If you are a solo founder without any business presence in the EU, or clients
in the EU, you have nothing to worry about. Blocking EU site visitors is
unnecessary, and GDPR covers this in clear language.

What about reimplementing will cost you tens of thousands? That implies you
either have a heavy use of personal data without a legitimate interest or have
significantly misunderstood the requirements laid out in GDPR.

~~~
tripletao
Let's say I operate a website where you can sign up with an email address, and
I'll send you recipes. The recipes call out specific brands of ingredients.
The vendors who sell those brands pay me for this service. I and my server are
in the USA. Additionally:

1. My food vendors operate (a) all only in the EU; or (b) mostly worldwide,
but one operates only in the EU; or (c) all worldwide; or (d) all only in the
USA, but an independent third party imports many of their products into the
EU.

2. My recipes are for (a) only French food; or (b) all kinds of food.

3. My email includes descriptions of the restaurants that originated the
recipes. These restaurants are (a) all in France; or (b) about half in France,
half in New Orleans; or (c) all in New Orleans. (New Orleans is an American
city with strong French influence on its culture, and a francophone minority.)

4. The recipes are distributed in (a) French only; or (b) English and French;
or (c) English only.

5. I advertise my site (a) with a run-of-network ad that shows mostly in the
USA, but also on a French newspaper; (b) on a small blog whose American
operator doesn't track its audience, but that I've heard is popular in France;
(c) not at all, relying on word of mouth.

So I've set out 4×2×3×3×3 = 216 cases. In which of them am I subject to the
GDPR? What factors or combinations of factors are determining? If I asked this
question of two lawyers, how closely would you expect their answers to agree?
What confidence would they express that their answers would agree with the
regulator?

I think the people who think GDPR compliance is easy are saying to themselves,
"If I behave in accordance with these general principles as I understand them,
then the regulator will see me for the good person that I am and I'll be
okay". That may be true, but it's not law.

~~~
scrollaway
You have EU customer emails. You're subject to gdpr in all of them. None of
the factors you suggested matter. Store your emails properly, have unsubscribe
links, answer data requests.

You just gave one of the most straightforward cases...

~~~
tripletao
The post above said:

> If you are a solo founder without any business presence in the EU, or
> clients in the EU, you have nothing to worry about. Blocking EU site
> visitors is unnecessary, and GDPR covers this in clear language.

Do you think this statement is correct or incorrect? If you think it's
incorrect, then why are you interpreting the "clear language" of the GDPR
differently from its poster? (I personally think the statement is either
incorrect or too vague to assess.)

If you think the statement is correct--I presume, because you think that as
soon as an EU visitor signs up, you have a "client" or "business presence" in
the EU--then what meaning does that poster's statement convey? Does it mean
anything more than "blocking EU visitors is unnecessary, as long as you have
zero EU visitors", a true and entirely meaningless statement?

Or are you saying that the email address makes this different from just a
visitor? Even if my server is a typical default configuration that logs time
and IP for each visit? Even if my ad network logs tracking cookies? Even if a
data broker exists somewhere who could map that information to a real name?
Even if I buy that data?

And, for clarity: What about the case where the website (1) calls out only
products with authorized distributors only in the USA, (2) has recipes for all
kinds of food, (3) describes restaurants only in the USA, (4) is in English
only, and (5) isn't advertised makes it subject to the GDPR? The EU says in an
example that:

> Your company is service provider based outside the EU. It provides services
> to customers outside the EU. Its clients can use its services when they
> travel to other countries, including within the EU. Provided your company
> doesn't specifically target its services at individuals in the EU, it is not
> subject to the rules of the GDPR.

[https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en)

Do you agree with this guidance? If yes, what factor constitutes the specific
targeting? Or does the "travel" language mean we exclude only non-EU residents
who temporarily visit the EU? Also EU residents who sign up while in the USA,
but then return home? But not EU residents who sign up while in the EU?

How sure are you that your answer is correct? I get that you're sure that it's
morally right, and complying is always the conservative choice; but what
probability would you assign that an EU court would reach your same
conclusion, that all 216 cases are subject to the GDPR?

And since any suggestion that the GDPR is less than perfect attracts angry
reactions: I am not asking whether it's a good idea to comply with the general
spirit of the GDPR for all visitors worldwide, and I think the answer to that
question is yes. I'm asking what the law says. I think the rule of law is
important, and I'd venture that most people who have lived in countries with
and without it would agree.

~~~
scrollaway
It is correct and it is clear. If you have customers in the EU, gdpr matters.
If you don't, it doesn't. And either way, you should strive to follow it,
because GDPR's rules really are a set of common sense things you should have
been doing all along:

- Store your stuff properly (encrypt sensitive data)

- Allow users to download their data

- Allow users to delete their data

- Have a clear privacy policy

- Offer ways to opt out of marketing

~~~
tripletao
I said explicitly that I'm not trying to debate what's morally right, or good
for business (since I agree that good privacy practices are both of those).
I'm asking what is the law.

> If you have customers in the EU, gdpr matters. If you don't, it doesn't.

Either this is false, or you've adopted an unusual definition of the word
"customer". The email recipients don't give me money, but even I agree that
e.g. if I promote my site with advertisements only on EU sites, and know or
should know that most of my recipients are EU residents in the EU, then it's
relatively clear that I'm subject to the GDPR.

Lawyers care about precision of language, because people's lives are at stake.
It's not useful to discuss legal matters without that precision.

I guess you're certain enough that all my previous examples are subject to the
GDPR that you don't think it's worth discussing why, since you didn't answer
any of my questions. How about:

I. I run the website that (1) calls out only products with authorized
distributors only in the USA, (2) has recipes for all kinds of food, (3)
describes restaurants only in the USA, (4) is in English only, and (5) is
advertised on American newspaper websites; but I take no specific measures to
exclude EU visitors? I think you think I'm subject to the GDPR.

II. Same as I., but I block EU IP addresses?

III. Same as II., but I ask the remaining people if they're subject to the
GDPR, and block them if they say yes?

IV. Same as III., but I require a credit card with an American billing
address?

V. Same as IV., but I require evidence of legal American residence (e.g., a
scan of a US passport or visa)?

Are you able to answer these questions? Or does it just not bother you that
you can't, because compliance with the GDPR serves a purpose you agree with?

What do you understand by the phrase "rule of law"? Do you think it's
important? Hungary is an EU country. Its prime minister has described George
Soros, the founder of the Open Society Foundation, as an "enemy of the state".
If you ran an organization publicly associated with the OSF in Hungary, then
how would a notice of a GDPR investigation from your government make you feel?
Wouldn't you feel better if the rules gave the regulator less room to
maneuver?

~~~
icedchai
Here's what I would do: Nothing. You're in the USA. Your site is in the USA.
Don't worry about it. If you receive any undesired correspondence about the
GDPR, treat it like you would any other junk mail.

------
hodgesrm
Thanks for posting. This does not look all that different from PCI compliance,
though the scope of data involved is larger and as others have observed
there's some ambiguity about coverage that will need to be worked out in
practice.

Editorially speaking I'm glad to see this emerge even though it means more
work for me personally. If anything some of the fines seem too low. (I'm
looking at you, Equifax.)

~~~
zerostar07
Speaking of which, how would the Equifax breach have been affected by GDPR ?
My understanding is that they had legitimate reason to request and store that
data, and GDPR is not some magic tool that prevents breaches.

~~~
hodgesrm
I'm just a beginner on the GDPR but here's a few things I got out just of the
Everlaw link.

1.) Protect the data with methods corresponding to the risk level (Articles 32
and 35)

2.) Enable users to erase, correct, or transfer data at will (Article 15)

3.) Enable users to consent to use of their data in the first place (Article
15)

So yes, it seems it would have been quite applicable.

~~~
jdietrich
Also:

4.) Notify the supervisory authority of any data breach within 72 hours
(Article 33)

5.) Notify the subject of any data breach without undue delay (Article 34)

And the broader issue of remedies and penalties in Chapter 8.

------
michaelbuckbee
TL;DR: It's a spreadsheet to help you list out what personal data you keep in
your organization, who has access to it, how it's secured, how long you plan
on keeping it and what you intend to do with it.

MORE: I'm not trying to be dismissive, it's great! And whether or not you're
going full-on trying to get GDPR compliant or not, it's _really_ hard to think
of a scenario where taking the time to think and document your data handling
and security isn't a net positive for the security posture of your
application.

When you dig into the GDPR [1] you find that a lot of it is like this: common
sense stuff that you'd hope everyone was doing already, but apparently aren't.

- Tell people what you're going to do with their data

- Don't do other stuff with it than what you told them

- Keep it secure

- Don't give it to other companies that might do things with it you didn't
tell people about

- If you lose control of it in a data breach: tell them

- If they ask you for their data, give it to them

- If they ask you to delete their data, delete it

1 - [https://blog.varonis.com/gdpr-requirements-list-in-plain-english/](https://blog.varonis.com/gdpr-requirements-list-in-plain-english/)

~~~
rdlecler1
It's the implementation that is difficult. For example, if someone wants their
data deleted I need to go delete all of the email correspondence, I need to
delete them from applications like Google Analytics. If I follow them on
Twitter or interacted with them on Twitter I need to delete those posts. Oh and
then there are backup archives that I now need to scrub. The point is, a
lot of data is not well assembled and cleaned for deletion, which is why data
analytics on your existing data is so hard in the first place!

~~~
Matticus_Rex
And the difficulty can rise exponentially if you have a giant stack that
wasn't designed with GDPR in mind (though it may be totally benign in its risk
towards data subjects) and which cannot be easily disentangled to comply with
some of these requirements.

~~~
linker3000
Opinion on the matter:

"The GDPR however does make a small concession to companies in this case: the
steps they need to take in this direction are limited to the available
technology and the cost of its implementation. Organizations must take
reasonable measures to ensure processors are aware of the request, but will
not be at fault if the data is not completely erased by third parties."

[https://www.endpointprotector.com/blog/gdpr-essentials-the-right-to-erasure-who-can-request-it-and-how-is-it-applied/](https://www.endpointprotector.com/blog/gdpr-essentials-the-right-to-erasure-who-can-request-it-and-how-is-it-applied/)

~~~
Matticus_Rex
The vagueness there is the problem. I know how I would decide if it were up to
me, but if a supervisory authority comes calling, that's just my argument, and
they almost certainly have a preset opinion about what is reasonable.

------
jiveturkey
> _We are sharing this with anyone who wants to use it! Why?_

[Their answer amounts to "because".]

Because they've gotten all the internal value out of it, and now with the
deadline here, they can get maximum value out of it by "open-sourcing". Sorry
to be so cynical, I'm so sick of this style of embedded advertisement.

That said, I do rather like the simple format of their template. Although
their handling of "security" is too thin to be useful in any way, I will
otherwise integrate their templates into our current documentary processes,
which are awful by comparison.

------
jv22222
Let's say you're a small bootstrapped Indie Hacker style SaaS.

You have a few hundred customers and maybe 10 of those are in Europe.

Would that company need to worry about complying? How much should they worry?

~~~
coreyoconnor
Regardless of the size of organization, GDPR applies. In particular, note the
section "Right of Access":

* [https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Right_of_access](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Right_of_access)

Which requires the organization to supply information about use of personal
information. This will have an operational overhead regardless of scope of
Personal Information used.

For a worst-case (hopefully impossible) variant of what this request looks
like: [https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/](https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/)

Oh please somebody correct me if I'm wrong. Otherwise that's a silly amount of
operational overhead for bootstrapping. Even for systems designed from the
start to not use personal data: The org would still need to handle a rather
detailed and costly administrative request.

~~~
jv22222
Wow that article is scary. Even worse would be "remove all my data from all
your backups".
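One engineering answer to the "scrub the backups" problem raised in the two comments above, as an added example (neither commenter proposed it, and it is not code from Everlaw's template): encrypt each data subject's records under a key that belongs only to that subject, keep backups as ciphertext, and honour an erasure request by destroying the key ("crypto-shredding") instead of rewriting every archive. The key vault, record store and the sample record are constructed for the demo; the HMAC-SHA256 counter-mode cipher is a stand-in for AES-GCM from a real crypto library, chosen only so the block runs on the standard library.

```python
"""Crypto-shredding demo (constructed example): one key per data subject, so
deleting the key makes every ciphertext copy, live or in a backup, unreadable."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


class KeyVault:
    """One random 256-bit key per subject. Assumption: a real deployment keeps
    this in a KMS/HSM whose own backups are excluded from the data snapshots."""

    def __init__(self):
        self._keys = {}

    def get_or_create(self, subject_id):
        if subject_id not in self._keys:
            self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]

    def get(self, subject_id):
        return self._keys[subject_id]  # KeyError once the key has been shredded

    def shred(self, subject_id):
        self._keys.pop(subject_id, None)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (demo cipher only;
    use AES-GCM from the `cryptography` package in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    # Separate encryption and MAC keys derived from the subject key.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RecordStore:
    """Live table plus immutable backup snapshots; both hold ciphertext only."""

    def __init__(self, vault):
        self.vault = vault
        self.rows = {}
        self.backups = []

    def put(self, subject_id, record):
        self.rows[subject_id] = encrypt(self.vault.get_or_create(subject_id), record)

    def snapshot(self):
        self.backups.append(dict(self.rows))  # copies ciphertext, never keys

    def read(self, subject_id):
        return decrypt(self.vault.get(subject_id), self.rows[subject_id])

    def erase(self, subject_id):
        """Honour an erasure request: drop the live row and shred the key."""
        self.rows.pop(subject_id, None)
        self.vault.shred(subject_id)

    def recover_from_backup(self, index, subject_id):
        """What restoring backup `index` reveals: plaintext, or None once shredded."""
        blob = self.backups[index].get(subject_id)
        if blob is None:
            return None
        try:
            return decrypt(self.vault.get(subject_id), blob)
        except KeyError:
            return None


def demo():
    store = RecordStore(KeyVault())
    store.put("user-42", b"alice@example.com")  # constructed sample record
    store.snapshot()                             # nightly backup taken
    before = store.recover_from_backup(0, "user-42")
    store.erase("user-42")                       # erasure request arrives later
    after = store.recover_from_backup(0, "user-42")
    return before, after


if __name__ == "__main__":
    print(demo())  # (b'alice@example.com', None)
```

The caveat a practitioner will want: this only works if the key store is never included in the same backup set as the data, and if whatever retention the KMS itself has is shorter than the erasure deadline; otherwise a key restore reverses the erasure.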

------
jacquesm
Very happy to see this made public, the focus on data life-cycle management is
a good one and it is actionable which makes it even better.

------
Radim
Before _"Who owns and controls the personal data we collect?"_, there has to
be _"What personal data do we keep, in actual reality?"_

That is, personal data discovery.

Emails, archives, cloud storages… it can be hard to be sure when relying on
just human introspection or wishful thinking. Especially for larger
organizations.

Automated discovery tools help -- we built pii-tools.com, an AI-assisted tool
to locate personal information across corporate assets. If you're having
trouble filling in spreadsheets like this with actual data, get in touch
(contact in profile).
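Discovery of the kind the comment describes, as an added example that is not pii-tools.com's code nor Everlaw's template: a scanner run over a set of constructed "assets" (a support mail, a web log, a CSV export, release notes) that validates each candidate before reporting, Luhn for card numbers and octet range for IPv4, so an order number or a version string is not inventoried as personal data, and that records only redacted values so the findings report does not become one more copy of the PII. The asset paths and contents are made up for the demo.

```python
"""Personal-data discovery over constructed sample assets (added example)."""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # digits with optional space/hyphen groups


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str      # never the raw value: the report must not leak what it found


def luhn_ok(digits):
    """Luhn checksum; rejects most numeric strings that merely look like cards."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def valid_ipv4(value):
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def redact(kind, value):
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if kind == "card":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]
    return value.rsplit(".", 1)[0] + ".x"        # ip: drop the last octet


# (kind, pattern, validator) in the order findings are reported per line
PATTERNS = (
    ("email", EMAIL_RE, lambda v: True),
    ("card", CARD_RE, lambda v: luhn_ok(re.sub(r"\D", "", v))),
    ("ip", IPV4_RE, valid_ipv4),
)


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern, validate in PATTERNS:
            for m in pattern.finditer(line):
                if validate(m.group(0)):
                    findings.append(Finding(path, lineno, kind, redact(kind, m.group(0))))
    return findings


def scan_assets(assets):
    """assets: mapping of path -> text (stand-in for walking mail stores, logs, exports)."""
    return [f for path, text in assets.items() for f in scan_text(path, text)]


# Constructed sample assets; the last two are deliberate false-positive bait.
SAMPLE_ASSETS = {
    "mail/support/2018-02-ticket-881.eml":
        "From: alice@example.com\nRe: refund for card 4111 1111 1111 1111\n",
    "logs/nginx/access.log":
        '203.0.113.7 - - [05/Mar/2018:10:00:00 +0000] "GET /recipes HTTP/1.1" 200\n',
    "exports/orders.csv":
        "order_id,total\n1234 5678 9012 3456,19.99\n",      # fails Luhn: not a card
    "build/release-notes.txt":
        "Version 2.3.1 fixes 999.1.1.1 parsing\n",           # octet > 255: not an IP
}


if __name__ == "__main__":
    for f in scan_assets(SAMPLE_ASSETS):
        print(f"{f.path}:{f.line}\t{f.kind}\t{f.redacted}")
```

Feed it real assets by replacing `SAMPLE_ASSETS` with a walk over the mail store, log directory and export buckets; the output is the evidence column for the "what personal data do we keep" row of a register like Everlaw's.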

