
Ask HN: Small web site owners, how do you deal with the GDPR? - nils-m-holm
I'm running a small, static, non-commercial website (http://t3x.org) and I'm currently investigating options for dealing with the new General Data Protection Regulation, which looks like a minefield to me that opens the door for all kinds of dubious C&D letters.

So far I have thought about:

- contacting a lawyer to work out a proper data privacy statement, but I don't think I can afford this

- deactivating the server logfiles so that the site _really_ does not store any user-related data (is this really safe?)

- shutting down the site (currently most probable)

How do you deal with the situation?
======
vorhalas
Do I understand correctly that your concern is about the logs? You can set up
an Amazon S3 static website, and no logs will be collected, unless you enable
it. The first year is free, and after that it's pennies a month. I use this,
plus Route 53 DNS, and my total bill each month is ~ $0.54 (US), with $0.51
for Route 53.

If you need other options to cut cost, freedns.afraid.org offers free
subdomains under ~68000 second level domains.

------
AlexeyBrin
A few alternatives:

* Move your site to Github, it is free and you get a domain like your_username.github.io. Works great for static websites.

* With less than $100 per year you can buy a .com domain name from a US registrar and a cheap VPS on DigitalOcean or Linode, choose a VPS from US or some other non-European jurisdiction.

* Another free approach, host it on Azure, see [https://buildazure.com/2016/08/25/free-website-hosting-in-mi...](https://buildazure.com/2016/08/25/free-website-hosting-in-microsoft-azure/) for an example.

------
LinuxBender
This is just my own methodology that I have always followed for my own personal
hobby sites, but I don't imagine many people do this, nor would they, nor
should they.

I log access to a ram disk and truncate the logs daily. If I start having
issues that require keeping logs, I rsync to a secure location or rotate until
x percentage of ramdisk is full.

My machines boot up and bootstrap their static content, cgi scripts, etc, from
a git repo over a VPN link. They dynamically format a data volume using a long
random key that I have no knowledge of. The end goal being ephemeral and
cattle. If I need to back up anything in a data volume, I do so over a VPN
link.

Again, this is just my lunatic method and has never been tested in a legal
case. I could argue a thousand reasons to not use my methods and only a few
hundred to use them.

------
detaro
I see your hoster has plans for a data processing agreement, I'd look into
that:
[https://www.manitu.de/unternehmen/eu-datenschutz-grundverord...](https://www.manitu.de/unternehmen/eu-datenschutz-grundverordnung-dsgvo/)
(should be easy enough, and answers on what basis they store your logs)

If your hoster allows you to change what's in the log files you could look into
that too (e.g. don't log full IPs, or delete them after 2 weeks and only keep
unpersonalized access logs longer: right now it's not entirely clear from the
purposes you list why you need to keep IPs at all).

Not sure if you're supposed to have a German version too, despite your site
being in English. (unrelated to GDPR)

~~~
nils-m-holm
I have no control over the log files other than being able to edit and remove
them manually.
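
An added example, not code from any commenter in this thread: one way to apply the retention idea discussed above (keep full IPs for two weeks, only unpersonalized entries after that) when the log files can only be edited after the fact. It assumes the common/combined access log format; the `/24` and `/48` masking granularity and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed common/combined log format: client address first, time in [brackets].
LINE_RE = re.compile(r'^(\S+) (\S+ \S+) \[([^\]]+)\](.*)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(addr):
    """Zero the host part: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "-"  # hostname or garbage: drop it rather than keep it
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def scrub(lines, now, keep_full_days=14):
    """Return log lines with addresses masked on entries older than the cutoff."""
    cutoff = now - timedelta(days=keep_full_days)
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: do not carry unknown data forward
        addr, ident, stamp, rest = m.groups()
        try:
            when = datetime.strptime(stamp, TIME_FMT)
        except ValueError:
            continue  # bad timestamp: age unknown, so the line is dropped
        if when < cutoff:
            addr = mask_ip(addr)
        out.append(f"{addr} {ident} [{stamp}]{rest}")
    return out


# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE = [
    '203.0.113.77 - - [01/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:12::1 - - [02/May/2018:11:00:00 +0000] "GET /a HTTP/1.1" 200 90',
    '198.51.100.9 - - [24/May/2018:09:30:00 +0000] "GET /b HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    print("\n".join(scrub(SAMPLE, now)))
```

Lines that fail to parse are dropped rather than copied through, so an unexpected format cannot leave full addresses in the scrubbed file.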

------
icedchai
I recommend doing _absolutely nothing._ Nobody is going to come after your
obscure personal site.

~~~
nils-m-holm
In Germany, there are lots of shady lawyers that will scrape the net and come
after everyone from whom they can extract a few hundred euros. Sending dubious
C&D's is a viable business model in Germany.

~~~
icedchai
Is it enforceable? If you get a letter in the mail, throw it in the garbage.
They'll move on to easier prey.

~~~
nils-m-holm
It is enforceable. I know a few people who have been in court over things like
this.

