
How GDPR Will Change The Way You Develop - _petronius
https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
======
agar
While this article is interesting, I strongly encourage anyone - from CEOs, to
managers, to individual developers - to actually read the text of the GDPR.

This is not written in unintelligible legal-ese. It is very approachable,
understandable by a layman, and organized such that relevant Articles are easy
to find.

It might take an hour or two, yet may have a fundamental impact on how you
approach your job for the foreseeable future. Time very well spent.

Here is an accessible version of it: [https://gdpr-info.eu/](https://gdpr-info.eu/)

EDIT: for clarity, that site is accessible from an organizational point of
view (i.e., broken out by articles, not one long string of text). I do not
know if it is accessible by screen readers or alternate input devices.

~~~
ec109685
If you work for a big company and are not a lawyer, you should listen to your
lawyers and not try to interpret the law yourself. There are pitfalls and
misunderstandings you will run into otherwise. If your company is large enough,
they should meet with privacy regulators and work with them to show them
implementation decisions and make sure the regulators are in alignment with
the approach taken.

------
aeorgnoieang
What's troubling to me is that it's very unclear what _specifically_ is
required. I know the linked post isn't legal advice, but in the page about
'privacy by design' linked to by the origin link, they list "Minimize the
amount of collected data" as an item (supposedly to be achieved to be in
compliance with the law).

What's the minimum amount of data? Who decides that? Is it dependent on
context? I'd hope so!

Can any site just 'do an end run around' the law by requiring their users to
agree to allow them to collect whatever data they collect now or that they've
already collected? If so, that seems like it'd likely be as helpful as current
terms of service.

Another item mentioned is "Where possible, pseudonymize personal data.".
What's a practical example of that?

Yet another item – "Don’t enable social media sharing by default.". Is the
thinking that users shouldn't be able to share something via social media
without first explicitly enabling that option? That just seems unfriendly. Or
is the idea that doing so protects someone from doing so accidentally? This
seems a lot like the 'cookie law', itself an annoying mandated nagging that
probably backfired (because everyone was effectively trained to just do
whatever necessary to get rid of the corresponding notification on every site
they visited).

Again from the privacy-by-design page:

> There is no checklist of ready-made questions that will get you there;
> General Data Protection Regulation requires developers to come up with the
> questions as well as the answers.

That's a really unsettling description of a _law_.

~~~
lmkg
> ...they list "Minimize the amount of collected data" as an item
> (supposedly to be achieved to be in compliance with the law).

> What's the minimum amount of data? Who decides that? Is it dependent on
> context? I'd hope so!

The GDPR says when you collect data, you have to tell the user what you intend
to use it for. "Minimization" applies within the context of those stated uses.
So if your business purpose is to mail something to the customer, full
physical address is OK to collect. If your business purpose is to help them
find a nearby store location, you may be expected to collect something less
granular like ZIP code or metro area, depending on how many locations you
have.

As a corollary, if you can't link a piece of data to a business use, you
shouldn't be collecting it. This was a good idea before, but GDPR makes it
more relevant.

Note that this is similar to the ethical guidelines for medical research.
"Harm Minimization" is a central pillar of ethical research. Harm, and risk of
harm, is acceptable, but there is an affirmative duty to seek the least-harmful
means of achieving your goal from those available.

> That's a really unsettling description of a law.

That's how HIPAA works, actually. I have a professor who argues this model of
legislation is more effective than traditional sector-specific regulation,
because it puts the onus of subject-matter expertise onto the people who are
actually subject-matter experts, and because it allows for creative and
adaptive solutions.

~~~
dominotw
My company seems to be going on an encrypt-everything spree. I am not sure how
GDPR requires encryption.

Can you be GDPR compliant (in theory) with zero encryption?

~~~
Radim
Of course—if you don't store personal data (trivially).

In fact, encryption (security) is mostly orthogonal to how you track and
handle personal and sensitive data (privacy protection). You could encrypt
everything and still be wildly GDPR non-compliant, if the encrypted
information you're storing lacks clear purpose and explicit consent.

~~~
wglb
To further emphasize your point _You could encrypt everything and still be
wildly GDPR non-compliant_, we need to be able to respond to a request by
each and every individual user to delete the information that they no longer
wish us to carry.

~~~
gnud
... unless you actually need that data (billing for past services, keeping
records as required by law, etc).

------
mfoy_
> GDPR will require developers to know the legal and policy landscape of their
profession. (This has been the norm for other fields for centuries: how
embarrassing for us.)

Favourite takeaway.

~~~
aeorgnoieang
I thought that was needlessly snarky. I'm pretty sure other fields rely on
lawyers to know the relevant legal landscape just like we do.

~~~
mfoy_
No. Professionals in engineering or the trades have to know the regulations
that govern their industry and abide by them.

What many SVers call "innovation", other industries would call "reckless".

How embarrassing for us!

EDIT: In terms of regulation, we're practically chiropractors.

~~~
sbov
The comparison is disingenuous. The internet makes anything you build
automatically global. You're blasting software engineers for not knowing
worldwide regulations. How many New York lawyers know the regulations of
France? How many local UK construction companies know the building codes of
Japan? None.

Knowing all regulations in the world for any given industry would be a full
time job. The people you seem to be implying exist do not exist.

~~~
floatrock
> How many New York lawyers know the regulations of France?

New York lawyers _who do business in_ France do.

If you're accepting ~dollars~ euros to place French ads on your pages
targeting French customers, seems reasonable to know the relevant French
regulations.

~~~
freeone3000
It's a bit more strict than that. If I have customers in France, this affects
me, no matter how many, no matter if it's one dude in Florida who happens to
also be French. The reach is absurd.

~~~
jopsen
Is the reach more absurd than what US courts claim?

~~~
wyager
The worst transgressions of US courts shouldn’t be the standard we aim for.

~~~
jopsen
Fair point!

------
whack
Suppose you were a small startup based in America, accepting online payments
from users/advertisers using American platforms or financial institutions.
Suppose you make no effort to comply with GDPR - what realistic consequences
can you face?

I suspect that this is the kind of thing which larger/established companies
would worry about. If you're a seed/series-A startup, it seems like you have
far more important things to focus on, because there's nothing that the EU can
realistically do to you anyway.

~~~
estel
If your company is not targeting the EU as a market you are out of scope of
GDPR.

If you explicitly accept Sterling/Euros, provide localisations for EU
countries, talk explicitly about your EU shipping options etc. then you would
probably be seen as accommodating the EU market and might find yourself in
scope.

~~~
wglb
Consider the case of an EU citizen traveling in the US, transacting in USD.
This person is covered. Even if they are in the US.

~~~
wuliwong
This is exactly what I was coming to HN to query about. Without some agreement
with the US federal government, I don't believe they would have any mechanism
of enforcement that would affect your business in the U.S. I imagine they
could do something like block your site from EU IP addresses but nothing like
coming after you or your company for damages.

~~~
freeone3000
This sort of argument is like saying you can commit murder then flee to
Algeria, and the US will have no mechanism of enforcement. It's true, but
heaven help you if they figure some mechanism out.

------
chacham15
Is it just me or does this article manage to give advice while saying nothing
at all about what is required?

For example:

> The first half is the General Data Protection Regulation (GDPR), which
> becomes enforceable across Europe on 25 May 2018. This is an overhaul,
> modernization, and replacement of the existing framework, the Data
> Protection Directive of 1995 (yes, 1995.)

> All of the existing principles from the original Directive stay with us
> under GDPR. What GDPR adds is new definitions and requirements to reflect
> changes in technology which simply did not exist in the dialup era. It also
> tightens up requirements for transparency, disclosure, and process: lessons
> learned from 23 years of experience.

It's talking about the new definitions and requirements, but says nothing
about what they are!

~~~
jacquesm
You could simply go and read the GDPR text. It's actually ok. Compared to say
the Verified-by-VISA spec :)

~~~
e12e
Aye. There's a nicely formatted version (non-official, hosted by a consulting
company) at:

[https://gdpr-info.eu/](https://gdpr-info.eu/)

I also suggest reading a report that's helped inform the text of the GDPR:

"Privacy and Data Protection by Design":

[https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design](https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design)

------
jimnotgym
I have been through a number of GDPR resources and seminars and I am still of
the opinion that there is nothing in it to worry people who are acting in good
faith with their customers data. The organisations fined under existing laws
seem to have been breathtakingly negligent or just deliberately callous.

~~~
Eridrus
Q: would I still be able to keep session logs of user journeys through my site
without explicit consent? If not, this seems like a huge issue for ecommerce
analytics. If I need to obtain explicit consent, that the user isn't required
to provide to continue accessing the site then I don't see how these
technologies are not basically dead in the EU.

Can you even legally do a customer churn analysis under the GDPR without
explicit consent?

One of the biggest complaints I have about this is that the uses for data keep
growing, and legally, you can't even test a hypothesis before getting consent,
which you won't be able to do frequently because users hate being asked about
anything.

My intuitive response to this law is to want to split my data into EU/non-EU
parts, do all my work on the non-EU parts and hope that the insights gained
there can be applied to EU users.

~~~
ec109685
No, put up a “trap” page, tell the user you need to collect certain data to
operate the site and make the user click Accept before they can use it.

~~~
Eridrus
I think the GDPR explicitly forbids that; if your site doesn't need the data
to keep functioning, it can't just stop working.

------
Radim
Funnily, one of the common fears our clients ([https://gdpr-tools.eu](https://gdpr-tools.eu))
have with regards to GDPR is not about the
general public. It comes from disgruntled employees ratting on the company.

Employees know best where personal data is stored (and often no one else in
the company does), so they can really do some surgical damage by reporting
their employer to the "authorities". GDPR introduces a whole new dynamic.

~~~
vkou
This is the case for every law. A disgruntled[1] employee at a coffee shop
that has mold growing on the kitchen ceiling can, after being ignored by
management for weeks, rat on the company. (And then get shitcanned, with no
recourse, because none of their co-workers will testify to the truth on their
behalf, because they are cowards who don't want to lose their jobs.
Understandable, but sad.)

This doesn't mean that we don't need food health and safety inspection laws.
It does mean that you actually need to run your business in a way that
respects your customers.

Stop running your company with the attitude of "It's fine, as long as I can
get away with it." I have no sympathy for that.

[1] You can be a disgruntled employee, and also be 100% in the right, if your
boss is behaving illegally.

------
Azeralthefallen
I am curious, if you offered a service that allowed users to post their own
data to your service. How do you protect against customers posting data that
violates the GDPR. I.e. people's personal information being posted in
plaintext?

Is this type of case covered by the GDPR?

Also how are things like access logs supposed to be handled according to the
GDPR? Our software records all requests made to our API, they log your userid,
IP address, and what you were trying to do.

We have clients who are in the US who required the above feature for auditing
purposes.

~~~
the_mitsuhiko
> I am curious, if you offered a service that allowed users to post their own
> data to your service. How do you protect against customers posting data that
> violates the GDPR. I.e. people's personal information being posted in
> plaintext?

You ensure that those users have a way to delete the data again.

~~~
jcadam
I'd actually considered implementing a "soft delete" function for my service
(knowledge management SaaS), out of fear that a user would accidentally delete
something important.

Now with GDPR pending, I think I won't. I'll just leave my 'no sh*t delete'
function in place. If I get a request to restore any data I can say, "Sorry,
the Europeans made me burn your data when you unwittingly clicked the red
'delete' button (as well as the confirmation dialog you didn't read)."

~~~
gnud
If you purge soft-deleted records after (say) 2 months, and don't use those
records for anything unless they are undeleted by the user's request, I don't
think that should cause any problems with GDPR.

Of course, IANAL.

------
AndrewKemendo
I've been digging into GDPR for the last year or so and the major conclusion I
came away with was that, in effect, it is a massive effort to educate the
population about data collection and processing online while also beefing up
guarantees for data security.

As in, it's not illegal to do most of the same things we do now with data,
however we now need to educate our users on what data we are using and exactly
how we are using it, in a way that is understandable to the average user.

With all due respect to the average user, I cannot fathom how anyone doing
anything with user data more complicated than a basic record will explain it
simply enough to be in compliance.

------
setra
In this article the author states: "The latter definition is important for
developers. It includes things like IP addresses, mobile device IDs, browser
fingerprints, RFID tags, MAC addresses, cookies, telemetry, user account IDs,
and any other form of system-generated data which identifies a natural
person.". This information does NOT automatically qualify as personal data.
Information being unique is not the same as personally identifiable. A random
cookie sent by the browser is not PII. A cookie stored in conjunction with say
an email address could be.

Certain information can be classified as PII if it is possible to cross-reference
it with other stored information to identify a user. For example, a European
court in a recent ruling stated that a full IP address could be considered PII
because an ISP would have a record of IP address and time with a person's name.

~~~
robin_reala
Are you mixing up ‘personal data’ and ‘personally identifiable information’ (a
US legal concept that differs from the EU definition of personal data)?

~~~
setra
No, I am simply using shortened text not the USA PII legal concept. GDPR has
many more restrictions than the USA concept of PII.

~~~
_o_
To me it seems quite simple: if the information can be used to identify a user,
it is personal information and you need an explanation of why you need it and
opt-in. If this is a problem for you, maybe avoid collecting what you don't
need. The idea of "collect everything and audio & canvas fingerprint them,
maybe I will need it later" won't pass; you will never get consent. Collect
only what you really need.

------
paulsutter
I’d love to understand GDPR but this article isn’t helping. Can anyone suggest
something more focused and direct?

~~~
_o_
Very simplified, you can not use or give personal data to someone else without
opt-in given consent (where you must state in non-legal, non-tech speech for
what they will be used) and same goes for enabling others (ad networks,
google,..) to get those data. Or you are breaking the law. Further, user must
be allowed to view, change or delete those data and remove consent to use them
in whole chain (your site, ad network used on your site,...) Furthermore the
consent must be freely given (forget trackwalls).

~~~
wastedhours
And there's also the slightly grey-area requirement that (if you're
using it as your legal basis) consent should not be required in order to
utilise your product, merely to utilise the feature set that requires the
data.

If you need everything, then you'll need to use "fulfilment of a contract" as
the basis, and in that case, you probably need to make your ToS pretty tight
too.

~~~
hanrelan
Question about the freely given consent - Say I'm a car company like Tesla and
I collect telemetry from the car to train a self-driving car model. I ask the
user for consent to collect this data to train the self-driving model.

For the users that refuse this consent, can I prevent them from accessing the
self-driving feature of the car? If not, how would the company deal with the
free-rider problem - nobody opts in because they want their privacy but they
also want the feature?

~~~
wastedhours
In that instance, I (personally, IANAL) wouldn't use consent as the legal
basis. You could (esp with a legal team like Tesla could afford) pretty easily
work that into either fulfilment of a contract, or legitimate interests.

AI and ML have to be careful [0], as you need to be explicit about the data's
use and impact on the end-user. The most given example for this is ML algos
that determine eligibility for financial products, but we could probably twist
that Tesla example to fit something similar: "my data is used to inform an algo
that determines what the car does in a dangerous situation", so you might have
to abide by rights to explanation and data editing.

[0] [https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/)

------
chasb
GDPR has a lot of parallels to HIPAA and SOC 2. Many developers here have
worked with companies subject to HIPAA, or that do SOC 2 reporting.

One big difference is that the material scope of GDPR is so extremely broad:
it regulates any PII that can be touched by EU law. That's important because
it means that all of your SaaS vendors that touch this data may be in scope,
not just your hosting stack. If you're marketing or selling in the EU, your
entire growth/CRM/customer success stack will be regulated. If you have EU
employees or contractors, all of their HR data is covered. I'm not sure if
most companies realize this. It may be less of a problem for B2B, we'll see.

Questions to ask yourself: What is the scope of GDPR personal data across your
business? Are you marketing in Europe? Are you selling into Europe? What
business processes touch that data?

------
kerng
What I like about GDPR is that it might help change the mindset that storing
customer data is purely an asset - it should be a liability. Hopefully other
countries will ratify similar laws. Then something like the Equifax breach
could go unpunished!

------
shkkmo
Does this make Apache access logs illegal?

1) There isn't any way to "opt-in" to them

2) You would need to have a tool to remove every entry for an IP address when
requested?

~~~
shkkmo
It looks like the answer is yes:

[https://www.ctrl.blog/entry/gdpr-web-server-logs](https://www.ctrl.blog/entry/gdpr-web-server-logs)

------
elcapitan
I wonder if we will see a kind of dual universe privacy in implementations
once countries like China become equal as a market for internet services, and
they create some sort of a reverse GDPR law. Then for all customers from the
EU you will have to completely anonymize and protect all data to the last bit,
while for Chinese customers you'll have to implement the most rigid and total
tracking possible?

~~~
s73v3r_
Perhaps separate subsidiaries for the EU, which does respect the GDPR, and one
for China, which tracks everything that could be tracked?

~~~
PeterisP
How would that be useful to you?

The EU subsidiary would not be legally able to use any of that data (it can't
take it from the China subsidiary in any way whatsoever); and the China
subsidiary would not be practically able to use any of that data, since they
don't have any users/customers in EU.

~~~
s73v3r_
The China subsidiary would be able to use the data in China, to advertise and
acquire more Chinese customers.

Of course, I suggested that more for the situation where the EU had data
privacy laws, and China required intense tracking of customers.

~~~
PeterisP
You don't need subsidiaries for that.

GDPR would apply if an _EU_ company would track people in China (Article 3
section 1); it would apply if a multinational company tracks people in EU
when offering goods or services to them (Article 3 section 2); but it wouldn't
apply when that same multinational company tracks people in China.

I.e. Facebook can be fully GDPR compliant if it applies the privacy
requirements only to people in EU and gratuitously violates the privacy of
everyone else.

Furthermore, if China has a _legal requirement_ for intense tracking of
customers (I'm not sure what their legal requirements are), then GDPR would
allow an EU company to do that without consent. (Article 6, 1c : "Processing
shall be lawful [..] if ... processing is necessary for compliance with a
legal obligation to which the controller is subject")

------
tibu
Typo in the title: GPDR vs GDPR

------
77pt77
How would this be enforceable for companies that have their headquarters only
in the USA even if they have European users?

Will this also apply for citizens of an EU country living outside the EU?

~~~
danieltillett
The EU is going to send over its army and force you to comply.

My understanding is the GDPR applies to residents of the EU, not just
citizens, and it also applies when they are outside the EU. In practice this
means it is impossible to determine if it applies unless you gather far more
information than you really need from your users - “sorry we have to invade
your privacy to protect your privacy”.

~~~
77pt77
So a US company providing services to a US naturalized citizen in the US that
is also a dual citizen of a country in the EU makes the company liable to
follow these regulations?

That makes no sense.

This sounds unenforceable.

~~~
danieltillett
Yep. It is worse that it can be an EU resident (non-citizen) visiting the
USA using a USA only service and the law as currently written still applies.
Good luck.

The next fun job is working out how to remove the data from all your backups
when you get a removal request.

I have taken the approach that I will comply with the general intent of the
GDPR (which I did long before it existed), but not try to apply the ridiculous
parts.

~~~
s73v3r_
"Yep. It is worse that it can be an EU resident (non-citizen) visiting the
USA using a USA only service and the law as currently written still applies.
Good luck."

You're going to have to provide proof to back up that statement.

~~~
danieltillett
The regulations are ridiculously broad [0]. They appear to cover everyone in
the world no matter where they are or what their citizenship. The EU seems to
be aiming for a universal human right.

"The principles of, and rules on the protection of natural persons with regard
to the processing of their personal data should, _whatever their nationality
or residence_ , respect their fundamental rights and freedoms, in particular
their right to the protection of personal data.”

0\. [http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN)

~~~
s73v3r_
That's the intro statement. That's like saying the Declaration of Independence
is overly broad because it says that "all men are created equal."

~~~
danieltillett
See my posts down thread for the more detailed clauses.

------
aidos
How are people planning on implementing GDPR at the DB level? What about DB
backups?

~~~
jandrewrogers
This is a great question that unfortunately doesn't have a good answer.
Ignoring the question of backups, GDPR's requirements have the implication of
imposing a workload on database engines that, in most modern architectures, is
either pathologically expensive or not currently possible. Some companies are
approaching this from a "best effort" standpoint rather than conforming to the
spirit of the regulation because the technology simply isn't there to make it
feasible for some cases. I've been working on this problem for the last year
and this is (IMO) a major gap in the regulation; it presumes that something is
possible that isn't for existing applications that are otherwise universally
viewed as harmless and permissible.

Scalable database engines that can support the letter of the GDPR in terms of
data handling don't really exist. This is not a problem that can be trivially
solved by patching an existing database engine; the requirements of strict
GDPR data handling violate fundamental design assumptions of common database
architectures. If you look at, for example, high-assurance databases which
have a similar set of requirements for data handling as GDPR, they are never
used when at all possible because their performance and scalability is
terrible. (These databases are conventional architectures with GDPR-like data
handling controls added.)

A database engine capable of strict conformance with GDPR while maintaining
vaguely comparable performance and scalability relative to what we are used to
would require a comprehensive new database engine design from first
principles. This is something only a small number of people are capable of
designing, and implementation would be a very substantial engineering effort.
Possibly a business opportunity -- one of the reasons I've been thinking about
it, having worked on high-assurance databases in the past.

~~~
calcifer
Sorry if this sounds snarky, but you have written 3 whole paragraphs without
saying _what exactly the problem is_.

------
qwerpoiu
A thought I had that I haven't heard elsewhere: this is the EU equivalent of
the Great Firewall - an immensely powerful tool for governments to use against
"foreign" companies that don't have the proper values.

The EU would love to have a tech company that could be compared to Google,
Facebook, or Tencent, but its attempts to create one by fiat (Quaero, for
example) have fallen flat.

The mechanism (legal rather than technical) and the claimed ideals (privacy
rather than anti-pornography) are different, but the effect will be the same.

Depending on your perspective, this represents a tremendous opportunity for
EU-based startups. Your government will almost certainly make things very
difficult for your foreign competitors. Cozy up to your local Party officials!

------
tzs
> A Privacy Impact Assessment (PIA), which is required under GDPR for data-
> intensive projects [...]

What is a "data-intensive" project?

~~~
BjoernKW
It's probably safe to err on the side of caution and assume that any
application that stores personal data in permanent storage is a data-intensive
application.

------
faitswulff
Does anyone know of US companies implementing GDPR compliance?

~~~
reynoldsbd
Absolutely! Anybody who does business in Europe or even has users in Europe is
subject to this law.

The amount of effort being put into GDPR compliance within my organization is
just staggering. It really makes me think about these kind of laws from a new
perspective, because they cost businesses so much to implement.

(I'm not saying whether GDPR is right or wrong! Just that it's expensive.)

~~~
ryandrake
I would (maybe naively) think that the cost of GDPR compliance would be small
if your company is already safeguarding user data and respecting user privacy.
If a company’s cost is “staggering“ doesn’t that say a lot about its existing
privacy practices?

~~~
sb8244
I'm not sure. I think this is a very absolutist and probably naive way to look
at it, frankly.

For a simple example, let's say you use an immutable data store. What do you
do if a customer wants all info about them redacted, but you did something
like store their IP, name, or email. All common things. Now you must build
mutability into your store and all assumptions that used to be made can be
removed.

This is just a very small piece of something that even a small or medium
company may be using or doing.

~~~
robin_reala
You encrypt the data before it’s stored with a unique key, then destroy the
key when the user requests it.

Doesn’t help for pre-GDPR data but that’s the way you should be building going
forwards.
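
One concrete way to build the per-user-key scheme described in the comment above, added here as an example (it is not code from robin_reala, from the article, or from any product): a Go program that keeps one AES-256-GCM key per user in a key vault held apart from the records, writes records into an otherwise append-only store as ciphertext, and serves an erasure request by destroying the key rather than touching the records. Every copy of the ciphertext, including the ones sitting in backups and in the immutable store raised earlier in the thread, becomes unreadable at once. The in-memory vault, the record layout and the sample user/value are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded: the owner's key is gone, so the ciphertext is unrecoverable.
var ErrShredded = errors.New("key destroyed: record is unrecoverable")

// Record is a row in a hypothetical append-only store. UserID stays in clear
// so the row can be located; the payload is AES-256-GCM ciphertext under
// that user's own key.
type Record struct {
	UserID     string
	Nonce      []byte
	Ciphertext []byte
}

// Vault holds one data-encryption key per user, apart from the records (in
// memory here; a real one would sit in a KMS or HSM). It is the only component
// that ever needs to be mutated to honour an erasure request.
type Vault struct{ keys map[string][]byte }

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// keyFor returns the user's key, minting a fresh 256-bit one on first use.
func (v *Vault) keyFor(userID string) ([]byte, error) {
	if k, ok := v.keys[userID]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[userID] = k
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for userID. The user id goes in as additional
// authenticated data, so a record cannot later be re-attributed to someone else.
func (v *Vault) Encrypt(userID string, plaintext []byte) (Record, error) {
	key, err := v.keyFor(userID)
	if err != nil {
		return Record{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(userID))
	return Record{UserID: userID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a record. After the owner's key is shredded it fails with
// ErrShredded, however many copies of the ciphertext still exist.
func (v *Vault) Decrypt(r Record) ([]byte, error) {
	key, ok := v.keys[r.UserID]
	if !ok {
		return nil, ErrShredded
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.UserID))
}

// Shred services an erasure request: zero the key material and forget it.
// Records and backups are left as they are; they are now just random bytes.
func (v *Vault) Shred(userID string) {
	if k, ok := v.keys[userID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, userID)
	}
}

func main() {
	v := NewVault()
	rec, _ := v.Encrypt("user-42", []byte("jane@example.com")) // constructed sample
	backup := rec // a copy that lives on in an immutable log or a backup set
	v.Shred("user-42")
	_, err := v.Decrypt(backup)
	fmt.Println("after erasure:", err) // prints the ErrShredded message
}
```

Encrypt mints a fresh key the first time it sees a user id, so data accepted after a shred is sealed under a new key while the old ciphertext stays dead; the only state that has to be deletable is the key table, which is small enough to keep out of the ordinary backup set.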

~~~
reynoldsbd
"We could have done it this way." doesn't pay the bills (or in this case,
doesn't prevent steep fines).

~~~
robin_reala
Sure, it’s always painful to fix existing systems. In the future it should be
no more expensive than business as usual though.

------
woolvalley
Will the GDPR eventually make bitcoin or other immutable public distributed
databases illegal in the EU? Do you have default judgements on thousands of John
doe node operators around the world? Will EU ISPs be required to censor any
kind of blockchain node eventually when someone has a GDPR complaint for that
network? Will we arrest teenagers for running ethereum miners on their gaming
computers after all of this?

~~~
wglb
Will any information that enables identification of the individual (or the
other ancillary information spelled out in the article and regulations) be in
the blockchain? If not, doesn't sound like it.

Here is one way to think of this. Any EU citizen has a "right to be
forgotten". If there is nothing in your records to identify that person, then
you don't need to provide that ability.

~~~
ebcode
OK, but what the parent is suggesting is that someone might store someone's
personally identifiable information on "the blockchain", thus making the
entire bitcoin network in violation of GDPR. It's a fairly on-point criticism,
IMO.

~~~
chii
It's not the Bitcoin network that's in violation, but the company that owns the
transaction in which the data is.

Let's say I'm a shop and I allow BTC payments, but I include the customer's
info in the transaction or something to such an effect. Then I'm in violation,
and must pay a fine (since I can never delete that info). The network has
nothing to do with this, and nobody else on the network is party to the
violation.

~~~
emilfihlman
So just paying a fine is enough to make the issue go away and the user's
privacy is bought out legally?

Now we have a way to estimate the cost and we can just put that on top of the
cost of using the service.

Boom, privacy bought.

You don't realise how absurd GDPR is?

------
maximexx
> Not having a PIA is not an option.

Nice one for the indie developer. It looks like the PIA can take more time to
get right than your actual program.

------
tekism
This is a bit confusing. I have a website, I log IP addresses in my web
server log, and I use Google Analytics; what do I need to do?

~~~
Jakob
The legal ramifications of storing IP addresses didn’t change with GDPR. You
should already have them anonymized since they count as personal data:

Google Analytics
([https://developers.google.com/analytics/devguides/collection...](https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization)):

      ga('set', 'anonymizeIp', true);

Web server (here nginx,
[https://stackoverflow.com/a/45405406](https://stackoverflow.com/a/45405406)):

      map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
        ~(?P<ip>[^:]+:[^:]+):       $ip::;
        default                     0.0.0.0;
      }

Only if you store more data about your customers/users do you need to act
further.
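
The same anonymisation the nginx map above performs, written out as a stand-alone Go program so it can be applied to existing log lines as well (an added example, not code from the thread, from nginx or from Google): IPv4 keeps a /24, IPv6 keeps a /32, and anything that does not parse as an address collapses to 0.0.0.0, mirroring the map's default branch. It also goes one step beyond the map by unmapping IPv4-mapped IPv6 addresses so they get the IPv4 rule; the log lines are constructed samples.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Bits kept after anonymisation. These mirror the nginx map quoted in the
// thread: IPv4 keeps the first three octets (/24), IPv6 the first two hextets (/32).
const (
	v4KeepBits = 24
	v6KeepBits = 32
)

// AnonymizeIP zeroes the host part of an address so the stored value no longer
// points at one machine. Anything that does not parse as an address collapses
// to "0.0.0.0", like the map's default branch, so garbage never passes through
// untouched.
func AnonymizeIP(raw string) string {
	addr, err := netip.ParseAddr(strings.TrimSpace(raw))
	if err != nil {
		return "0.0.0.0"
	}
	// IPv4-mapped IPv6 (::ffff:a.b.c.d) is really IPv4; unmap it so it gets the
	// /24 rule instead of collapsing to "::" under the IPv6 rule.
	addr = addr.Unmap()
	bits := v6KeepBits
	if addr.Is4() {
		bits = v4KeepBits
	}
	// Addr.Prefix masks off every bit past the prefix length.
	p, err := addr.Prefix(bits)
	if err != nil {
		return "0.0.0.0"
	}
	return p.Addr().String()
}

// AnonymizeLogLine rewrites the leading client-address field of a "combined"
// format access-log line (nginx or Apache) and leaves every other field alone.
func AnonymizeLogLine(line string) string {
	addr, rest, found := strings.Cut(line, " ")
	if !found {
		return AnonymizeIP(addr)
	}
	return AnonymizeIP(addr) + " " + rest
}

// Constructed sample lines in nginx's default "combined" format; not real traffic.
var sampleLog = []string{
	`203.0.113.9 - - [10/Feb/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"`,
	`2001:db8:85a3::8a2e:370:7334 - - [10/Feb/2018:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024 "-" "curl/7.58.0"`,
	`::ffff:198.51.100.23 - - [10/Feb/2018:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"`,
	`not-an-address - - [10/Feb/2018:13:55:39 +0000] "GET / HTTP/1.1" 400 0 "-" "-"`,
}

func main() {
	for _, line := range sampleLog {
		fmt.Println(AnonymizeLogLine(line))
	}
}
```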

~~~
SquareWheel
Are IP addresses actually considered "personal data"? They are how computers
talk to each other. Anonymizing them doesn't make any sense to me.

~~~
s73v3r_
They're anonymized for things like logs. When the computers aren't talking to
each other, the reasons to know the exact IP address are rather minimized. If
you feel you have a real need to do so, then you just need to inform your
users what you're doing.

------
jefe_
I imagine most of it will boil down to this:

Follow OWASP, encrypt in motion and at rest, use key-manager appliance,
implement access logging and store separate from systems, backups of data,
define lifetime of data, physical controls to data storage facilities, access
controls in system, manage multi-tenancy as the situation requires, sensible
password policies / multi-factor authentication, background checks on
employees, train staff on security, perform regular scans, restrict ports,
intrusion detection system, penetration testing, have plans for business
continuity and disaster recovery and practice implementing them, be aware when
third party libraries are being used and have a policy for applying
software/os patches.

------
tekknik
I don’t see this helping at all. The big companies will just get consent and
then it’s business as normal. Sites that can’t comply due to lack of resources
will just block EU access. Really this is just a bullet point for the big guys
and stifling for the small guys.

------
tempodox
I built an app that displays geolocations of tweets on an OpenStreetMap. That
data is publicly available from Twitter and users share their location
willingly, I presume. Will an app like that become illegal, as far as European
tweeters are concerned?

~~~
x0x0
It's unclear. The GDPR definitely covers personal data _even if publicly
available_, so just because you grabbed it from twitter doesn't make it
kosher.

That said, realistically, I'd have a hard time imagining you would have too
much difficulty as long as you allowed people to delete their data upon
request. If they post something to twitter, the obvious intent is to make it
very public.

~~~
draugadrotten
For a real life example, there is a group of people that collect Facebook
posts and process them through a ML filter which judges if the post contains
hate speech, and if it does, it reports the post to the police, supposedly
after manual review.

Does this processing comply with GDPR? I'm pretty sure none of the people
would allow this processing to take place if they were asked for permission.

~~~
x0x0
My best guess is they will be able to shut this down hard, unless there is
some alternative processing basis to be leaned on. See (6)1 for a list of
potential bases.

So no. Not GDPR compliant in the slightest.

------
klokoman
Unable to directly attack freedom of expression, the spread of information and
small business, the EU developed another bureaucratic layer on top of all the
bureaucratic layers already in effect. This layer is pretty hard to comply
with, and requires a lawyer always on retainer for peace of mind, ensuring
that publishing online is de facto reserved to a few players. Every other
interpretation of the law is naive; just like with the cookie law, if they
really wanted to stop the abuses of the big players they could have done so.
Instead they're ruining normal people, because that's the real objective.

------
__ka
>Online identifiers ... is important for developers. It includes things like
IP addresses, mobile device IDs, browser fingerprints, RFID tags, MAC
addresses, cookies, telemetry, user account IDs, and any other form of system-
generated data which identifies a natural person.

What if one exclusively collects telemetry IDs (unique per application), with
which usage stats are sent? To what extent is this personal data? On whom does
the burden of proof for 'being able to identify a natural person' fall?

------
trothamel
"The extraterritorial nature of these two frameworks..."

I've noticed that this is something the EU has tried to do lately, to just
sort of push their regulations on the rest of the world. I don't see what sort
of authority they'd have to impose this on citizens of other countries.

I wonder, if Europe pushes the issue, if this will be treated like libel
tourism, where US citizens and companies without a European nexus will be
explicitly protected from judgements against them.

~~~
breakingcups
It's quite simple. If you want to do business in the EU or with people who
reside in the EU, you need to comply with the EU's regulations.

Don't like it? Don't do business in/with the EU. Then you're free to ignore
their frameworks, rules and regulations.

They are not trying to "impose their regulations on the rest of the world",
they're trying to protect the privacy of their inhabitants. That this leads to
measures that need to be taken by companies doing business with (the data of)
their inhabitants is a side-effect and only logical.

~~~
teeray
If a business decides to opt-out of doing business with the EU as a result,
what measures do they need to take? Would a banner asking "Are you an EU
citizen? Yes/No" suffice? Or would we have to use some kind of Geo IP tool?
How would that defend against EU citizens using a VPN or Tor, and what would a
business's liability be in that case?

~~~
mathie25
Not all organisations will need to be compliant with GDPR. By that I mean, if
your organisation only does marketing in, for example, the US and Canada, only
accepts USD/CAD and there is no legitimate appearance that you do/want to do
business in Europe, you are not required to be GDPR compliant, even if a
European customer goes on your website and purchases a product/service.

If your website accepts Euros, has multiple European languages (e.g. Spanish,
German, etc.), and you do marketing in Europe, then we can conclude that you
legitimately do business in Europe, and you are then required to be GDPR
compliant. This is indicated in one of the GDPR articles (can't remember which
one).

Edit: fix typos

~~~
wglb
Not quite. GDPR applies to you, a US entity, if you do business with an EU
citizen trading in dollars living in the US.

~~~
mathie25
"[...]Whereas the mere accessibility of the controller's, processor's or an
intermediary's website in the Union, of an email address or of other contact
details, or the use of a language generally used in the third country where
the controller is established, is insufficient to ascertain such intention,
factors such as the use of a language or a currency generally used in one or
more Member States with the possibility of ordering goods and services in that
other language, or the mentioning of customers or users who are in the Union,
may make it apparent that the controller envisages offering goods or services
to data subjects in the Union."

Quote from GDPR, page 5, recital 23 ([http://www.privacy-regulation.eu/en/recital-23-GDPR.htm](http://www.privacy-regulation.eu/en/recital-23-GDPR.htm)).
I'm no lawyer, but that's the way I'm understanding it.

~~~
freeone3000
So what, English and French? Those are the two major languages of the union,
but are also the two official languages of Canada. Seems like you can easily
get hamstrung on a technicality.

~~~
TheCoelacanth
Those are factors, not hard and fast rules. If you are a Canadian company and
you provide services in English and French, that alone wouldn't indicate that
you are targeting EU users. There would need to be other factors indicating
your intent to target EU users.

------
intrasight
What really strikes me is the fact that we spend so many years getting good at
remembering things, and now we have to get good at forgetting things. Seems to
me that forgetting is way easier than remembering. But I could be wrong.

Was just reading this article which I found very informative:
[http://www.davidfroud.com/does-right-to-erasure-include-back...](http://www.davidfroud.com/does-right-to-erasure-include-backups/)

------
Oomroo
I can't find a definition of "erasure". Do these count as erasure?:

1) copying a subset of items Y from a set X stored at location A to a new
location (e.g. a new disk or another computer) B, then deleting location A
(e.g. reformatting disk A)

2) storing all information encrypted with per-person keys, then deleting a
person's key

Also how does one prove erasure?

[https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)

~~~
_petronius
I think the key here is to think of this in obvious terms: can you (easily)
recover the data? Are you trying to trick customers/regulators into thinking
you got rid of the data, but really have a secret copy for later? Did you make
a good-faith effort to comply with the law? If your answers are no, no, and
yes, you’ve got nothing to worry about.

Law isn’t, despite what TV would have you believe, a game of pure
technicalities (especially outside the US).

~~~
Oomroo
"can you (easily) recover the data"

This rules out encryption+key-deletion as erasure because while you may not be
able to (easily) recover the data, someone with more computing power could
(now or in the future).

What about old magnetic disks and tape backups? Even if you erase them they
could possibly be recovered by someone else with the right resources.

~~~
Thiez
There literally isn't enough energy in the solar system to run a counter from
0 to 2^256. Computers may still get faster for some time, but in the absence
of new cryptographic weaknesses, 256 bit symmetric encryption can be
considered to be safe from brute-force attacks forever.

There is some trick using quantum computers that could help, but doubling the
key size counters that, putting your encryption beyond the reach of brute-
force once again.
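
The encryption-plus-key-deletion scheme Oomroo asks about, and Thiez defends on brute-force grounds, as an added example in Go (not code from the thread) using the standard library's AES-GCM: one 256-bit key per data subject, records stored only as ciphertext, and erasure performed by destroying the key, after which the surviving blobs (including any in backups) cannot be read. Subject names and records are constructed; whether a regulator accepts this as "erasure" is the legal question the thread leaves open, so the code shows only the mechanism.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrErased = errors.New("subject key destroyed: data is unrecoverable")

// Vault keeps one 256-bit AES key per data subject and stores records only as
// AES-GCM ciphertext. Erasing a person destroys their key; every blob that
// belonged to them, including copies sitting in backups, is then just noise.
type Vault struct {
	keys   map[string][]byte   // subject -> key; removed on erasure
	blobs  map[string][][]byte // subject -> nonce||ciphertext, kept to show erasure
	erased map[string]bool     // subjects that must not be silently re-keyed
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, blobs: map[string][][]byte{}, erased: map[string]bool{}}
}

func (v *Vault) aead(subject string) (cipher.AEAD, error) {
	key, ok := v.keys[subject]
	if !ok {
		return nil, ErrErased
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts one record for a subject, minting their key on first use.
func (v *Vault) Store(subject string, plaintext []byte) error {
	if v.erased[subject] {
		return ErrErased
	}
	if _, ok := v.keys[subject]; !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		v.keys[subject] = key
	}
	g, err := v.aead(subject)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The subject ID is bound in as associated data, so a blob cannot later be
	// re-attributed to another person without failing authentication.
	v.blobs[subject] = append(v.blobs[subject], g.Seal(nonce, nonce, plaintext, []byte(subject)))
	return nil
}

// Records decrypts everything held for a subject; after Erase it returns ErrErased.
func (v *Vault) Records(subject string) ([][]byte, error) {
	g, err := v.aead(subject)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	var out [][]byte
	for _, b := range v.blobs[subject] {
		pt, err := g.Open(nil, b[:n], b[n:], []byte(subject))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase is the crypto-shredding step: zero the key in memory and forget it.
// The ciphertext is left in place on purpose to show it is now useless; a real
// deployment must also purge every key backup and escrow copy.
func (v *Vault) Erase(subject string) {
	if key, ok := v.keys[subject]; ok {
		for i := range key { key[i] = 0 }
		delete(v.keys, subject)
	}
	v.erased[subject] = true
}

// BlobCount reports how many ciphertext blobs still exist for a subject.
func (v *Vault) BlobCount(subject string) int { return len(v.blobs[subject]) }
```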

------
YetAnotherNick
What about things explicitly designed in a way that there is no option to be
forgotten. What about commits in version control sites? What about mailing
lists?

From skimming over the spec, it seems that politicians haven't thought about
any other sites than social networks or some other profit-making sites. Even
in that case, if some ML system is trained on the data of the customer, do
they have to re-train after anyone invokes the right to be forgotten?

------
cloudadic
I think, more than for developers, it is an operational burden for companies.
GDPR discusses the lifecycle of customer data and tries to draw boundaries
around who, how, when and where the user data is going to be used.

Our product [https://www.StegoSOC.com](https://www.StegoSOC.com) helps in
automating cyber threat detection. That is also one of the requirements of GDPR.

------
h1boo
How is this law okay with international trade agreements? Why doesn't the US
say that this (rather fuzzy) law is meant to hurt tech companies, which are
disproportionately based there? In retaliation couldn't they come up with some
law that impacts EU businesses?

~~~
PeterisP
It doesn't breach current international trade agreements.

In the long run, however, we'd expect to see international trade agreements
attempting to harmonize these requirements worldwide, and likely include some
mechanism that makes cross-border enforcement easier.

------
Bizarro
Either these laws will be ignored or more and more businesses will move out
of European countries to abide by this law, which Europe really can't afford.

I'll happily ignore this law.

~~~
romanovcode
As an EU citizen I will have no problem not using your company if it cannot
even provide basic privacy for me as a user.

~~~
Bizarro
You can make your own decisions about who you want to trust with your data
without that law being in place.

The only thing that law does is wall off Europeans from the rest of the world.

This is just the beginning of "protection" laws from bureaucrats in
Brussels. You can believe that these laws are there to "protect you", but the
rest of us know better.

Stop letting politicians run your lives, and you'll be better off.

------
mycall
> concept of privacy as a fundamental human right enshrined in law, a
> situation which has no U.S. equivalent.

We do have something about that in the U.S. Constitution.

~~~
balefrost
That deals with your interactions with the government, not your interactions
with other citizens.

------
flavio81
Interesting, I live in a third-world country and we already have a "General
Data Protection Regulation" law in place.

------
cimmanom
Can anyone suggest accessible resources or courses for GDPR training for
software developers and product managers?

------
ecesena
Typo in the title: GPDR -> GDPR

------
mfoy_
This article is all very well and good, my only concern is that, imagine in a
few years someone wants to find the list of all the laws and regulations and
frameworks and whatnot that they need to comply with to run a truly
international website... where would they find that information?

~~~
kelnos
I think that problem will in some ways solve itself.

Ideally you want to consult with a lawyer to ensure you're in compliance.
Certainly that's what we're doing where I work (we have dedicated in-house
legal staff dedicated to privacy issues who have been taking point on this),
but when you're smaller that can be prohibitively expensive.

Within a couple years, though, I expect any serious commercial or open source
platform available that deals with data to have GDPR-related features. It's
already starting to happen, and hopefully GDPR compliance won't be something
you have to go out of your way to do; it'll just be a normal part of doing
business that everyone understands.

The transition period will likely be rocky, and it's my hope that the EU will
be initially lenient dealing with honest mistakes that companies work to
quickly fix once discovered.

------
JPSchoolSports
There is a fundamental truth that no one seems to accept. But it is the truth,
and the majority of the planet's ignorance of this fact makes it no less true.
(I am not arguing about what is legal or not, or proposing any illegal
behavior, rather just observing that many things legal in the past were
absurd/wrong or still are in certain places on the planet - e.g. women not
being allowed to drive in certain countries. I.e., I repeat, I am not arguing
about what is legal or not, I am arguing about the disconnect between reality
and the law.)

The hard truth: There is no such thing as privacy - it was just not so
apparent until now. I can know whatever I want, you cannot stop me from
knowing the color of your shirt, your bank PIN, or seeing pictures of you
naked if they exist. I am free to know whatever I want, and so is everyone
else. When everyone understands that this is in fact the case, then the world
will be a better place.

There are lots of interesting topics and conversations that arise from this
(sometimes people call them counter arguments, or try and tell me that what I
am calling for is wrong). I am not calling for anything, and I understand the
ramifications. But most importantly, I am not talking about how I want the
world to operate. I am observing how the world DOES operate. Einstein did not
invent relativity (I am not comparing my (probably far far lower) IQ to that
of Einstein's like you will deflect to as I use this analogy to get my point
across). Einstein merely observed what was there for anyone to observe, and
his observation made the world's societies of people a better place (because
humanity increased its understanding of existence).

I repeat: privacy is a fallacy. I can and will know whatever I want to know.
So will others. Currently people in power have an unfair advantage because
they can know anything about anyone and the rest of us go to jail if we also
know it. The way to level the playing field is to realize this fact, remove
the laws (in theory, that is my proposal, but I don't know how), realize
everyone has a naked version, has been bad, can be taken out of context. In
the end, the importance of context will return and the novelty of nudity (and
all other things (location that abductors can find you, etc.) and intimate
knowledge) will reduce. But we will all be better off because the difference
between the person who knows your bank PIN and the person who steals your
money will be clearly understood. Currently this is not the case.

My observation is correct. Although you will not agree, and be played as a
sucker, continuing to fight for privacy, being ashamed of your past while
making yourself more and more at the mercy of the bullies (I mean governments
and information curators like wikipedia, fb, twit, goog - they are nothing
more than storers of user generated content) that make laws and use them
against you. Another observation that you will dislike me for, but that I ask
you to, at the least, just meditate on, repeating in your head a few times,
before dismissing it: Laws are a cheap substitute for understanding.

------
_o_
I really don't think (and I am a developer, I will need to comply) that
anything in GDPR is hard to understand. Treat data from others in the same way
as you would treat (and you are treating) yours. You are not selling your
personal details to 3rd parties, you are not keeping painful pictures of
yourself climbing into a garbage bin and diving in completely drunk, you are
not storing them in pastebin or unsecured databases. You edit them if they are
wrong, you delete them if you don't like them. You don't photograph yourself
if you don't want to be. You change the passwords if you suspect someone stole
them. The only thing that GDPR wants from you is to handle others' data with
the same RESPECT as you handle yours.

Every complaint about it shows that you don't respect others and you don't
care about them. And this is the reason it became legislation.

~~~
njl
If only it was that easy. A reasonable reading of GDPR makes standard web
server logs (which contain IP addresses) a punishable offense, even if you
don’t have a nexus in Europe.

GDPR is a wonderful idea that will be insanely expensive to comply with, act
as a continuous drag on developing new technologies, and end up offering only
nominal protection to end users. This is just going to be another way for EU
regulators to smack around Google and Facebook. They probably deserve it, but
the potential fallout for the rest of us is really going to hurt.

Don’t get me wrong, treating user data with respect is the right thing to do.
But we’re all going to be paying for this overly broad and under-specified
legislation for years to come.

~~~
dcosson
When stuff like this comes up it always seems so weird to me that with all the
work that regulators put into this, why can't they at least scratch the
surface of providing some specific examples? Of course there are legal
documents, and maybe some "for dummies" versions written up about it.

But would it be so crazy for these regulators to hire someone who knows
something about commonly used open source software and building web apps, to
help provide a little bit of actionable technical advice? For instance, the
majority of the internet is running on Apache or Nginx, why not have an
official, EU-sponsored blog post explaining "here's how to set up a LAMP
stack, or nginx and rails on a linux server, that complies with GDPR". Of
course they can't cover every obscure language or framework, but it would be a
starting point. And it would probably end up a lot cheaper than having to
investigate and/or penalize people who didn't read the fine print of the law
and/or didn't understand how it translates to actually running software.

Because despite how "simple" this post is saying these laws are, there still
seems to be quite a bit of confusion on this thread, among smart developers,
about questions like whether or not we're allowed to keep collecting webserver
logs in the default format or not.

~~~
srrr
As others have noted: laws with examples would be too specific to survive fast
technological changes. Laws mostly contain the 'spirit' of the idea and are
applicable to many different situations and times.

But the European Commission does give examples:
[https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform_en)

This is of course no nginx configuration. But the thing is.. there is no one
size fits all example configuration. The situation depends on: 1) What do you
use the data for? 2) How long do you really need it? 3) Can you securely
handle it? 4) Has the user consented?

Saving IP addresses in log files can be fully compliant IF you only use them
for legal reasons (sue an attacker, ...), have severe access restrictions on
the files, delete them as fast as possible and get consent from the user prior
to saving the logs.

It depends on your goal, workflow and abilities if you are allowed to store
this data, and you must decide for yourself. If in doubt.. don't store it.

~~~
naicuoctavian
> Saving IP addresses in log files can be fully compliant IF you only use them
> for legal reasons (sue an attacker, ...), have severe access restrictions on
> the files, delete them as fast as possible and get consent from the user prior
> to saving the logs.

You do not need consent for saving the IP, user agent and URL (including GET
values) in Apache logs because, as someone said above, you have a "legitimate
interest to combat fraud and maintain information security".

Legitimate interest and consent are only 2 of the 6 legal bases under which
you can collect and store (process) personal data. Art. 6 contains all 6
[https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/) .

------
_o_
I will show you another case, a company that isn't "bitching" over laws that
are good for all humans, not just the EU, and does the right thing. You know
Backblaze, right?

"The changes that are being made by companies such as Backblaze to comply with
GDPR will almost certainly apply to customers from all countries. And that’s a
good thing. The protections afforded to EU citizens by GDPR are something all
users of our service should benefit from."

[https://www.backblaze.com/blog/gdpr-compliance/](https://www.backblaze.com/blog/gdpr-compliance/)

Get it? It is shameful what a couple of technological leeches did to a basic
human right for their profit, not to mention turning the whole internet into a
clickbait maze. Stop complaining, it is the right thing to do, like it or not.

~~~
jlnthws
So nice to see progress in privacy, but please, someone explain how GDPR will
help EU startups!

GDPR is inevitably going to hinder any new company forced to abide by it. So
the next Uber/Wechat will first flourish in US/China/Russia and then come to
the EU, not the other way around.

Entrepreneurs / investors also want their time & money to be used to build
value first rather than solve yet another accidental complexity that is
irrelevant until your revenue model is proven.

What am I missing? Is GDPR implementation cost marginal?

~~~
kelnos
I wouldn't say marginal, but it is a lot easier to implement GDPR if you do it
up-front, from day one. If you start off with a policy of just not collecting
or storing information unless you've made a conscious decision that you really
do need it, that's a _huge_ start. From there, your main obligations are
to ensure that any personal data you _do_ collect can be deleted at a
reasonably granular level, and that you document your policies around data
storage.

Is it free? No. But if you're spending a significant amount of time on it as a
new startup building from scratch, something is very wrong.

And hell, if you started a company recently, you were given the chance to
catch up to the incumbents in your market while they've slowed down to
retrofit all their systems for GDPR compliance. ;)

~~~
number6
The GDPR is not that far from existing laws in the EU. So EU companies have a
head start.

------
s73v3r_
Good. We've needed a change in how we do things for a long time now.

------
_o_
One more interesting thought. If you are using ad provider/tracker/data
reseller X/... located in the USA which is GDPR compliant and is doing business
with the EU, and you are feeding them with toxic information you didn't get
consent for, the EU can pick on them. As you have damaged their business they
can sue you. In the USA.

~~~
jacquesm
This is not a very realistic scenario. Every ad network has extensive
scrubbing on their input side to ensure they do not ingest doctored data.

~~~
_o_
I am more into the USA state of thinking, money justifies everything. So I
have mentioned it as a business model. ;)

------
dingo_bat
As always, EU regulations efficiently point out why Europe will always be an
inferior place to do business compared to America. I guess at least Brexit is
making more sense now.

~~~
NullPrefix
UK will also comply with GDPR.

------
gaius
It won’t change the way I develop because I was never a data-stealing
sleazebag in the first place. But I hope it drives Google and Facebook out of
the UK/EU for good.

~~~
mark_edward
Wholehearted thanks for people like you!

------
drraid0
It seems that since the GDPR requires deletion of data upon user request,
companies will not be able to send recall notices when, say, a medical device
starts killing customers.

~~~
Xylakant
The GDPR does not require deletion of all user data on request. There’s still
data that can and must be preserved, for example business records, thus
records of sale. A recall should be possible with those records. The customer
might request that these records cannot be used for unrelated purposes,
though.

~~~
drraid0
What if the user requests to be put on a do-not-send list (for email
newsletters, etc)? Is that data that can and must be preserved?

~~~
Xylakant
You’re generally allowed to keep data that is required to provide a service.
So in my understanding, yes, if you provide such a service and the user
requests that, you should generally be allowed to keep that info _for exactly
that purpose_. You can’t use it for anything else though.

------
emilfihlman
I see this as a huge blow to privacy.

Every service will now just have a clear "give us all the rights or gtfo" and
publish everything to public encrypted.

The user has allowed their private data to be published and the service has no
obligations anymore.

------
jakeogh
The US withdrawing from the TPP was a (very) good thing:
[https://www.taylorwessing.com/globaldatahub/article-the-tpp-...](https://www.taylorwessing.com/globaldatahub/article-the-tpp-take-on-personal-data.html)

The EU's war on memory is concerning. It will be used as cover for their
social engineers. Misinformation campaign didn't work out? Ah, delete it!

~~~
3pt14159
Please. Enough with the groundless conspiracies. There are no misinformation
campaigns coming out of the EU or any other liberal democracy.

~~~
jakeogh
And we definitely don't stage psychological warfare officers in major news
organizations.

