
There's certainly no need to panic. The article doesn't address that, apart from mindless hysteria, there are some very real issues with GDPR. It doesn't have to, of course, because as the title suggests it's more about dispelling panic than about giving concrete advice.

However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:

- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically, we might very well see GDPR actually benefiting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.

- How exactly does a privacy policy have to be worded so I don't get sued on day 1?

- In which way will I still be able to store address data for contacting my existing customers?

- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.

- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?




Run your small company website without gathering personal data?

No-one can sue you now, that couldn't before. I'm baffled that so many people believe this. I could complain about you to my country's regulation body. Then they could decide to audit you, and for a first offense issue a warning.

If you need the address data for marketing only, and you didn't get an explicit (opt-in) yes to receive marketing, then sorry. Get that explicit opt-in yes in the next week, or delete the data.

If you need the address data for other reasons, for example fulfilling your contract with the customer, or tax records, then keep it. But _only use it for those real reasons_. No free marketing lists. Sorry.

Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.

Google seems to think you can still use Fonts. They also seem to think that they will be the data controller, and not data processor, for any user data they scoop up [1]. This seems a bit weird to me. This is the only one of your questions that I'm really not sure about. If it was me, I would just host the font locally so I was sure.

1: https://github.com/google/fonts/issues/1495#issuecomment-382...


I liked the article, but have a lot of issues with it. This is one of my main ones: IP addresses and information security. Quoting you:

> Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.

How long is necessary? What does limited mean? Does a regulator now get to determine what sort of algorithms I can use to protect my assets? Advanced persistent threats (https://en.m.wikipedia.org/wiki/Advanced_persistent_threat) can exist over a very extended, and arbitrary, time period! I'm in the security software industry, and we and our customers need to detect and react to these threats. That requires data which you simply cannot obtain an opt-in for. Sure, you put that in a posted privacy policy, but if you can only keep the data for 30 days, this means actual evidence of a crime might need to be thrown out.


> How long is necessary?

As long as is needed for the stated purpose. If you're doing IP-based rate limiting with a 1 hour window, it probably doesn't need to still be in your systems >12 hours from now. If you're doing longer term IP reputation or something, keeping it around longer can probably be justified.

> What does limited mean?

The same. Long enough to serve its purpose, and no longer (without justifiable exception, such as being evidence of an actual crime, etc).

> Does a regulator now get to determine what sort of algorithms I can use

Not really, any more than they already do.

"Not guilty, Your Honour; you see, we do store people's HIV status against their real names on the public blockchain, but don't worry, it's ROT-13 encrypted! Twice!"

Also, remember that it's not really the IP that you care about (from a privacy perspective). An IP+timestamp is a very discerning selector, if you have any other data at all.

Nobody knows that '192.168.1.1' is actually me. And even if they did, does it really matter?

But maybe they know that only $IP hit /orders/confirm within 5 minutes of some other system recording that $ME placed an order with other details.

From a privacy standpoint, it's your ability to cross-correlate that IP and whatever else you know about it that could allow identifying and tracking/profiling the actual person using it.

Suppose your marketing dept asked you to scan the last few weeks of security logs to see if you'd had any hits from ranges belonging to $BIGCORP who you're in tense negotiations with? Is that Ok? Or would you refuse because the security logs are collected exclusively for certain purposes of which that isn't?
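The retention advice in this reply (a 1 hour rate-limit window, records that need not survive past 12 hours, a justified exception for evidence of a crime, and logs that are not served for purposes they were never collected for) and the earlier comment's rule of thumb (store an IP for a limited time, with written rules for use and deletion) can be turned into code. The following is an added illustration, not code from any participant in this thread: the limiter keeps an IP only while it has hits inside the window, a scheduled purge forgets idle IPs, and a per-purpose retention table plus a purpose check govern stored log records. The 30-day "ip_reputation" period, the record layout, the clock values and the sample addresses (from documentation ranges) are all constructed for the example; a real policy would have to justify its own figures.

```python
from collections import deque
from dataclasses import dataclass, field

# Retention period per stated purpose, in seconds. The 1 hour rate-limit window
# comes from the comment above; 30 days for IP reputation is an assumed
# placeholder, not a figure from the thread or from any regulator.
RETENTION_SECONDS = {
    "rate_limit": 3600,
    "ip_reputation": 30 * 86400,
}


@dataclass
class IpRateLimiter:
    """Sliding-window limiter that holds an IP only while it has hits in the window."""
    window_seconds: int = RETENTION_SECONDS["rate_limit"]
    max_hits: int = 100
    _hits: dict = field(default_factory=dict)  # ip -> deque of hit timestamps

    def _prune(self, ip, now):
        """Drop timestamps older than the window; forget the IP if none remain."""
        q = self._hits.get(ip)
        if q is None:
            return None
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._hits[ip]  # nothing in the window: no reason to keep the IP
            return None
        return q

    def allow(self, ip, now):
        """Record a hit and return True unless the IP exceeded max_hits in the window."""
        q = self._prune(ip, now)
        if q is None:
            q = self._hits[ip] = deque()
        if len(q) >= self.max_hits:
            return False
        q.append(now)
        return True

    def purge(self, now):
        """Scheduled cleanup: forget every idle IP; returns the set of IPs still held."""
        for ip in list(self._hits):
            self._prune(ip, now)
        return set(self._hits)


@dataclass
class LogRecord:
    ip: str
    ts: int
    purpose: str
    legal_hold: bool = False  # evidence of an actual crime: the justified exception


def apply_retention(records, now, policy=RETENTION_SECONDS):
    """Keep a record only while its stated purpose's period lasts, or under legal hold."""
    kept = []
    for r in records:
        if r.legal_hold:
            kept.append(r)
            continue
        limit = policy.get(r.purpose)  # unknown purpose: no basis to keep it
        if limit is not None and now - r.ts <= limit:
            kept.append(r)
    return kept


def select_for_purpose(records, requested_purpose, policy=RETENTION_SECONDS):
    """Refuse to serve the logs for a purpose they were never collected for."""
    if requested_purpose not in policy:
        raise PermissionError(
            f"security logs were not collected for purpose {requested_purpose!r}")
    return [r for r in records if r.purpose == requested_purpose]


def demo():
    """Constructed walk-through; returns the results so they can be checked."""
    now = 1_000_000  # constructed clock value, seconds
    lim = IpRateLimiter(max_hits=3)
    decisions = [lim.allow("203.0.113.7", now + i) for i in range(4)]  # 4th hit refused
    lim.allow("198.51.100.2", now)
    held = lim.purge(now + 13 * 3600)  # 13 hours later both IPs are forgotten

    records = [
        LogRecord("203.0.113.7", now - 7200, "rate_limit"),            # 2 h old: expired
        LogRecord("203.0.113.7", now - 600, "rate_limit"),             # 10 min old: kept
        LogRecord("198.51.100.2", now - 40 * 86400, "ip_reputation"),  # 40 days: expired
        LogRecord("198.51.100.2", now - 10 * 86400, "ip_reputation"),  # 10 days: kept
        LogRecord("192.0.2.9", now - 400 * 86400, "rate_limit", legal_hold=True),  # kept
    ]
    kept = apply_retention(records, now)
    try:  # the marketing department's competitor scan from the comment above
        select_for_purpose(kept, "marketing_competitor_scan")
        refused = False
    except PermissionError:
        refused = True
    return decisions, held, [(r.ip, r.purpose) for r in kept], refused


if __name__ == "__main__":
    print(demo())
```

The point of structuring it this way is that the retention table and the purpose check are the "rules in place" the earlier comment asks for: deletion happens because the stated purpose has lapsed, not because a fixed number of days felt right, and a query for a purpose not in the table fails closed rather than quietly reusing security data for something else.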


That is silly. IP addresses should not be covered. I should be able to keep IPs for years. They change often anyway.

IP addresses being covered is one of my big issues with GDPR.


What value do you get from keeping them for years? Are you actively analysing and re-analysing them for any particular purpose, or is it more of a 'well, you never know...' sort of deal?

"They change often" is arguably a good reason for not keeping them. What advantage do you get from knowing that 10 years ago $IP was sending you spam if it's been through 20 different re-allocations and tens of thousands of 'actual owners' since then?

Imagine if Google or Cloudflare were logging every single query to their public DNS and correlating it with other access logs or Google Analytics or whatever. They'd be able to relatively trivially deanonymise huge numbers of actual people's identities and browsing history (beyond what they can obtain already).


Then you're going to love HIPAA. That's a US law by the way.


> No-one can sue you now, that couldn't before.

That is not true. GDPR is a law, and in the past most EU countries did not have such stringent requirements. You couldn't be sued (Edit: I mean by the DPA).


My point is that you won't be sued for the GDPR. What might happen is that a complaint is raised with the regulatory body. This is not the same thing as being sued.


1) Respond to requests about removal of personal data, do not sell data, inform about data leaks and handle them, if outsourcing, check compliance.

2) Any item that is not legal there will be just void in court. You cannot be sued about an invalid legal policy, but only after breaking the law. The policies do not subsume law.

About the only thing you need to publish is which data is collected, how it is processed (and by whom if outsourced), for how long (if applicable) and how to remove it.

3) Uh, as usual complying to the law for PII handling?

4) Yes, if they are GDPR compliant. Make sure to put them in your privacy policy.

5) Yes, if the source is GDPR compliant.


1.) That "if outsourcing, check compliance" part isn't trivial, though. Some suppliers still don't provide data processing agreements. For example, as of now it seems like I won't be able to use DocuSign for digitally signing contracts anymore because they seem to not understand what the new law implies for them and consequently don't provide a DPA. The last time I checked, competitors didn't do so either. It's good that companies have to check their processes for privacy compliance, but if that disrupts a company's operations with no real remedy other than falling back to paper-based processes, that's definitely a problem (admittedly in this case not one that could be solved by legislative bodies).

3.) No, unfortunately it isn't that easy. Some people - lawyers even - argue that merely someone contacting you via email or handing you a business card doesn't necessarily constitute legitimate interest on your part to process their contact data for the purpose of contacting them in the future. I disagree with that opinion, but that people are even arguing about this shows that this isn't just business as usual.

5.) You could argue that this has the potential for breaking how the web has worked until now. If you now have to check for legal compliance first each time before merely linking to an external resource (because that might reveal the user's IP address), that simply doesn't scale. Linking to and drawing upon external resources arguably is what makes the web the web.


I think you asked these questions before; I think most of them can be answered without much ambiguity or implementation risk:

https://news.ycombinator.com/item?id=17073857


I think this lack of implementation clarity is definitely a problem, as it is with CE marking; the legislation sets out "principles", but there's a lot of interpretation that has to be done between those and specific real details.


>How will I be able to operate my small company website in the future in a legally compliant manner?

Maybe you shouldn't operate your company if you can't comply, then. The entire point of the GDPR is elevating privacy as a priority. If that means companies that can't or won't comply can't operate, so be it. People always claim to be pro-privacy, and that means putting privacy above commerce, in the same way that a restaurant that can't or won't meet safety and sanitation regulations shouldn't operate.


If safety and sanitation regulations were as heavy-handed as GDPR there probably wouldn't be too many restaurants.

The point of GDPR indeed is elevating privacy as a priority. Good intent however doesn't automatically entail that the implementation has been equally good.

The EU Justice Commissioner has only recently been quoted as saying that she herself could implement the rules required by GDPR. At the same time, the European Commission's very own website isn't even remotely GDPR-compliant. That's just arrogant and condescending.



