There is no such regulation. We're a B2B French company, based in Paris, and there's only one user interface language (English) that even our French customers have to use. Even for B2C, there are no language regulations.
For public and almost-public organizations, there is a regulation: you can communicate in exactly one language (French) or at least three languages (usually these will be English and German).
On the other hand, trying to sell to the average French person will require a French translation, and the same is probably true for most other EU countries if you wish to improve your chances ("have a translation in that language" is likely in the top 5 of improvement suggestions for a new market). 300 million people sharing the same language is a boon, especially for B2C or B2SMB.
Those 300 million people also share similar culture, likely speeding up adoption through word of mouth.
Since I mostly consume English, US-centric media, I wonder how high the marketing effect even outside the US is for services that launch in the US first.
The last heavily trafficked site I worked on wouldn't perform an A/B test unless they could experiment with tens of thousands of daily active users. The experiments would last 2-3 weeks to gain statistical significance. A page usually had a 70/30 control experiment split.
The challenge is gaining statistically significant data. I think it is easier for an early-stage company to talk to their customers versus going through the time of a split test.
I interpreted it the same way too. It looks like Elon Musk and Mark Zuckerberg wrote those summaries. It is blurring the lines between prototype and product.
I got tired of executive doublespeak. The company made lots of promises during recruitment that never materialized. It has made me super aware of the importance of culture. I haven't found any full-time positions that fit me yet. In the meantime, I am taking a break from corporate life and freelancing.
I find it hard to feel sorry for her. This is what happens when you only live in the moment. Going to grad school out of the country is exciting. However, doing it without any research on your loans was dangerously impulsive. She didn’t state the reasons, but I would guess it was to impress or stay with friends.
I lost all sympathy when she decided to live in one of the highest cost-of-living cities in the world. It is a simple choice. Delay satisfaction or live outside your means. She displayed a consistent pattern of living outside her means. Don’t be surprised when you realize that you’re not rich and these actions have consequences.
"When I was 18, I fully believed that taking out student loans was the only way to achieve my dream and my parents’ dream for me — to transcend my working class upbringing."
Congratulations on the launch. Some constructive criticism. Give your website some design love. It doesn't look like a company website. It looks like a side project right now. If I came across this site on my own I wouldn't even think about entering my credit card info.
I hope this doesn't come across as too harsh. I sincerely wish you the best!
I am guessing the pitch went "It is like Uber for code review" /s
Seriously though, I am curious if the quality will remain high as they scale. I wish them luck. I would bet one of the big players acquires them within 1-2 years.
This article [1] explains an important distinction between backups and archives.
"Backups exist in case information is accidentally destroyed. Backups should cover all information, but each one only needs to be kept for a short time: essentially however long it will take the organisation to discover the destruction. … Archives, by contrast, involve long-term storage of the organisation's history."
It concludes that it's probably not necessary to delete data from a backup — just keep a record of what requests for deletion were made, in the rare event that restoration from a backup is necessary.
And avoid storing personal data in archives, or else split it out by-person, so it can be deleted if required.
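The "keep a record of deletion requests and apply it on restore" approach from the post above, as an added example that is not code from the linked article or the commenter. It assumes a constructed customer backup and an erasure ledger stored outside the database being restored (otherwise the ledger would be rolled back together with the data):

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ErasureRequest:
    subject_id: str        # the data subject the request concerns
    received_at: datetime  # when the request came in
    reference: str         # ticket reference, kept for audit


# Constructed sample data (not from the thread): a backup taken on
# 1 March and a ledger of erasure requests kept outside the backup.
BACKUP_TAKEN_AT = datetime(2024, 3, 1, tzinfo=timezone.utc)
BACKUP_RECORDS = [
    {"subject_id": "c-1001", "email": "alice@example.org", "orders": 3},
    {"subject_id": "c-1002", "email": "bob@example.org", "orders": 1},
    {"subject_id": "c-1003", "email": "carol@example.org", "orders": 7},
]
ERASURE_LEDGER = [
    # Received after the backup: the backup legitimately still holds c-1002.
    ErasureRequest("c-1002", datetime(2024, 3, 10, tzinfo=timezone.utc), "SAR-42"),
    # Received before the backup: c-1003 should already have been erased,
    # so its presence in the backup is an anomaly worth investigating.
    ErasureRequest("c-1003", datetime(2024, 2, 20, tzinfo=timezone.utc), "SAR-37"),
]


def replay_erasures(records, ledger, backup_taken_at):
    """Apply every ledger entry to a freshly restored record set.

    Returns (surviving_records, applied_references, anomalies). Every
    request in the ledger is replayed regardless of its date: a request
    older than the backup whose subject still appears means the original
    erasure was never carried out, and is reported rather than ignored.
    """
    by_subject = {req.subject_id: req for req in ledger}
    surviving, applied, anomalies = [], [], []
    for rec in records:
        req = by_subject.get(rec["subject_id"])
        if req is None:
            surviving.append(rec)   # no erasure request on file: keep
            continue
        applied.append(req.reference)  # dropped from the restored set
        if req.received_at < backup_taken_at:
            anomalies.append(req.subject_id)
    return surviving, applied, anomalies


if __name__ == "__main__":
    kept, done, odd = replay_erasures(BACKUP_RECORDS, ERASURE_LEDGER, BACKUP_TAKEN_AT)
    print(len(kept), "records kept; replayed", done, "; anomalies:", odd)
```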
I’m not so sure about that. Multiple other vendors have implemented or are in the process of implementing GDPR-aware backups: EMC/Dell allows you to flag records that will be purged from your backups, and Microsoft is implementing pseudoanonymous backups for SQL.
Sure, if your backup is only weekly or monthly until the next full one it might not be an issue, but many companies keep full backups that span years and even decades.
Just one more point of data: the GDPR doesn’t actually define a difference between a backup and an archive.
The article you’ve mentioned is essentially an untested legal argument that you may use in court if something happens or if the regulator audits you.
But all of these arguments have not been tested yet in court, and there is a lot of contradictory advice on essentially every part of the GDPR even at the most reputable levels (at this point ask the top 5 law firms in the UK and you’ll get 7 opinions).
I'm not a lawyer, but that seems like it is open to too much interpretation. I feel like these laws only hurt the little guy. I can't even imagine all of that data that companies pass through third parties, like analytics services. It will be interesting to see how it all shakes out.
Fortunately, I don't have to deal with it any time soon since I don't currently do business in the EU.
Larger companies are much more used to dealing with regulatory requirements.
They have huge legal teams and can hedge their risk and they have a relationship with the regulators.
Legacy software is actually a huge plus for the GDPR. Currently people might laugh at companies that run MSSQL or Oracle, but all the major storage and backup solution vendors support record-level backups for the database, which means that it's easy to purge or anonymise a purged record. It also means that dealing with backups is now a turnkey solution from the likes of EMC.
A small company that runs on a flavor-of-the-week DB and uses tarsnap for backup might have a much harder time figuring out what is what.
Heck, there are plenty of small companies that have an IT team of like 2-3 people that handle personal data for 100,000s of people, and they might not even know where all of their backups are.
"How sure are you that that Seagate drive in the back of the closet doesn't have a copy of your database from 2 years ago?"
And most importantly small companies don't have the resources nor the knowledge on how to handle information requests under the GDPR.
I laughed about the idea of launching a "handling the information requests as a service" platform, if I were crazy enough to come up with a way to actually make it work under the GDPR.
When I think of the GDPR, what I see is potentially a lot of companies getting screwed over because they don't know any better, as regulation of this extent has usually only involved giants.
Say you are a company of 15-20 people and you get a letter like this: https://www.linkedin.com/pulse/nightmare-letter-subject-acce... What are you going to do? Do you have a data protection and a privacy officer? Probably not, so now it's another hat that someone in your company needs to wear, and I really pity the person who'll take this level of legal responsibility on themselves without having the right background, training, support and, more importantly, time.
While this letter might not be pleasant, such a letter would be a breeze for many large companies. I work for a US financial institution (based in the UK).
This isn't any different from some letters we might get from a regulator or a customer/partner, and there is essentially a production line overseen by both in-house and external legal counsel.
There is a CIO, and there are privacy officers and compliance officers and champions in each department / team. The entire process is essentially automated in an internal ticketing system which will go through a pre-defined workflow and invoke the right people and automated resources (e.g. data discovery). Heck, for like 90% of those questions we would have premade answers, signed off by compliance and legal, that are maintained up to date.
If you work for a small company and you don't have all these processes set up, and you don't have legal counsel, I really feel bad for you; this isn't something that you can just wing.
These large legacy companies have been working on their GDPR compliance for years. Any company with a risk department with a pulse would've kicked off a steering committee / SWAT team in March of 2014 as soon as the initial draft was passed, and kicked into full gear in 2016 when the final version was approved, if not earlier.
I'm willing to bet you that there is a non-negligible number of small companies that hadn't done anything as of April 2018, and many more whose GDPR preparation was having a few dev/devops folks sit through a webinar.
I'm really hoping that neither the former nor the latter is the case for you, but in case your statement "Sure, there is some hassle but we’ll be able to adjust with a few weeks of work." wasn't tongue-in-cheek, you have less than 50 days to prepare as the GDPR comes into effect on the 25th of May.
> If you work for a small company and you don't have all these processes set up, and you don't have legal counsel, I really feel bad for you; this isn't something that you can just wing.
But that is exactly the point. If a smaller company does not have the resources (both costs and competence) for something like this, then they should not be handling personal data at all. How would the same excuse sound if they don't have the resource to even secure personal data? Being too small is simply not a valid excuse.
At a medium-sized company, every single engineer received an hour’s worth of training on GDPR, and teams were created to oversee implementation and compliance since 2016. GDPR definitely benefits big companies.
I imagine it is a non-linear graph. A really small company can probably assign someone to go through the backups, unpack them, delete the user, and re-backup everything mostly by hand. I assume a small company also means less data here. A medium-size company that has more customers and more data collected might be at a bigger disadvantage: not big enough to have a dedicated team on this task, and not big enough for a large legal department, but big enough to be swamped by requests and not process them in time, and so on.
It's not that simple because there isn't a single type of small company.
Let's take 2 examples:
1) A small startup that has 20 employees, has been around for say 2 years, and likely has been serving a fairly small number of customers for a fairly limited amount of time, say 6-12 months.
They are both technically capable and small enough to maybe adapt without breaking too many laws.
2) A small retailer/speciality trader with 8 employees that has been in business for 30 years, has digitized records from the 90s, has been taking orders via the phone for that duration, and has had a computerized ordering system since the mid-90s.
They operate their own website on some ecommerce platform and do all the books, accounting and billing in house via some SMB accounting software, e.g. Sage Books/Accounts/50 etc.
Over those 30 years they might have collected information from 10,000s or even 100,000s of individuals.
Number 2 is the real problem, because these types of companies outnumber the tech bootstrapped startups what, 100 to 1? 10,000 to 1? And there are plenty of small businesses that never really grow beyond their immediate market but still are successful enough to remain in business for decades.
On May 25th I can send a Subject Access Request letter to my fucking dry cleaner and they will be legally obliged to handle it within no later than one month; if that isn’t a kicker then I don’t know what is.
The right to demand deletion has actually been the law for several years now. I run a small online retailer with a few thousand customers. In 10 of business, I’ve seen one or two such requests. It takes about half a minute to anonymize the data we store.
Most lawyers seem to be advising the opposite, though, and say that backups are ok - do you have some knowledge here, or are you arguing the spirit of the law?
Backups are fine because they are short-lived. You obviously have a reasonable amount of time to implement a request for deletion, say a week or two.
If you are keeping year-old “backups”, that’s actually an archive. The difference shouldn’t be too difficult to understand, because year-old data is obviously useless if you have to restore your database.
It really depends on your reasons for retaining the backups in the first place.
GDPR forces you to be able to articulate why you collect or process regulated personal data.
If you provide a service that collects or processes data for fair and transparent purposes, you'll be ok.
Under Article 17, the right of erasure, you're only obligated to delete upon request of the data subject, and only in certain circumstances, the most common being:
- If the data are no longer necessary for the purposes for which they were collected
- If the legal basis for the processing was based solely on consent and no other legal basis exists
- If the processing was based on the balancing test of your "legitimate interests" outweighing the data subject's interests or fundamental rights and freedoms (such as for security or availability), the data subject objects, and your interests don't override theirs
- If you are processing for direct marketing and the data subject objects at all
If you're a SaaS provider and they are necessary to meet your availability commitments to your customers, and you can document that necessity, then you're probably going to be able to retain them even if the data subject objects. Data subjects' rights are not absolute.
If you're retaining the data for marketing, or based on consent alone, you're going to have to delete them or have a very good excuse for not doing so. If you don't have a great reason, you should probably delete them anyways, or better yet avoid collecting the data in the first place ('data minimization,' Article 5(1)(c)).