Why do you think GDPR is some boomer with filofaxes thing?
I'm young enough to be born at about the introduction of the original Mac and have worked with ecom for a long time now and GDPR from my perspective is an excellent law with the exception of some lacklustre enforcement.
Our clients all cleaned out their already collected data, they implemented deletion, and extraction/change-on-request by customers, they limited their tracking and data collection among many other things.
Not only was it an immediate privacy win for their customers, it made further development easier because we did not have to deal with as much data, and it also protects the clients in the event of a data breach since there is less customer data to lose.
> Why do you think GDPR is some boomer with filofaxes thing?
I handle the GDPR compliance for my company so I've had to get stuck into the topic. Once you start actually trying to apply the various definitions and rules to the real world, they quickly break down. Examples:
1. The core concept in GDPR, personal data, is defined sloppily: "data relating to an identifiable natural person". It doesn't work because "relating to" is a hand-wave. Your name is obviously personal data, but (according to mainstream legal interpretation) so are IP addresses, despite the fact that people do not have IP addresses, network interfaces do.
2. Personal data is not defined in terms of the context in which it appears, which is crucially important. If I have the text "John Smith" in a database in a column called "name" and it actually relates to a person called "John Smith", that's clearly personal data. But what if someone uses my platform to spin up a VM with the hostname "johnsmith" - is that personal data? According to my lawyers, the answer is "maybe". I know lawyers have a tendency to be like that, but the law itself shouldn't leave the question open.
3. The construction of the law is poorly thought-out and leads to silly contradictions, e.g. if you have someone's personal data and you are told to stop processing it, you must stop processing it. But storage, erasure and transmission are all classed as processing, and it's logically impossible not to do at least one of these things.
All that being said, I'll repeat that I fully agree with GDPR's objectives and I think its real-world impact is positive. I just wish more people who understand how computers work had been involved in drafting it.
> so are IP addresses, despite the fact that people do not have IP addresses
And car registration numbers and passport numbers and street addresses are also personally identifiable information despite the fact that people do not have those either. Just like IP addresses. This is a good thing.
> Personal data is not defined in terms of the context in which it appears
This is a good thing because it closes a dozen loopholes and allows good-faith actors to remain on the right side of the law without much effort.
> if you have someone's personal data and you are told to stop processing it, you must stop processing it. But storage, erasure and transmission are all classed as processing, and it's logically impossible not to do at least one of these things
This just shows a poor understanding of the law, or you are just hand-waving things you have no knowledge about. This is not how the GDPR works. At all.
> And car registration numbers and passport numbers and street addresses are also personally identifiable information despite the fact that people do not have those either. Just like IP addresses
The analogy doesn't work. A passport number is always "of" a person, because passports are issued to people. An IP address is often (even usually, for IPv4) far removed from an individual. Also see M95D's response above: "no it's not". You're confident that there's a good reason why an IP address is personal data and he's confident it's not personal data. This is what I mean when I say it's a poorly-written law.
> This is a good thing because it closes a dozen loopholes and allows good-faith actors to remain on the right side of the law without much effort.
Fair enough; in my opinion, ambiguity and hand-waving in legislation is too high a price to pay, and is also unnecessary. It's literally their job to codify the rules rigorously.
> This just shows a poor understanding of the law, or you are just hand-waving things you have no knowledge about. This is not how the GDPR works. At all.
I know my example isn't a real contradiction (and see also M95D's response in which he points out how the rules actually apply). I'm giving an example of language and terminology in the law which is on its face confusing and sloppy.
> 1. The core concept in GDPR, personal data, is defined sloppily: "data relating to an identifiable natural person". It doesn't work because "relating to" is a hand-wave. Your name is obviously personal data, but (according to mainstream legal interpretation) so are IP addresses, despite the fact that people do not have IP addresses, network interfaces do.
No, it's not, unless you have logs or database records that link the IP address to a person (such as a login from that IP). And I bet you do, that's why it bothers you.
> 2. Personal data is not defined in terms of the context in which it appears, which is crucially important. If I have the text "John Smith" in a database in a column called "name" and it actually relates to a person called "John Smith", that's clearly personal data. But what if someone uses my platform to spin up a VM with the hostname "johnsmith" - is that personal data? According to my lawyers, the answer is "maybe". I know lawyers have a tendency to be like that, but the law itself shouldn't leave the question open.
Users can leave data that identifies them in various places. Sometimes they do it intentionally, sometimes not. It's your job to warn them and obtain consent.
> 3. The construction of the law is poorly thought-out and leads to silly contradictions, e.g. if you have someone's personal data and you are told to stop processing it, you must stop processing it. But storage, erasure and transmission are all classed as processing, and it's logically impossible not to do at least one of these things.
> No, it's not, unless you have logs or database records that link the IP address to a person (such as a login from that IP). And I bet you do, that's why it bothers you.
Nope, the scenario in which this came up for me was about keeping IP addresses in a blacklist in a firewall. No logs or linking or anything.
> Users can leave data that identifies them in various places. Sometimes they do it intentionally, sometimes not. It's your job to warn them and obtain consent.
If it's my job to obtain individuals' consent to process their personal data in contexts where they have no business putting personal data, the law is poorly-designed.
Thanks for the info and links, that's genuinely useful. For the record I know my example isn't a watertight logical gotcha; it's an example of how GDPR's language is (IMHO) imprecise and unhelpful.