zlacker

[return to "GDPR: Don't Panic"]
1. Bjoern+m6[view] [source] 2018-05-18 09:15:39
>>grabeh+(OP)
There's certainly no need to panic. The article doesn't address that apart from mindless hysteria there are some very real issues with GDPR. It doesn't have to of course because as the title suggests it's more about dispelling panic than about giving concrete advice.

However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:

- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically we might very will see GDPR actually benefitting companies like Facebook at the detriment of small companies that consequently won't have complete ownership of their content anymore.

- How exactly does a privacy policy have to be worded so I don't get sued on day 1?

- In which way will I still be able to store address data for contacting my existing customers?

- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.

- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?

◧◩
2. Astral+E7[view] [source] 2018-05-18 09:30:17
>>Bjoern+m6
1) Respond to requests about removal of personal data, do not sell data, inform about data leaks and handle them, if outsourcing, check compliance.

2) Any item that is not legal there will be just void in court. You cannot be sued about an invalid legal policy, but only after breaking the law. The policies do not subsume law.

About the only thing you need to publish is which data is collected, how it is processed (and by whom if outsourced), for how long (if applicable) and how to remove it.

3) Uh, as usual complying to the law for PII handling?

4) Yes, if they are GDPR compliant. Make sure to put them in you privacy policy.

5) Yes, if the source is GDPR compliant.

◧◩◪
3. Bjoern+N9[view] [source] 2018-05-18 09:53:15
>>Astral+E7
1.) That "if outsourcing, check compliance" part isn't trivial, though. Some suppliers still don't provide data processing agreements. For example, as of now it seems like I won't be able to use DocuSign for digitally signing contracts anymore because they seem to not understand what the new laws implies for them and consequently don't provide a DPA. The last time I checked competitors didn't do so either. It's good that companies have to check their processes for privacy compliance but if that disrupts a company's operations with no real remedy other than falling back to paper-based processes that's definitely a problem (admittedly in this case not one that could be solved by legislative bodies)

3.) No, unfortunately it isn't that easy. Some people - lawyers even - argue that merely someone contacting you via email or handing you a business card doesn't necessarily constitute legitimate interest on your part to process their contact data for the purpose of contacting them in the future. I disagree with that opinion but that people are even arguing about this shows that this isn't just business as usual.

5.) You could argue that this has the potential for breaking how the web has worked until now. If you now have to check for legal compliance first each time before merely linking to an external resource (because that might reveal the user's IP address) that simply doesn't scale. Linking to and drawing upon external resources arguably is what makes the web the web.

[go to top]