
Comments on "GDPR: Don't Panic"
1. Bjoern+m6 2018-05-18 09:15:39
>>grabeh+(OP)
There's certainly no need to panic. The article doesn't address that apart from mindless hysteria there are some very real issues with GDPR. It doesn't have to of course because as the title suggests it's more about dispelling panic than about giving concrete advice.

However, many real-life problems seemingly haven't even been considered by legislative bodies. In GDPR support forums questions like these have been routinely asked in recent months and there isn't always a clear, dependable answer:

- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider shutting down their websites completely and - of all things - only using a Facebook page in the future. Hence, ironically we might very well see GDPR actually benefiting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.

- How exactly does a privacy policy have to be worded so I don't get sued on day 1?

- In which way will I still be able to store address data for contacting my existing customers?

- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.

- Can I still load resources like Google Fonts from CDNs or do I now have to host those myself?

2. gnud+J8 2018-05-18 09:42:23
>>Bjoern+m6
Run your small company website without gathering personal data?

No one can sue you now who couldn't before. I'm baffled that so many people believe this. I could complain about you to my country's regulatory body. Then they could decide to audit you, and for a first offense issue a warning.

If you need the address data for marketing only, and you didn't get an explicit (opt-in) yes to receive marketing, then sorry. Get that explicit opt-in yes in the next week, or delete the data.

If you need the address data for other reasons, for example fulfilling your contract with the customer, or tax records, then keep it. But _only use it for those real reasons_. No free marketing lists. Sorry.

Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.

Google seems to think you can still use Fonts. They also seem to think that they will be the data controller, and not data processor, for any user data they scoop up [1]. This seems a bit weird to me. This is the only one of your questions that I'm really not sure about. If it was me, I would just host the font locally so I was sure.

1: https://github.com/google/fonts/issues/1495#issuecomment-382...

3. halr90+sn 2018-05-18 12:41:41
>>gnud+J8
I liked the article, but have a lot of issues with it. This is one of my main ones: IP addresses and information security. Quoting you:

> Storing an IP for a limited time for security reasons is fine. Have rules in place for how this data is used and when it is deleted. Don't keep it longer than necessary.

How long is necessary? What does limited mean? Does a regulator now get to determine what sort of algorithms I can use to protect my assets? Advanced persistent threats (https://en.m.wikipedia.org/wiki/Advanced_persistent_threat) can exist over a very extended and arbitrary time period! I'm in the security software industry, and we and our customers need to detect and react to these threats. That requires data which you simply cannot obtain an opt-in for. Sure, you put that in a posted privacy policy, but if you can only keep the data for 30 days, this means actual evidence of a crime might need to be thrown out.
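One way to reconcile the retention rule in comment 2 (keep IPs only for a limited time, with explicit rules for use and deletion) with the long-horizon correlation need raised in comment 3, as an added Python example that is not code from this thread or any project: raw IPs are kept for a short window, then replaced by a keyed pseudonym that still lets repeat activity be matched for a longer window, then dropped. The day counts, the HMAC key and the log lines are assumptions constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Retention schedule (assumed values, not from the thread): raw IPs are kept
# for RAW_DAYS, then replaced by a keyed pseudonym that survives until
# PSEUDONYM_DAYS so long-running incidents can still be correlated, then dropped.
RAW_DAYS = 30
PSEUDONYM_DAYS = 365

# Constructed sample log lines: "<ISO timestamp> <client IP> <request>".
SAMPLE_LOG = """\
2018-05-10T08:00:00Z 203.0.113.7 GET /login
2018-04-01T12:30:00Z 203.0.113.7 POST /login
2017-03-01T00:00:00Z 198.51.100.23 GET /admin
"""

def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed, non-reversible replacement for an IP. The same IP maps to the
    same token under the same key, so repeated activity can still be matched
    without retaining the raw address. Rotating the key breaks linkability."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "ip:" + digest[:16]

def apply_retention(log_text: str, now: datetime, key: bytes) -> list:
    """Return the lines that may still be kept at time `now`, with raw IPs
    replaced by pseudonyms once they are older than RAW_DAYS."""
    kept = []
    for line in log_text.splitlines():
        ts_text, ip, rest = line.split(" ", 2)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - ts
        if age > timedelta(days=PSEUDONYM_DAYS):
            continue                        # past retention: delete the record
        if age > timedelta(days=RAW_DAYS):
            ip = pseudonymize_ip(ip, key)   # keep correlation value, drop raw IP
        kept.append(f"{ts_text} {ip} {rest}")
    return kept

if __name__ == "__main__":
    now = datetime(2018, 5, 18, tzinfo=timezone.utc)  # assumed "today" for the run
    for line in apply_retention(SAMPLE_LOG, now, b"rotate-me-quarterly"):
        print(line)
```

Running it with the constructed clock keeps the 8-day-old line raw, pseudonymizes the 46-day-old one, and drops the line from 2017.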
