zlacker

[return to "GDPR: Don't Panic"]
1. Stream+Y 2018-05-18 08:14:03
>>grabeh+(OP)
Exactly. People try to explain to me how it is impossible to comply and usually it turns out that it would be easy. I think the problem most of the time is that people are misunderstanding the requirements or not reading GDPR (not even TLDR versions).
2. merino+m1 2018-05-18 08:18:37
>>Stream+Y
It is easy if they believe a particular person's interpretation. But that doesn't mean they are right. People have huge problems with interpreting the written word if it is not written without room for interpretation, and if you add to the mix bureaucrats that have targets to meet, you'll see it will not be easy at all.
3. willva+E1 2018-05-18 08:21:48
>>merino+m1
Am in EU, am involved in some compliance stuff and have talked to plenty of others at other companies, and it really does seem to be a nothing-to-see-here for all companies except the sleazy ones.
4. hvidga+u2 2018-05-18 08:30:42
>>willva+E1
In all of my research, talking to lawyers, and seminars on GDPR, it is about:

1. Ask permission for collecting data

2. Keep sensitive data safe

3. Restrict access to said data

4. Keep a log of what happens with the data

5. Delete it upon request

6. Have all of the above documented and adhere to the protocol.

It's such a non-issue unless you're relying on the very thing GDPR is designed to combat. If you're not collecting and selling people's data, and you don't do the above already, see this as a good opportunity to do what you should have been doing all along. There is such an awareness now that it's the easiest it has ever been to know how to handle sensitive data properly.

5. willva+R2 2018-05-18 08:33:42
>>hvidga+u2
Completely agree with everything you list, and would add that 6. you can't force a user to give up privacy in order to get some other benefit, e.g. you can't offer to unlock some feature in return for more tracking
6. merino+y6 2018-05-18 09:17:02
>>willva+R2
Example: How do you ask a user for permission to log access logs (which contain IP address) in the server, so that you can detect spam, DDoS and other attacks? How do you store that consent information and what do you do if the user doesn't consent? What do you do if a user connecting from a given IP address wants you to send him the data you have collected about him? If people share IP addresses, how do you know which log data is about which person?
7. DanBC+T8 2018-05-18 09:43:27
>>merino+y6
> How do you ask a user for permission

Why do you think permission is required?

8. merino+aE 2018-05-18 14:58:47
>>DanBC+T8
Because that is personal information that is being stored and processed.
9. DanBC+7w1 2018-05-18 22:07:50
>>merino+aE
https://ico.org.uk/for-organisations/guide-to-the-general-da...

https://gdpr-info.eu/art-6-gdpr/

> Processing shall be lawful only if and to the extent that at least one of the following applies:

Consent is one:

> the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Here are all the others (see especially the last one):

> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

> processing is necessary for compliance with a legal obligation to which the controller is subject;

> processing is necessary in order to protect the vital interests of the data subject or of another natural person;

> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
