zlacker

[return to "GDPR: Don't Panic"]
1. mrleit+s2 2018-05-18 08:30:24
>>grabeh+(OP)
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU, and that that data cannot be handled as liberally as it has been before. Of course that's annoying from a business perspective, but from an individual's privacy perspective, it's fantastic.
2. thomas+tK 2018-05-18 15:44:39
>>mrleit+s2
It's not that it's annoying, it's that I literally cannot answer "are we GDPR compliant?". If you search for "GDPR IP address", you get a ton of different opinions. Do I need to sanitize logs? How does that fit in with the requirements for security compliance we are also subject to?

At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".

And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".

3. vladim+c82 2018-05-19 12:46:32
>>thomas+tK
GDPR fundamentally cannot tell whether storing IP addresses is OK, because it's the processing of personal data for a specific purpose that can be lawful or not, and there's an infinite number of possible processing purposes.

For example, if you're a CDN business, and naturally need to fight DDoS attacks, then storing exact IP addresses for all requests for a few weeks easily falls under "legitimate interest" (GDPR 6.1.f). On the other hand, if you're a political news site, then storing IP addresses and URLs for the purpose of determining the political preferences of people without their consent is very clearly illegal, taking into account that an IP address can often be static and so identify a specific person.

Yes, it means that you have some decisions to make yourself, and the regulator might disagree with your decisions, but that's true about pretty much every new law, no?
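The comment above frames the question as "which purpose, and for how long", not "IP addresses yes or no". The following is an added example, not code from any commenter in this thread, of what that looks like once it reaches the log pipeline: the same access log line is retained differently depending on the declared purpose. The log format, the purpose names (`ddos_defence`, `traffic_stats`, `session_correlation`), the 14-day retention window and the /24 and /48 truncation widths are all assumptions chosen for illustration; the sample log lines are constructed and use documentation address ranges.

```python
"""Purpose-bound handling of client IP addresses in web access logs.

Added example for this thread, not code from any commenter. The log format,
the purpose names, the 14-day retention window and the /24 and /48
truncation widths are all assumptions chosen for illustration.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed format: nginx/Apache "combined"-style line, client IP first.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed policy: exact IPs are kept only for abuse/DDoS defence, for 14 days.
DDOS_RETENTION = timedelta(days=14)


def truncate_ip(ip: str) -> str:
    """Drop the host part of the address (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC of the address: requests from one client can be correlated
    while the key is live, but the IP itself is not stored. Rotating the key
    (e.g. daily) and discarding old keys bounds how long that linkage lasts."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def process_line(line: str, purpose: str, now: datetime,
                 key: Optional[bytes] = None) -> Optional[str]:
    """Return the line as it should be retained for `purpose`, or None to drop it."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # unparsable line: do not retain what we cannot classify
    ts = datetime.strptime(m["ts"], TS_FMT)
    if purpose == "ddos_defence":
        # The exact address is needed to block or rate-limit, but only while
        # the request is recent enough to matter for that purpose.
        return line if now - ts <= DDOS_RETENTION else None
    if purpose == "traffic_stats":
        client = truncate_ip(m["ip"])  # no per-client identifier kept
    elif purpose == "session_correlation":
        if key is None:
            raise ValueError("session_correlation needs a pseudonymization key")
        client = pseudonymize_ip(m["ip"], key)
    else:
        raise ValueError(f"no handling defined for purpose {purpose!r}")
    return client + line[m.end("ip"):]


def sanitize_log(lines, purpose: str, now: datetime, key: Optional[bytes] = None):
    """Apply process_line to every line and keep only what survives."""
    out = []
    for line in lines:
        kept = process_line(line.rstrip("\n"), purpose, now, key)
        if kept is not None:
            out.append(kept)
    return out


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [18/May/2018:08:30:24 +0000] "GET /news/election HTTP/1.1" 200 5120',
    '2001:db8:1234:5678::1 - - [19/May/2018:12:46:32 +0000] "GET /about HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Apr/2018:10:00:00 +0000] "POST /login HTTP/1.1" 401 0',
]
# Assumed "current time" for the retention check.
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for purpose in ("ddos_defence", "traffic_stats", "session_correlation"):
        print(f"== {purpose}")
        for kept in sanitize_log(SAMPLE_LOG, purpose, SAMPLE_NOW, key=b"rotate-me-daily"):
            print(kept)
```

The code does not decide which purpose is lawful; that is the judgment the comment describes, and it has to be made before the pipeline is configured. What the code does is make the decision enforceable: a record held for DDoS defence expires rather than lingering, a record held for traffic statistics never carries a full address, and a pseudonymized record stays linkable only as long as the HMAC key exists. Whether a truncated prefix plus timestamp plus URL is still personal data depends on what else is kept alongside it, so the `traffic_stats` branch is a reduction in identifiability, not a guarantee of anonymity.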
