Security quotes of the week
Posted Oct 26, 2018 11:14 UTC (Fri) by anselm (subscriber, #2796)
In reply to: Security quotes of the week by pizza
Parent article: Security quotes of the week
None of those are "purely personal or household activities."
But many of them don't require you to deal with other people's personal data at all, and even those that do generally won't involve your building up massive Facebook-style profiles of your users or sharing their personal data with third parties.
For example, if you operate a mailing list then all the personal data you need to deal with are people's e-mail addresses and possibly one string per user that they designate as their “name”. You don't need to share that data with anyone else. This means that your mandatory privacy statement etc. will be quite brief.
If you operate a web site where you “talk about your commercial consulting or photography efforts”, then unless you have some sort of commenting facility for users the only thing to watch out for are client IP addresses which your web server might log. Again, not a big deal; most web servers support a facility that will truncate or otherwise de-personalise client addresses in their log files. (If your “photography efforts” include publishing portraits of people then you need to make sure that the people in question are OK with this, but that would be required even without the GDPR.)
And so on. Of course if you deliberately invite other users to contribute to your site in some fashion then there are more i's to dot and t's to cross, but even that is not exactly rocket science.
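The log truncation mentioned in the comment above, as an added example (not part of the thread and not any web server's built-in facility): a Python filter that zeroes the host part of the client address in Common/Combined Log Format lines. The /24 and /48 prefix lengths, the function names and the sample lines are assumptions made for the illustration.

```python
import ipaddress
import re

# Assumed prefix lengths (not from the thread): keep /24 of IPv4, /48 of IPv6.
V4_PREFIX, V6_PREFIX = 24, 48

# In Common/Combined Log Format the first field is the client host.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.S)

def truncate_address(host: str) -> str:
    """Zero the host bits of an IP address; anything unparsable becomes '-'."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
        # Dual-stack servers may log IPv4 clients as ::ffff:a.b.c.d;
        # treat those as IPv4 so the last octet is really removed.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return str(net.network_address)
    except ValueError:
        # Reverse-resolved hostname or junk: drop it rather than keep it.
        return "-"

def scrub_line(line: str) -> str:
    """Return the log line with only its client-address field rewritten."""
    m = _FIRST_FIELD.match(line)
    if not m:
        return line  # empty line: nothing to scrub
    return truncate_address(m.group(1)) + m.group(2)

# Constructed sample lines (documentation address ranges, not real clients).
SAMPLE = [
    '203.0.113.57 - - [26/Oct/2018:11:14:00 +0000] "GET / HTTP/1.1" 200 512\n',
    '2001:db8:abcd:12:face:b00c:1:2 - - [26/Oct/2018:11:14:01 +0000] "GET /a HTTP/1.1" 200 90\n',
    '::ffff:198.51.100.77 - - [26/Oct/2018:11:14:02 +0000] "GET /b HTTP/1.1" 404 0\n',
    'host.example.net - - [26/Oct/2018:11:14:03 +0000] "GET /c HTTP/1.1" 200 7\n',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub_line(entry), end="")
```

Such a filter only helps if the untruncated log is never written to disk, for example by piping the server's log output through it.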
Posted Oct 26, 2018 13:26 UTC (Fri)
by pizza (subscriber, #46)
It doesn't matter if I have no intention of sharing data, or how much "personal" data I (intentionally or otherwise) accumulate. The threshold is *any* data, and the simple fact of the matter is that running any sort of public-facing service will result in accumulating at least some "personal" data (even if just incidental in the process of providing the service) that falls under the purview of the GDPR.
This doesn't include the likes of email logs/archives, and bug tracking -- where "personal data" is routinely sent to me (unsolicited!) by random folks, many of whom do reside in the EU.
Don't get me wrong, I generally agree with the stated intent of the GDPR, but the devil is in the details.... And there are a *lot* of details.
Posted Nov 1, 2018 9:14 UTC (Thu)
by richard77 (guest, #117898)
> personal data at all, and even those that do generally won't involve
> your building up massive Facebook-style profiles of your users or
> sharing their personal data with third parties.
The purpose is not to punish random small websites.
Or, if you prefer, you could look at it this way: lwn.net does not have big resources and they surely process a lot of personal data of EU nationals, and it looks like there were no notable issues with GDPR.
On the other hand, multiple US newspaper websites blocked traffic from the EU because their business model relies heavily on data harvesting.