
Anyone else here who needs to deal with GDPR on the software level? I'll go nuts until we're compliant in every aspect.

I've been developing a consent library for the last few days. It even automatically links expressions of explicit consent to current screenshots of the relevant forms (because you need to do that too), and past records are immutable. Well, unless the whole database gets fucked somehow, then it's not.

Comments
  •
    @DLMousey DB schema doesn't matter. There's a lack of proper resources so read the ones for marketing people. There are a couple good checklists out there.

    For consent now I'm storing: date, subject matter of consent, given or declined, screen (reference to a stored screenshot with some meta about the form at the time of the action), was explicitly given or implicitly assumed (latter is rarely applicable but could happen).

    For each user, there's a history of these actions that can only be appended to, and the last entry decides if they consent to the given thing or not at any given time.

    Consent is freely given, informed and explicit, and can be taken back as easily as given. For example, if you have a sign-up form that has a pre-ticked box for receiving marketing emails, that's bad. If you have yes/no without pre-selection, and you describe what the offering is, that's good.
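    The append-only, last-entry-wins history described in this comment, as an added illustration (this is example code, not the commenter's library). The field names follow the comment (date, subject, given/declined, screen reference, explicit vs. implied); the SHA-256 hash chain that links each record to the previous one is an assumption added here so that edits to "immutable" past records are at least detectable, and the sample records are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    """One consent action. frozen=True makes the Python object read-only."""
    recorded_at: str   # ISO-8601 UTC timestamp of the action
    subject: str       # what was consented to, e.g. "marketing_email"
    given: bool        # True = consent given, False = declined or withdrawn
    screen_ref: str    # reference to the stored screenshot + form metadata
    explicit: bool     # True = explicitly given, False = implicitly assumed
    prev_hash: str     # digest of the previous record (assumed hash chain)

    def digest(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class ConsentHistory:
    """Append-only consent history for a single user."""
    GENESIS = "0" * 64  # prev_hash of the very first record

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def append(self, subject: str, given: bool, screen_ref: str,
               explicit: bool = True, recorded_at: Optional[str] = None) -> ConsentRecord:
        """The only write operation: a new record is linked to the current head."""
        prev = self._records[-1].digest() if self._records else self.GENESIS
        rec = ConsentRecord(
            recorded_at or datetime.now(timezone.utc).isoformat(),
            subject, given, screen_ref, explicit, prev,
        )
        self._records.append(rec)
        return rec

    def status(self, subject: str) -> Optional[bool]:
        """Latest entry for a subject decides; None means never asked."""
        for rec in reversed(self._records):
            if rec.subject == subject:
                return rec.given
        return None

    def records(self) -> Tuple[ConsentRecord, ...]:
        return tuple(self._records)

    def verify(self) -> bool:
        """Walk the chain; any rewritten record breaks the link after it."""
        prev = self.GENESIS
        for rec in self._records:
            if rec.prev_hash != prev:
                return False
            prev = rec.digest()
        return True


def build_example_history() -> ConsentHistory:
    """Constructed sample: user opted in to marketing email, then withdrew."""
    h = ConsentHistory()
    h.append("marketing_email", True, "screenshot:signup-form-v3",
             recorded_at="2018-05-25T09:00:00+00:00")
    h.append("marketing_email", False, "screenshot:preferences-v1",
             recorded_at="2018-06-01T14:30:00+00:00")
    return h


def tamper_first_record(history: ConsentHistory) -> ConsentHistory:
    """Simulate someone rewriting stored data: flip the first record's answer."""
    first = history.records()[0]
    forged = replace(first, given=not first.given)
    tampered = ConsentHistory()
    tampered._records = [forged] + list(history.records()[1:])
    return tampered


if __name__ == "__main__":
    h = build_example_history()
    print("marketing_email consent:", h.status("marketing_email"))  # False
    print("chain intact:", h.verify())                               # True
    print("tampered chain intact:", tamper_first_record(h).verify())  # False
```

    The chain only detects changes to records that have a successor; to catch a rewrite of the latest record (or removal of the tail) the head digest would have to be stored somewhere the database writer cannot reach, which is a separate design decision.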
  •
    @DLMousey what do you mean about reconstructing the data? That's new for me. Of course you need to reconstruct your data because your system uses it 😀 do you have a resource on what that means?
  •
    @DLMousey I think that's for pseudonymized data, so if you do that to make parts of your data go outside of the regulation, it shouldn't be possible to reconstruct PII from it. Because that would mean it's not really pseudonymized.