15

Raise your hand if your ready for the GDPR on the 25th may.

Raise your glass if your getting shitfaced so you don't have to think about how many ways you're not.

Comments
  • 4
    Meh, I've always been gdpr compliant. It's easy. Don't share user data. Make sure that you have a delete account option.

    Done?
  • 1
    @olback you don't share any data at all? Do you have users express opt in permission to store their data?
  • 2
    @seraphimsystems no, who would I share it with and why? I don't do anything with any user data.
  • 0
    I have no idea what GDPR is about but yeah, I guess I'm fine ¯\_(ツ)_/¯
  • 3
    I've said it before, but gdpr is one of the best things to happen in quite a while from a consumer point of view!

    From a dev point 't of view, it enforces good practices, most of them we should have been doing already
  • 1
    It's an ugly implementation but it's compliant. That's all that counts.
  • 4
    I'm going to raise my glass, and pray to the productivity god we don't receive any deletion request or asked to prove how we obtain consent. Or any of the other tricky question I couldn't even answer because we are a very small company.

    People who say they are gdpr compliant either work in big company with means to do it, imposed crazy process to them already, or don't have a clue about the gritty details.

    It's not only about not sharing data and being able to delete accounts. Not even close.

    Though as a consumer, I'm going to love the GDPR. It's going to be priceless to send mails asking how the hell marketers obtained my mail for a company I never heard of and watch them struggle.
  • 0
    @olback do you collect *any* user data?
  • 1
    @Fradow yeah, it's the documentation trail that will be the downfall of most SME getting in trouble after gdpr activates.
  • 0
    @seraphimsystems nope, not more than the user enters manually. Like username, password and other fields depending on the service.
  • 1
    @olback depends on the "other fields", but for example if you have real name, email or IP, then yes, you do have user data. Just because they enter it themselves and voluntarily doesn't mean you are exempt.

    Off the top of my head you need to:

    - obtain consent in a provable way if it's not data required for the proper functionning of your service

    - allow them to delete it

    - make sure you don't use it for another way than you obtained consent for (for example, don't send marketing mails if they didn't opt-in)

    - have a privacy policy that states what you have and how you use it

    - secure the data (GDPR doesn't say how)

    - be able to document what you did to secure the data

    - be able to document how you used the data, and who had access to it

    Obviously, I'm not a lawyer, this might not be accurate and you should read up the GDPR and consult with a lawyer if necessary.

    Just that for an email you might ask? Well, yes, that's what's written in the GDPR.
  • 1
    @Fradow don't forget you have to be able to manage /ongoing/ consent... Support objections to processing, restrictions to processing.

    And all of this has to be documented...

    Oh you use Amazon AWS or S3? that's a third party, how do you deal with data being processed by that third party.

    Oh your emails are on office 365 in the cloud? Now Microsoft is another 3rd party.
  • 1
    Where I work we've been compliant for years haha. Every needed protocol/procedure is written down for obvious reasons and we can delete data as needed.

    We don't sell any data as my boss finds that totally unnecessary and very bad privacy wise and next to that, it's not our business model at all.

    Let them come!
Add Comment