Comments
-
@jultra not using any third party service providers without a ton of paperwork, encrypting all computers and all conversations, enforcing draconic security measures, deleting a ton of code that connects data from multiple sources, implementing methods to delete specific customer data from files attached in emails or anywhere else, implementing a way to offer upon request all saved data on a customer, taking extra steps when authenticating a customer via telephone with customer service, so you don't even say their name before you authenticate them, disabling database access to everyone, even data analysts and scientists, until a specific person pseudonymizes it.
And so on and so forth.
-
@jultra Unless he doesn't want to do all the things required of him by the new rules.
-
We've had this for years and years at my current job, because most of it is common sense and proper protocols/security measures haha
-
@AndSoWeCode Encrypt computers... That should be common sense as far as security goes...?
Also, define draconic security measures?
-
@linuxxx there are some old companies that use legacy software that won't work on new operating systems. Encrypting those computers is unstable and risky.
Draconic security measures:
I asked a legal consultant a few questions about GDPR, and basically whenever it says "ensures", it literally means taking every precaution necessary to make it impossible that, in this case, anybody moves data around unlawfully. That means that every workstation must be isolated as much as possible. Ex. no internet access, so that no worm gets downloaded, no screenshots are uploaded, no data is sent anywhere, intentionally or not.
I already worked in a privacy-crazed company. It was just impossible to work.
-
@AndSoWeCode Well, then they're not taking responsibility for their own security and that's bad imo.
Idk about the rest. I've asked our own expert on this, and the things he said we needed to get done to become compliant have already been implemented for ages (firewall on every system, hard disk encryption and so on, common sense stuff).
-
@linuxxx it's far more than just that.
It all depends on what you're actually doing. If firewalls and hard disk encryption and access rights is all you need, then consider yourself extremely lucky.
I know having old software is bad, but the reality of the situation is that nobody can replace it. Otherwise old banks would have long since migrated away from COBOL and their systems designed in the '80s. And if, in the case of banks, those systems were initially designed with top-notch security in mind, an old mom-and-pop shop that outgrew its amateurish infrastructure is a completely different situation.
Plus it's not only about the old, but about the new. Lots of businesses depend on their knowledge of their customers: what they react to and how well, and how to communicate with them most efficiently. The only way to get this information, however, will be illegal. To put it bluntly, it's illegal to identify the customers you want to send vouchers to by determining how many new customers they've brought.
-
@linuxxx then you have different flows of information inside the organization itself. For example customer support needs a list of customers that have priority, and list of blacklisted customers (for ex. who got the product then canceled the SEPA), to know to whom to reply first, or many other lists with all kinds of information to help them do the job better. Marketing needs a list of customers targeted for an e-mail campaign, or they're doing an A/B test and they requested 2 lists of names+e-mails. All of these flows happen in different systems, and they usually keep history. Then you have a data warehouse that has periodical snapshots of data for historization.
Being GDPR compliant means that 10 people will contact the company and request all their personal data deleted, and you'll have to go through 100 different data stores, with varying difficulty of querying or modifying them, and delete stuff. Or if they request all their data - go ahead and assemble it.
(next msg)
-
@linuxxx and if Connie from category management, when getting access to sales data, accidentally also gets access to the results of the marketing campaign that influenced those sales, with result data from those A/B tests, with some e-mails, then you're fucked.
It's not that we don't trust Connie. She's good with data, and we're the same organization, and there are clauses in the work contract about confidential information, so no actual harm done. It's not like she gives a crap about those e-mails anyway. But that is ILLEGAL according to GDPR.
The fact is, I have to delete HALF of the data integrations that I did, because it is now illegal to cross-process data from multiple sources.
This will effectively throw us back into the stone age of "Data driven company" era. And it will paralyze other departments because of other enumerated reasons.
Conclusion follows:
-
@linuxxx as a private individual I'm actually happy that I will have power to delete my info from nasty companies that needed an account just for me to see how shitty they are. I'm also happy that I can request, by law, all my info from, say, a hospital that I stayed in, or a bank, or whatever.
There are no added benefits with GDPR however.
Unfortunately I firmly believe that it is a product of paranoia and lack of any idea about how the Internet of the 21st century works and what its benefit is, and what it relies on. And this law will make things significantly worse, before, hopefully, a sane minded society will recognize that, hopefully before the EU becomes a weak useless economy while China takes over the world.