So... GDPR.
And the deadline.
And I have no idea what to do.

What does it mean for one-man indie projects? Data protection officers? Companies? Controllers? Processors? EU employees? Argh.

Look, please, EU. Not everyone can afford to hire an entire team for this, when their current team is literally one person.

Yes, the GDPR is probably a step in the right direction, but I think I'll just stop collecting the data altogether.

(All data I collect is just user settings stored in a database, nothing more.)

Can someone point me in the right direction?

Comments
  • 1
    If it's only settings then you aren't affected, but you probably have basic personal data, like the name or birthdate, right?
    Then you have to allow the user to delete, see and stop the collection of the personal data.
  • 7
    It basically boils down to:

    - don't collect data you don't need
    - ask permission to collect the data you do need
    - allow data remove requests etc
    - take appropriate data security measures, what is appropriate depends on what data you keep

    If you do those 3, which to me are basic guidelines... you'll have no problem with GDPR from what I heard...
  • 1
    @joykill You also must be able to see which data is stored.
  • 2
    ICO have a brilliant guide which is easy to understand for people who aren't experts in this field. I work in data protection in health care and almost always refer to this when I'm queried about changes by colleagues: https://ico.org.uk/for-organisation...
  • 2
    @FilipeRamalho you also have to document what you do with the data; if it leaves you for any reason you have to know where and why and how *they* deal with it, but it's a one-time document for basic data users.
  • 1
    By no means does GDPR forbid data collection :) it's just that every piece of data you collect must serve some clearly defined purpose [what are you going to use it for] and the customer can either agree to provide you his info for that particular purpose or not.

    Also, word about GDPR was spread around over a year ago. There was more than plenty of time to implement this compliance change :) not trying to step on a sore here.. just saying.
  • 1
    I wouldn't worry too much; I don't think many companies are following GDPR to the letter yet.
  • 2
    @Autism420 dealing with this at a code level isn't a huge deal. Not that hard to make non-asshole design for data storage and privacy.

    What OP is referring to is the overhead involved with legal proceedings. It's way more than what people have said here, which just goes to show how little it's understood: there wasn't even a good guidelines page until a little over a month ago, and the language is super vague and non-technical for legislation that has a large technical impact. Sure, privacy is great, but GDPR really screws over small businesses and one-man teams that weren't doing anything malicious with the data to begin with and collect data to conduct their business (e.g. a dog walker needs personal info to walk dogs, and now has to be GDPR compliant!).

    A few more things to consider (not exhaustive):
    - cookie banners
    - if you use email marketing or newsletters you may need users to opt in again (check online whether your original opt-in is sufficient)
    - update your privacy policy accordingly