
Wow you mean a free service can do a better job of GDPR compliance than the endless and nagging popups the other sites put out there?

Almost sounds like the annoying popups are in spite and not out of need



Of course, it's trivial for a system that retains very little personal data (and really shouldn't be storing any) to comply with GDPR.

Besides the obvious "less data, fewer problems" angle there's also the bureaucracy angle - last time I worked on GDPR compliance I got stuck in the middle of a fight with security (who wanted to store all the data forever), the legal team specifically in charge of figuring out what's in scope for GDPR, and another more generic legal team (this one was the worst - they had no idea what the system does and ignored any attempts at explaining it, plus they kept pushing for unrelated, often contradictory retention changes).


We did have some talks with a lawyer about security (in particular logs) and the general consensus was that as long as they are stored explicitly for that purpose and only that purpose it isn't a problem, they just have to be properly secured.

Logs like that fall under 6.1.b-f, basically "making sure a malicious actor can't fuck with the site" overrides needing to get permission to process that. Again, if they are used ONLY for that and are stored securely.

Same reason why security footage (which also falls under GDPR) doesn't need consent, only information visible at the property entrance informing who is processing that info.


A non-profit service should be expected to have better compliance than a service which has a strong monetary motivation to exploit users' data as much as possible and thus comply with privacy requirements as little as possible.


Compliance with GDPR is extremely easy: just don't gather PII in the first place.

And if you want to gather data it's also not too hard, just ask for it and tell the user exactly what you're going to do with it.

It's when you want to cajole the user into agreeing to gathering way more data than they would consent to if someone explained the extent to them plainly, and to send it to a bunch of 3rd parties too, that's where the difficulty starts and you have to use the blackest of black techniques to cheat the user while still being technically compliant with the law.


GDPR compliance is (IMO) very difficult. PII is defined so broadly that it’s near impossible to avoid gathering it, and there are so many stipulations and gotchas and regional requirements and changing guidance about how you must handle it that you essentially need legal help to navigate it.

For example, does your company have employees? Congrats, their HR files (and anything else with their name on it) are covered under GDPR. But you can’t just get consent to handle their data here, since they’re employees and there’s a power mismatch. Instead, you need to rely on the “legitimate interest” clause, which requires specific legal documentation on impact analysis that must be kept up-to-date.

Or another example: if your error logs contain IP addresses, that’s PII and subject to all the complexities of GDPR handling. Even in the absence of logging, I’m not sure a plain web server with all logging off isn't subject to GDPR given how broad the legislation is - after all, it has to process PII (IP address) to send responses, and GDPR covers any system that “uses” PII.

To be perfectly clear, I’m not saying this is bad, but I am saying it’s complicated and not just as simple as “just don’t gather data” or “just get consent”. It’s not easy, you probably need a lawyer’s help.


All you literally have to do is tell people what you're doing and who has access to the data. It isn't that much more complicated -- it's literally just requiring you to communicate, which you should have been doing before.


No, it is more complicated. You don’t just need a consent form, you also need a later opt out form. You also need a mechanism for the person to request a copy of their data. Is the person in France or any one of the regions with enhanced GDPR legislation? If so, there are additional concerns. Is the person a child (note that the definition of child varies by region)? If so, there are additional concerns. Do you regularly analyze this data (for example, monitor your error logs)? If so, you need a DPO and all the complexity that comes with that.


No, you don't need a consent form. The GDPR does not require consent.

For example, you don't need consent to store server logs with IP addresses if all they're used for is security and auditing. You don't need consent to archive receipts and invoices if you need to do that for tax purposes, even though those are full of PII. You don't always have to let people opt out of that, either!

That's called legitimate interest, and did you know you have it?

If the person might be a child then the rules have been complex and obtuse since forever. You might need a DPO for regulatory compliance, much in the same way you might need an accountant.


> That's called legitimate interest, and did you know you have it?

You can’t just claim legitimate interest, you need specific, up-to-date legal documentation in the form of an impact assessment.

> You might need a DPO for regulatory compliance, much in the same way you might need an accountant.

Exactly! All I’m saying is (much like accounting) GDPR compliance is not easy or simple or something you can spend fifteen minutes on and be done. GDPR compliance is complicated. I’m not saying it’s bad, but I am saying that (contrary to some of the comments here) you can’t just say “Oh, I have consent or legitimate interest so GDPR is solved”.


> You can’t just claim legitimate interest

You totally can, until someone challenges you and proves you don't; otherwise, common sense applies. A storage unit might have a legitimate interest in keeping license plate numbers but an ad company probably doesn't.

As with most things in law, there is no black-and-white. Just use your brain. If you feel like you can stand up to a judge and defend it with a straight face and no mental gymnastics, you're probably golden.

source: implemented GDPR in 2018 at a multi-national company and worked with attorneys around Europe.


While I agree with your points, I should say that for the absolute vast majority of sites and businesses out there GDPR is trivial and amounts to "don't collect PII data, and don't sell it to third parties".

A handful of businesses with their hands in multiple pots may have more trouble.


The GDPR says none of that. If it does, I'd love to read that section because I've never read it before. It just said you have to tell who you're selling it to and how you're using it.

It's basic human shit. If I lend you a book and you lend it to one of your friends, I'd expect you to let me know; _before_ I ask you for it back. This is basic human decency, (I think?). This law was enforcing basic human decency that companies seem to have forgotten along the way.


> The GDPR says none of that.

It quite obviously says that. That is literally the whole purpose of the law.

> This law was enforcing basic human decency

The law has nothing to do with human decency or book lending


Where does it say that? You're just spreading misinformation at this point.


For an actual business, no, it's not 15 minutes, but for a small business it's more like a couple of days once, and for a medium business it's a few days every quarter.

Basically, you need to sit down and figure out:

1. What data are you storing?
2. What are you doing with it and who are you giving it to?
3. Is it personally identifiable information?
4. Why are you storing it and do you really have to?

Yes, the GDPR's intent is to force businesses to think about that. For a lot of businesses the answers to those questions are actually quite simple.


Does your company collect data on the sexual orientation of its employees? Then check with a lawyer. If you are collecting the name, contact information, work phone number, banking information, personal identification, then all those are covered under the legitimate interest of job description, salary, and legally required insurance policies. HR policies which do not involve job description, do not involve salaries, and do not involve legally required policies such as insurance might require GDPR.

Logs containing IP addresses are exempted from GDPR for anything related to security. Processing the logs for purposes other than security requires the complexity of GDPR handling. It is the purpose that defines the complexity, not the logs.

PII is defined so broadly, but so are its exceptions. Employers first have to know a bunch of tax law and employment regulations related to employing people, and those do require specific legal documentation on impact analysis that must be kept up-to-date. People who do not do this cannot employ people, or risk breaking the law (especially tax law).


> Logs containing IP addresses are exempted from GDPR for anything related to security

They aren't exempted, they fall under legitimate interest.


Technically they fall under Recital 49 of the GDPR, with the unofficial title of "overriding legitimate interest", and not under the general paragraphs of legitimate interest. Security is explicit and spelled out in the regulation.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.
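The recurring point in the comments above (logs with IP addresses are fine when kept only for security, and it is the purpose of processing that brings in the GDPR complexity) is easiest to see as a purpose-limited log pipeline. The following is an added example, not code from any commenter or project: it splits each access-log line into a security copy that keeps the raw address under a fixed retention, and an analytics copy that keeps only a truncated network and a keyed pseudonym. The log lines, the 30-day retention and the HMAC key are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format; not from any real server.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 401 512
2001:db8::1 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumption: how long the security copy (with raw IPs) is kept before deletion.
SECURITY_RETENTION = timedelta(days=30)


def truncate_ip(ip: str) -> str:
    """Coarsen an address to its network (/24 for IPv4, /48 for IPv6) so the
    analytics copy no longer pins down a single host."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonym(ip: str, key: bytes) -> str:
    """Keyed HMAC of the address: lets analytics count distinct clients without
    storing the address itself. Rotating the key breaks linkage to old records."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def split_log(text: str, key: bytes, now: datetime) -> dict:
    """Return {'security': [...], 'analytics': [...]}; only the security records
    carry the raw IP, and each one records when it must be deleted."""
    security, analytics = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than stored verbatim
        rec = m.groupdict()
        security.append({**rec, "purpose": "security",
                         "delete_after": (now + SECURITY_RETENTION).isoformat()})
        analytics.append({"client": pseudonym(rec["ip"], key), "net": truncate_ip(rec["ip"]),
                          "req": rec["req"], "status": int(rec["status"]), "purpose": "analytics"})
    return {"security": security, "analytics": analytics}
```

Everything that needs the raw address (abuse investigation, blocking) reads the security store; anything else reads the analytics store, which never had the address.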


You can’t just claim legitimate interest, you need specific, up-to-date legal documentation in the form of an impact assessment.


Your issue with gdpr is its worker protections?

You’d be comfortable with services publicly sharing IP/geoip details of its private users?



