All you literally have to do is tell people what you're doing and who has access to the data. It isn't that much more complicated -- it's literally just requiring you to communicate, which you should have been doing before.
No, it is more complicated. You don’t just need a consent form, you also need a later opt out form. You also need a mechanism for the person to request a copy of their data. Is the person in France or any one of the regions with enhanced GDPR legislation? If so, there are additional concerns. Is the person a child (note that the definition of child varies by region)? If so, there are additional concerns. Do you regularly analyze this data (for example, monitor your error logs)? If so, you need a DPO and all the complexity that comes with that.
No, you don't need a consent form. The GDPR does not require consent.
For example, you don't need consent to store server logs with IP addresses if all they're used for is security and auditing. You don't need consent to archive receipts and invoices if you need to do that for tax purposes, even though those are full of PII. You don't always have to let people opt out of that, either!
That's called legitimate interest, and did you know you have it?
If the person might be a child then the rules have been complex and obtuse since forever. You might need a DPO for regulatory compliance, much in the same way you might need an accountant.
> That's called legitimate interest, and did you know you have it?
You can’t just claim legitimate interest, you need specific, up-to-date legal documentation in the form of an impact assessment.
> You might need a DPO for regulatory compliance, much in the same way you might need an accountant.
Exactly! All I’m saying is (much like accounting) GDPR compliance is not easy or simple or something you can spend fifteen minutes on and be done. GDPR compliance is complicated. I’m not saying it’s bad, but I am saying that (contrary to some of the comments here) you can’t just say “Oh, I have consent or legitimate interest so GDPR is solved”.
You totally can, until someone challenges you and proves you don't; otherwise, common sense applies. A storage unit might have a legitimate interest in keeping license plate numbers but an ad company probably doesn't.
As with most things in law, there is no black-and-white. Just use your brain. If you feel like you can stand up to a judge and defend it with a straight face and no mental gymnastics, you're probably golden.
source: implemented GDPR in 2018 at a multi-national company and worked with attorneys around Europe.
While I agree with your points, I should say that for the absolute vast majority of sites and businesses out there GDPR is trivial and amounts to "don't collect PII data, and don't sell it to third parties".
A handful of businesses with their hands in multiple pots may have more trouble.
The GDPR says none of that. If it does, I'd love to read that section because I've never read it before. It just says you have to say who you're selling it to and how you're using it.
It's basic human shit. If I lend you a book and you lend it to one of your friends, I'd expect you to let me know, _before_ I ask you for it back. This is basic human decency (I think?). This law was enforcing basic human decency that companies seem to have forgotten along the way.
For an actual business, no, it's not 15 minutes, but for a small business it's more like a couple of days once, and for a medium business it's a few days every quarter.
Basically, you need to sit down and figure out:
1. What data are you storing,
2. What are you doing with it and who you are giving it to,
3. Is it personally identifiable information,
4. Why are you storing it and do you really have to.
Yes, the GDPR's intent is to force businesses to think about that. For a lot of businesses the answers to those questions are actually quite simple.