Re: Is this forum prepared for the GDPR?

euphoric said...

I appreciate you doing the work, Greg!

Me too! Thanks Greg!

jimcbrown said...

Can we start a wiki page for this? The policy part.

ghaberek said...

Done. See GDPR.

ChrisB said...

The GDPR Wiki page is very good. Appreciate the effort that's gone into this.

Seconded.

ghaberek said...

What I'm saying is that, by choosing to sign up for a website, an individual is volunteering some of their personal information to that site. I don't ever expect to get that privacy back, and that's what GDPR is requiring that data controllers do.

I guess there are two ways to look at it. From a technical perspective, you are right. You can't unring a bell or unscramble an egg - or be unintroduced to a person.

However, from a moral perspective, maybe we should have that right to get our privacy back. You can't really undo the volunteering of personal information, but the legal fiction of it is still worth pursuing. Much like you can't stop theft everywhere, but by making it illegal and enforcing penalties against it you can go a long way to making the situation better overall.

ghaberek said...

So if we haven't got any "establishments" in any "member states" (of the EU) then we shouldn't need to assign a "supervisory authority" so I don't think we have to notify anyone. But we might just need to make the breach public? Maybe, I guess? Or notify some regulatory authority in the EU?

This is why I'm so fed up with this whole thing: a lot of it is vague and doesn't provide a lot of detail about how non-member states should actually comply.

Agreed. It would be a lot better if there was a helpdesk that was available 24/7, free to call, never busy, and their answers were legally binding (at least to the extent that the regulatory agencies couldn't fine us later for following that advice) - so if we follow their advice then we know we're good.

I think I better understand now why it's frustrating on a practical level. Morally, I think it's still a great idea - but a little help on the implementation of it would be nice.

euphoric said...

Email and IP address could be, and we can encrypt those.

So, encryption of stored emails and IP addresses will suffice to make us compliant.

Sadly, no.

https://gdpr.report/news/2017/07/31/gdpr-summit-london-5-common-gdpr-myths-debunked/ said...

Myth 5: Our company uses pseudonymisation and encryption to protect personal data, so that should be enough for GDPR purposes.

Fact: Pseudonymisation and encryption are advised, however, that is still not enough to comply with the upcoming regulation.

euphoric said...

However, if you want to spend the resources to get compliant, go for it!

I'm not saying, "Don't do it." I'm saying, "We don't have to."

That's a reasonable position.

ghaberek said...

I appreciate that, but at this point I'm confident we have to. Jimcbrown and ABC certainly seem to agree, given we're having this conversation.

Seconded.

euphoric said...

I did the research and commented based on what I found. Here's an example, from Forbes:

"The organization would have to target a data subject in an EU country. Generic marketing doesn't count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply."

Just because someone in the EU comes to our site, doesn't automatically mean we fall under the jurisdiction of EU legislation. And, it seems we do not engage in behavior that would make us fall under their jurisdiction.

I think it's reasonable that we encrypt all the data we collect, simply to keep it safe in the case of a breach. But, beyond that, it's just red-tape that doesn't apply to us.

A Security Firm's Take

The problem is that this contradicts what you'll find elsewhere. It seems that even the lawyers can't agree here.

https://gdpr.report/news/2017/07/31/gdpr-summit-london-5-common-gdpr-myths-debunked/ said...

Myth 1: We're a US based company so the GDPR doesn't apply to me.

Fact: GDPR will impact every business that touches the personal data of EU citizens, including businesses that don't collect the information themselves. So even if you are a non-EU company and you deal with EU citizens' data you will also have to comply.

I tracked this down to a discrepancy in the GDPR law itself (which requires that everyone outside of the EU who handles EU citizen's personal data to comply) and the draft of the GDPR guidance rules: https://privacylaw.proskauer.com/2017/06/articles/privacy-law/gdpr-compliance-update-which-government-authorities-have-issued-official-gdpr-guidance/

The guidance is more lenient and creates an exception for those who are not targeting data subjects in the EU. But the guidance is also non-binding, meanwhile the literal law itself has no such exception.

A lot of people seem to expect that the guidance will be followed anyways, but there is some risk here. Better to play it safe.
