GDPR Resources

Kelly

@scottalanmiller said in GDPR Resources:

So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

How will sites that don't actually target EU citizens in any way be possibly able to comply with the law given that they have not identified an EU citizen. Meaning, the GDPR includes all kinds of data like locality and IP address, that under normal conditions can't be tied to a person or even the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question, comply if there is no way to associate the data collected with the GDPR request?

If a company, like facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

If there is no association it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, and thrown around frequently on IT sites is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding. If the IP address is associated with other data that falls under the regulation's protections then it is also protected. There are also additional requirements before protections kick in if the address is a dynamic one (not sure how you're supposed to know that one easily). Reference: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

So real world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

How will sites that don't actually target EU citizens in any way be possibly able to comply with the law given that they have not identified an EU citizen. Meaning, the GDPR includes all kinds of data like locality and IP address, that under normal conditions can't be tied to a person or even the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question, comply if there is no way to associate the data collected with the GDPR request?

If a company, like facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

If there is no association it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, and thrown around frequently on IT sites is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding.

Yes, that one I see very often and is definitely the most concerning of the ones that I have seen. Although I've seen and/or read it slightly differently. Not that the IP originated from the EU, but that the IP was generated by an EU user.

Example to explain what I mean: I am an EU citizen (I actually am) but am in the US (I actually am) and I go to your website - you now have an EU citizen's IP address in your logs.

Kelly

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

scottalanmiller

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

scottalanmiller

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.

Take @gjacobse who likes to do HAM radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.

No way could any normal SMB handle SARBOX.

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

Taking a step back from the cost of going from where we to GDPR compliance, or the enforce-ability of the regulation on non EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues, and the lack of regionality on the Internet, but the bigger fear that I have of GDPR-like legislation is that they are trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market. Making it costly or dangerous to not be a primary player with deep pockets on the Internet.

Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy duty US regulation are probably only a few steps from GDPR compliance.

Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.

Take @gjacobse who likes to do HAM radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.

No way could any normal SMB handle SARBOX.

This thread has gone on a long time. I am tired of trying to explain GDPR. Your questions have helped me research deeper than I might have otherwise. I am grateful for that. If you have something substantive to contribute with links so that we can all learn I would welcome your input. However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

scottalanmiller

@kelly said in GDPR Resources:

However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

Kelly

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

That was the point of this thread. I have posted a link to every single resource I have used to learn about with the exception of this one (now that I think about it): http://www.lockelord.com/newsandevents/publications/2017/12/are-we-covered.

Obsolesce

So what's the conclusion here?

Does this only effect US companies that target goods or services to EU member populations?

Kelly

@obsolesce said in GDPR Resources:

So what's the conclusion here?

Does this only effect US companies that target goods or services to EU member populations?

Yes, but the targeting thing is fuzzy.

Obsolesce

@kelly said in GDPR Resources:

@obsolesce said in GDPR Resources:

So what's the conclusion here?

Does this only effect US companies that target goods or services to EU member populations?

Yes, but the targeting thing is fuzzy.

You either sell physical goods to people/businesses in EU countries, or you don't. That's 100% clear to me. If you do, you most likely have financial related information on them, in which case, it seems likely GDPR applies.

That's what I'm thinking, but I'm not a lawyer and don't think it's up to me to determine which international laws apply to us and which one's don't, including compliance.

All I can do is familiarize myself with it enough so that when the lawyers and Execs do figure it all out, I'll know what I can do to help the business in IT related compliance solutions if or when required.

I do agree that there are other scenarios that aren't so 100% clear as I seen in earlier posts here.

Obsolesce

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

That makes sense though. I found a bunch more information here: https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

But if a company is US based (no physical or registered presence in the EU), can they even do anything about it? I would think not... unless they can somehow stop a U.S. based company from selling products or services there until some kind of fine is paid.

Kelly

@obsolesce said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

But if a company is US based (no physical or registered presence in the EU), can they even do anything about it?

This was addressed in the thread: https://mangolassi.it/topic/16992/gdpr-resources/75.

Obsolesce

@kelly said in GDPR Resources:

@obsolesce said in GDPR Resources:

@scottalanmiller said in GDPR Resources:

@kelly said in GDPR Resources:

However, I am done trying to explain things to you @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

But if a company is US based (no physical or registered presence in the EU), can they even do anything about it?

This was addressed in the thread: https://mangolassi.it/topic/16992/gdpr-resources/75.

Didn't see that.

But, wow... I'm in complete agreement with SAM's reply to that. Wtf.