
    GDPR Resources

    IT Discussion
    Tags: gdpr, regulations
    105 Posts 7 Posters 12.1k Views
    • scottalanmillerS
      scottalanmiller
      last edited by

      So, real-world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

      How will sites that don't actually target EU citizens in any way possibly be able to comply with the law, given that they have not identified an EU citizen? Meaning, the GDPR includes all kinds of data, like locality and IP address, that under normal conditions can't be tied to a person or even to the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question comply if there is no way to associate the data collected with the GDPR request?

      If a company, like Facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

      KellyK 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        This doesn't answer my question, but seems like a useful high level list to keep in mind as to when GDPR must be honored for a take down, versus when it should only be considered: https://www.lexology.com/library/detail.aspx?g=1e15fd92-3b95-4b22-8a91-abb45c99f1fd

        1 Reply Last reply Reply Quote 0
        • KellyK
          Kelly @scottalanmiller
          last edited by

          @scottalanmiller said in GDPR Resources:

          So, real-world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

          How will sites that don't actually target EU citizens in any way possibly be able to comply with the law, given that they have not identified an EU citizen? Meaning, the GDPR includes all kinds of data, like locality and IP address, that under normal conditions can't be tied to a person or even to the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question comply if there is no way to associate the data collected with the GDPR request?

          If a company, like Facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

          If there is no association, it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, thrown around frequently on IT sites, is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding. If the IP address is associated with other data that falls under the regulation's protections, then it is also protected. There are also additional requirements before protections kick in if the address is a dynamic one (not sure how you're supposed to know that one easily). Reference: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @Kelly
            last edited by

            @kelly said in GDPR Resources:

            @scottalanmiller said in GDPR Resources:

            So, real-world question, since everyone will be subject to the GDPR presumably under the umbrella definitions used...

            How will sites that don't actually target EU citizens in any way possibly be able to comply with the law, given that they have not identified an EU citizen? Meaning, the GDPR includes all kinds of data, like locality and IP address, that under normal conditions can't be tied to a person or even to the EU. So should a GDPR request be received, how does a US company with no data about the EU person in question comply if there is no way to associate the data collected with the GDPR request?

            If a company, like Facebook, collects data on a specific EU citizen, this information cleaning process is simple to explain in human language. But for a site that just casually gets data from EU citizens without knowing that they are in the EU, that they are citizens, or even that they are real people and not bots... if an EU citizen wants data removed, but there is no known association of that data to the person, how will you address that scenario?

            If there is no association, it doesn't fall under the protections of GDPR. There is much FUD out there regarding GDPR. One of the popular ones, thrown around frequently on IT sites, is that logging an IP address that is in the EU requires GDPR protections. That is not the fullest understanding.

            Yes, that one I see very often, and it is definitely the most concerning of the ones that I have seen. Although I've seen and/or read it slightly differently: not that the IP originated from the EU, but that the IP was generated by an EU user.

            Example to explain what I mean: I am an EU citizen (I actually am) but am in the US (I actually am) and I go to your website. You now have an EU citizen's IP address in your logs.

            1 Reply Last reply Reply Quote 1
            • KellyK
              Kelly
              last edited by

              Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

              scottalanmillerS 1 Reply Last reply Reply Quote 1
              • scottalanmillerS
                scottalanmiller @Kelly
                last edited by

                @kelly said in GDPR Resources:

                Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues and the lack of regionality on the Internet, the bigger fear that I have of GDPR-like legislation is that it is trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market, making it costly or dangerous not to be a primary player with deep pockets on the Internet.

                KellyK 1 Reply Last reply Reply Quote 1
                • KellyK
                  Kelly @scottalanmiller
                  last edited by

                  @scottalanmiller said in GDPR Resources:

                  @kelly said in GDPR Resources:

                  Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                  I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues and the lack of regionality on the Internet, the bigger fear that I have of GDPR-like legislation is that it is trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market, making it costly or dangerous not to be a primary player with deep pockets on the Internet.

                  Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data, it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy-duty US regulation are probably only a few steps from GDPR compliance.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Kelly
                    last edited by

                    @kelly said in GDPR Resources:

                    @scottalanmiller said in GDPR Resources:

                    @kelly said in GDPR Resources:

                    Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                    I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues and the lack of regionality on the Internet, the bigger fear that I have of GDPR-like legislation is that it is trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market, making it costly or dangerous not to be a primary player with deep pockets on the Internet.

                    Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data, it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy-duty US regulation are probably only a few steps from GDPR compliance.

                    Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.

                    Take @gjacobse, who likes to do ham radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.

                    No way could any normal SMB handle SARBOX.

                    KellyK 1 Reply Last reply Reply Quote 1
                    • KellyK
                      Kelly @scottalanmiller
                      last edited by

                      @scottalanmiller said in GDPR Resources:

                      @kelly said in GDPR Resources:

                      @scottalanmiller said in GDPR Resources:

                      @kelly said in GDPR Resources:

                      Taking a step back from the cost of going from where we are to GDPR compliance, or the enforceability of the regulation on non-EU companies, I like the premise of GDPR. There is nothing in US law that even comes close to protecting the privacy of citizens. There may be overreach, and things that are impossible from a technical/cost perspective, but it is fundamentally a step in the right direction in my opinion.

                      I'll agree there. I like the premise. But I feel that it needs to be handled extremely carefully. Ignoring international issues and the lack of regionality on the Internet, the bigger fear that I have of GDPR-like legislation is that it is trivial for giant companies to implement but crippling for small ones. GDPR could quite easily be abused to keep small competitors from entering the market, making it costly or dangerous not to be a primary player with deep pockets on the Internet.

                      Have you read what has to be done to achieve compliance? It is expensive for a company to go from nothing to fully compliant. I will grant you that. However, from what I've read so far (could be missing some things due to ignorance here), if a company starts with it as their basis for handling data, it adds less than HIPAA or Sarb-Ox. I'm guessing that most companies that are already compliant with a heavy-duty US regulation are probably only a few steps from GDPR compliance.

                      Yes, but proper HIPAA or SARBOX are huge expenses that normal SMBs don't face. Those are things that only affect larger or specialized businesses. GDPR hits individuals.

                      Take @gjacobse, who likes to do ham radio as a hobby on the weekend. He spins up a website for his hobby. It's not a business, has no revenue, isn't intended to harvest and process data about anyone, but might get into a situation where simple free or personal or hobby sites are on the hook for potentially large overheads.

                      No way could any normal SMB handle SARBOX.

                      This thread has gone on a long time. I am tired of trying to explain GDPR. Your questions have helped me research deeper than I might have otherwise. I am grateful for that. If you have something substantive to contribute, with links so that we can all learn, I would welcome your input. However, I am done trying to explain things to you, @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Kelly
                        last edited by

                        @kelly said in GDPR Resources:

                        However, I am done trying to explain things to you, @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

                        Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

                        KellyK ObsolesceO 2 Replies Last reply Reply Quote 0
                        • KellyK
                          Kelly @scottalanmiller
                          last edited by

                          @scottalanmiller said in GDPR Resources:

                          @kelly said in GDPR Resources:

                          However, I am done trying to explain things to you, @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

                          Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

                          That was the point of this thread. I have posted a link to every single resource I have used to learn about it, with the exception of this one (now that I think about it): http://www.lockelord.com/newsandevents/publications/2017/12/are-we-covered.

                          1 Reply Last reply Reply Quote 0
                          • ObsolesceO
                            Obsolesce
                            last edited by

                            So what's the conclusion here?

                            Does this only affect US companies that target goods or services to EU member populations?

                            KellyK 1 Reply Last reply Reply Quote 0
                            • KellyK
                              Kelly @Obsolesce
                              last edited by

                              @obsolesce said in GDPR Resources:

                              So what's the conclusion here?

                              Does this only affect US companies that target goods or services to EU member populations?

                              Yes, but the targeting thing is fuzzy.

                              ObsolesceO 1 Reply Last reply Reply Quote 1
                              • ObsolesceO
                                Obsolesce @Kelly
                                last edited by Obsolesce

                                @kelly said in GDPR Resources:

                                @obsolesce said in GDPR Resources:

                                So what's the conclusion here?

                                Does this only affect US companies that target goods or services to EU member populations?

                                Yes, but the targeting thing is fuzzy.

                                You either sell physical goods to people/businesses in EU countries, or you don't. That's 100% clear to me. If you do, you most likely have financial-related information on them, in which case it seems likely GDPR applies.

                                That's what I'm thinking, but I'm not a lawyer and don't think it's up to me to determine which international laws apply to us and which ones don't, including compliance.

                                All I can do is familiarize myself with it enough so that when the lawyers and execs do figure it all out, I'll know what I can do to help the business with IT-related compliance solutions if or when required.

                                I do agree that there are other scenarios that aren't so 100% clear, as I've seen in earlier posts here.

                                1 Reply Last reply Reply Quote 0
                                • ObsolesceO
                                  Obsolesce @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in GDPR Resources:

                                  @kelly said in GDPR Resources:

                                  However, I am done trying to explain things to you, @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

                                  Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

                                  That makes sense though. I found a bunch more information here: https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

                                  But if a company is US-based (no physical or registered presence in the EU), can they even do anything about it? I would think not... unless they can somehow stop a US-based company from selling products or services there until some kind of fine is paid.

                                  KellyK 1 Reply Last reply Reply Quote 0
                                  • KellyK
                                    Kelly @Obsolesce
                                    last edited by

                                    @obsolesce said in GDPR Resources:

                                    @scottalanmiller said in GDPR Resources:

                                    @kelly said in GDPR Resources:

                                    However, I am done trying to explain things to you, @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

                                    Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

                                    But if a company is US-based (no physical or registered presence in the EU), can they even do anything about it?

                                    This was addressed in the thread: https://mangolassi.it/topic/16992/gdpr-resources/75.

                                    ObsolesceO 1 Reply Last reply Reply Quote 0
                                    • ObsolesceO
                                      Obsolesce @Kelly
                                      last edited by

                                      @kelly said in GDPR Resources:

                                      @obsolesce said in GDPR Resources:

                                      @scottalanmiller said in GDPR Resources:

                                      @kelly said in GDPR Resources:

                                      However, I am done trying to explain things to you, @scottalanmiller. Nothing personal. I like you as a person, and I respect your perspectives on many things, but how you're handling this conversation is wearing.

                                      Sorry, honestly trying to learn here. I guess there is a lot of information about GDPR that everyone knows that I just don't understand. But where is everyone learning so much about it?

                                      But if a company is US-based (no physical or registered presence in the EU), can they even do anything about it?

                                      This was addressed in the thread: https://mangolassi.it/topic/16992/gdpr-resources/75.

                                      Didn't see that.

                                      But, wow... I'm in complete agreement with SAM's reply to that. Wtf.

                                      1 Reply Last reply Reply Quote 1