The 25th of May: Towel Day, celebrated since 2001, and, as of today, GDPR, the EU regulation on data protection. I would start with the phrase on the cover of The Hitchhiker's Guide to the Galaxy:
It's not going to be bad. It will certainly be challenging for some of us, but it's not going to be a big problem. In short, GDPR says only this: you have to…
- know where personal data is stored and keep it secure,
- publicly explain why you store personal data and how you use it,
- ask your users first,
- respond to requests to get or delete all data about your users,
- and automatically delete old data you don't need.
(Use the GDPR checklist, for example, if you need a more precise list.)
It's not bad, or is it?
To me it looks like common sense. Usually you hardly need to do anything. Many of those restrictions have been in force for a long time. GDPR only brings a few new things, such as:
- it applies to all companies processing data in the EU,
- it brings high penalties (but only for big companies, and anyway you will get a notice and time to become compliant with the law!),
- consent has to be clear (until now it could be hidden in the legal terms),
- and the right to be forgotten, together with data portability.
In the end the only real problem is the last point, the right to be forgotten, as it comes with some technical challenges. A typical company can simply deploy a form, for example GDPR Form, and process incoming requests manually.
The only issue is for bigger companies with technology like Kafka or blockchain, where historically user e-mails or other personal information were stored instead of some random hash, or with backups on tapes or other backups where the backup files cannot be changed.
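As an added example (not the post's own code), one way to keep an append-only store like a Kafka topic compatible with the right to be forgotten: the log stores a random token instead of the e-mail, and the token-to-e-mail mapping is kept in a separate mutable store, so erasure means deleting the mapping. The class names and the sample addresses below are constructed for the illustration.

```python
import secrets
from typing import Dict, List, Optional

# Constructed example: an append-only event log (think of a Kafka topic) keeps
# only a random per-user token, and the token-to-e-mail mapping lives in a small
# mutable store. Honouring an erasure request then means deleting the mapping;
# the records that can never be rewritten no longer identify anyone.


class PseudonymStore:
    """Mutable mapping token <-> e-mail: the only place the PII lives."""

    def __init__(self) -> None:
        self._by_email: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def token_for(self, email: str) -> str:
        # Issue a fresh random token on first sight. A plain hash of the e-mail
        # would not do: anyone holding a list of addresses could recompute it.
        token = self._by_email.get(email)
        if token is None:
            token = secrets.token_hex(16)
            self._by_email[email] = token
            self._by_token[token] = email
        return token

    def email_for(self, token: str) -> Optional[str]:
        return self._by_token.get(token)

    def forget(self, email: str) -> bool:
        """Right to be forgotten: drop the mapping; returns whether it existed."""
        token = self._by_email.pop(email, None)
        if token is None:
            return False
        del self._by_token[token]
        return True


class AppendOnlyLog:
    """Stand-in for an immutable topic or ledger: records are only appended."""

    def __init__(self) -> None:
        self._records: List[dict] = []

    def append(self, store: PseudonymStore, email: str, action: str) -> None:
        # The log never sees the e-mail itself, only the token.
        self._records.append({"user": store.token_for(email), "action": action})

    def records_for(self, token: str) -> List[dict]:
        return [r for r in self._records if r["user"] == token]
```

After `forget()`, the events for that token are still in the log but no longer link to a person, and a returning user gets a fresh token rather than their old history.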
Companies have to fix how they process personal data, and I think that's a good thing, as security is very hard and complex and privacy is very important. We have many leaks. It's good to bring strict rules with high penalties so the Internet can be more secure and support privacy.
Let me ask you a question: would you like it if a restaurant had a dirty kitchen? Of course not, and there is a law to protect you.
Another question: would you be pleased if companies could track any information about you without your knowledge and share it with anybody? For example your mobile operator and the history of where you have been? Well, they do that. GDPR is the one giving us the right to know and to be in charge of our personal data.
Until now companies have been like “How much data can we trick people into giving us? We'll figure out how to use it later!”, and now that is no longer accepted, thanks to GDPR.
One important note: when a company starts to block EU citizens because it is not able to be compliant with GDPR, it means they are doing something very wrong and that service should be avoided from any part of the world. Because if even companies like Google can be compliant…
Let's end with a joke:
“Do you know some expert on GDPR?”
“Cool, can you give me his contact?”
And, of course, DON'T PANIC!