"You'd like to keep this data from this forever? Certainly! Now if your business unit is committing to GDPR responsibility for maintaining this data, we'll notify the DPO and ... oh, you want to delete it? Done. Cheers!"
I am enormously pleased to say that the techies in our organisation are absolutely onside with this, even as it will be work. Because it's clearly the correct idea.
Your comment here is useful for the general HN reader, but the author may have been correct not spelling it out for his intended audience.
It will likely mean some development work as well, as we are going to need a reliable, auditable way of wiping data.
Despite it making work for us, all I can say is: about damn time.
One step we've had to take is to stop using copies of the live database in our dev environments (I suspect that practice is fairly common!). Instead we've built an automated rule-based system that produces 'munged' copies of the data (i.e. realistic size and type, but with no useful information), transferring that to our build and dev systems nightly - and reporting on what steps have been taken.
Shameless plug - we're also in the process of building plugins for platforms like Wordpress[1] to simplify some of this for smaller projects.
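A minimal version of the rule-based munging described above, added here as an illustration and not the commenter's own system. It assumes a per-column rule table and constructed sample rows; the output keeps each value's length and character classes but none of its content, and returns the step report the comment mentions.

```python
import random
import string

# Constructed sample "live" rows; no real people.
LIVE_ROWS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 7946 0123", "balance": 1520.55},
    {"id": 2, "name": "Bob Sample", "email": "bob.s@example.net",
     "phone": "+44 161 496 0456", "balance": 12.00},
]

def same_shape_text(value, rng):
    # Replace each letter/digit with a random one of the same class; keep
    # punctuation and length so the result still looks like the original field.
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)

# Hypothetical rule table: column name -> replacement function.
RULES = {
    "name": same_shape_text,
    "email": lambda v, rng: same_shape_text(v.split("@")[0], rng) + "@example.invalid",
    "phone": same_shape_text,
    # Random amount of the same order of magnitude, so totals stay realistic.
    "balance": lambda v, rng: round(rng.uniform(0, 10 ** len(str(int(v)))), 2),
}

def munge(rows, rules=RULES, seed=None):
    """Return (munged rows, report of what was done per column)."""
    rng = random.Random(seed)
    out = []
    for row in rows:
        new = {}
        for col, val in row.items():
            if col in rules and val is not None:
                new[col] = rules[col](val, rng)
            else:
                new[col] = val  # non-personal columns (e.g. ids) pass through
        out.append(new)
    columns = {c for row in rows for c in row}
    report = [f"column {c}: {'replaced' if c in rules else 'kept'} in {len(rows)} rows"
              for c in sorted(columns)]
    return out, report
```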
It's bonkers how often I've seen that over the years.
The reason I ask is that all "Big Four" auditors have been on my company that we need to be able to wipe customer data, but at the same time there are other laws saying we must keep a record of all data (financial) for many years. None of them can say what law will rule over the other one though since they are not compatible...
You also won't be able to keep backups of this data longer than is necessary for operational restore purposes (more on that below).
The rule is that you shouldn’t keep personal data for longer than is necessary for the purpose for which it was collected.
There are five exceptions to this, one of which is:
2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This addresses the need to meet other regulatory requirements that you mentioned.
You'll need to keep a metadata record of what you have deleted.
In the event that you have to restore data from a backup for operational purposes, you need to cross reference it to the record of deletions that occurred since the backup was created to ensure that any such data is either not restored, or is immediately deleted again.
This is only a fraction of an organization's obligations under GDPR, being those most directly relevant to your question.
Disclosure: I work for a company that provides solutions in this space.
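The restore-time cross-reference described in this comment, as an added example rather than the commenter's product: a deletion ledger that records only subject ids, timestamps and reasons (no personal data), and a restore step that suppresses any row whose subject was erased after the backup was taken and logs the suppression for audit. Sample backup rows and ledger entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Deletion:
    subject_id: str       # the key only; the ledger must not hold the erased data
    deleted_at: datetime
    reason: str           # e.g. "erasure request" or "retention period expired"

# Constructed sample: a backup snapshot and the ledger kept outside the backup.
BACKUP_TAKEN_AT = datetime(2018, 5, 1, 2, 0, tzinfo=timezone.utc)
BACKUP_ROWS = [
    {"subject_id": "u-100", "email": "a@example.org"},
    {"subject_id": "u-200", "email": "b@example.org"},
    {"subject_id": "u-300", "email": "c@example.org"},
]
LEDGER = [
    Deletion("u-050", datetime(2018, 4, 20, tzinfo=timezone.utc), "erasure request"),
    Deletion("u-200", datetime(2018, 5, 3, 9, 30, tzinfo=timezone.utc), "erasure request"),
    Deletion("u-300", datetime(2018, 5, 10, tzinfo=timezone.utc), "retention period expired"),
]

def deletions_since(ledger, backup_taken_at):
    """Subjects erased after the backup was taken: exactly the ones a naive
    restore would resurrect. Earlier deletions are already absent from the backup."""
    return {d.subject_id: d for d in ledger if d.deleted_at > backup_taken_at}

def restore(backup_rows, ledger, backup_taken_at):
    """Return (rows safe to restore, audit log of suppressed rows).

    Suppressing the row before it is written back is equivalent to restoring it
    and immediately deleting it again, but leaves no window in which it exists."""
    resurrected = deletions_since(ledger, backup_taken_at)
    kept, audit = [], []
    for row in backup_rows:
        d = resurrected.get(row["subject_id"])
        if d is None:
            kept.append(row)
        else:
            audit.append(f"suppressed {row['subject_id']}: deleted "
                         f"{d.deleted_at.isoformat()} ({d.reason})")
    return kept, audit
```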
In terms of technical implementation it'll be a bastard (or result in us holding backups for a shorter period), dumping your DB backups will mean that you still have the data outside of the period (for a lot of places).
It's going to be interesting.
I would not complete the transaction if that data was requested without very good reasons, and have already point-blank refused to take up 'incentives' for superfluous data. Leaves a very bad taste. Can we parade the marketing dept naked on TV, "just so we can send them a gift on their birthday?"
That can put even large players instantly out of business, so better take it seriously. The GDPR, unlike its predecessor, does not require per-country ratification and it has some pretty serious teeth.
just 2 cents from a GDPR pleb
Because businesses have shown us that the market does in no way lead to self-regulation, but rather the opposite.
I fully support it.
GDPR applies to all companies storing information on EU citizens. Those citizens should be allowed to know what data is held, where it is being stored and who has access to it.
This is not correct, as far as I am aware. A bit of a nit, but depending on context it can be important: The GDPR applies to all companies with legal presence within the EU storing information on any person, regardless of whether they are EU citizens or not.
So even if you only store personal data on foreign (e.g. US) citizens, you still need to follow the regulation.
"Who does the GDPR affect? The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location."
http://www.eugdpr.org/gdpr-faqs.html
The first point is covered in article 14:
"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."
The second in article 23:
"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment."
http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...
Is this really the case? All I've seen is praise.
1. Now I have to be responsible about the data I collect.
2. GDPR doesn’t go far enough and we should fix it now as it’ll be harder once it’s been enacted.