undefined | Better HN

0 pointsDanBC7y ago0 comments

> (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work

If the blog is purely personal the GDPR does not apply.

https://ico.org.uk/media/for-organisations/data-protection-r...

> The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

And if GDPR does apply you only have to do the extra work if the IP addresses can be used to identify a natural person. Note here "can be", not "is".

> Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

> (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

And article 4

1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

0 comments

tobltobs7y ago

"purely for personal/household activities."

IANAL but for me this doesn't sound like a blog, open to the public, maybe even with a public commenting system, would be freed from the burden of the GDPR.

IPs "can be", not "is" personal data

It doesn't help you that IPs are not always personal data, as soon as they can be, you have a problem if you store them.

j / k navigate · click thread line to collapse