Ask HN: How to comply with EU GDPR?

2 points by bruinjoe 8 years ago · 4 comments · 1 min read


My application needs to store the user's first name, last name, and email address to customize the user's experience. Europe's new General Data Protection Regulation (GDPR) law requires that the application not store any data that can identify the user. Any suggestions on how the application can comply with the law but also retain the customization based on an individual user?

termsfeed 8 years ago

GDPR allows you to store user data. It just adds more requirements about the collection, usage and sharing of user data.

For example, it emphasizes getting proper consent from users ("active consent"). You can find examples of this under the name "clickwrap", which is the "I agree to..." type of checkbox. [1] There are also additional requirements to keep in mind for your app [2]:

- You need to disclose data retention (how long you are planning to retain user data)
- User choices
- Disclosing whether you're the data controller or data processor
- Disclosing the data processors you work with (Google Analytics, Mixpanel)

[1] https://termsfeed.com/blog/browsewrap-clickwrap/

[2] https://www.slideshare.net/termsfeed/gdpr-privacy-policy

mtmail 8 years ago

You're allowed to store personalized information. The GDPR is about getting consent from the user (active opt-in), document how you use the data (including to whom you share it to), give the user an option to request any information you store about them, and deleting that data after use (e.g. when a user cancels their account).
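The two answers above list the same handful of obligations (recorded opt-in consent, a stated retention period, a way for users to request what is held about them, and deletion once the data is no longer needed). As an added example that is not part of the thread, the sketch below shows how those obligations map onto a small in-memory user store in Python. Everything in it is an assumption for illustration: the class and method names, the 30-day retention period, the "personalization" consent purpose, and the sample user.

```python
"""Added example (not from the thread): a minimal user store that records
active opt-in consent per purpose, only personalizes when consent is live,
answers a subject-access request with a machine-readable export, and purges
records a fixed time after account cancellation. All names and the retention
period are assumptions for illustration."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import json

RETENTION_DAYS = 30  # assumed policy: purge RETENTION_DAYS after cancellation


@dataclass
class ConsentRecord:
    purpose: str                       # e.g. "personalization"
    granted_at: str                    # ISO-8601 UTC; evidence of the opt-in
    withdrawn_at: Optional[str] = None


@dataclass
class UserRecord:
    user_id: str
    first_name: str
    last_name: str
    email: str
    consents: List[ConsentRecord] = field(default_factory=list)
    cancelled_at: Optional[str] = None


class UserStore:
    def __init__(self, now=None):
        self._users: Dict[str, UserRecord] = {}
        # Injectable clock so retention logic can be tested deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def register(self, user_id, first_name, last_name, email) -> UserRecord:
        rec = UserRecord(user_id, first_name, last_name, email)
        self._users[user_id] = rec
        return rec

    def grant_consent(self, user_id, purpose) -> None:
        # Active opt-in: a consent row exists only after an explicit action,
        # one per purpose, timestamped so it can be shown later.
        self._users[user_id].consents.append(
            ConsentRecord(purpose, self._now().isoformat()))

    def withdraw_consent(self, user_id, purpose) -> None:
        for c in self._users[user_id].consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = self._now().isoformat()

    def has_consent(self, user_id, purpose) -> bool:
        return any(c.purpose == purpose and c.withdrawn_at is None
                   for c in self._users[user_id].consents)

    def personalized_greeting(self, user_id) -> str:
        # The name is used only while consent for this purpose is live.
        u = self._users[user_id]
        if self.has_consent(user_id, "personalization"):
            return f"Welcome back, {u.first_name}!"
        return "Welcome back!"

    def export_subject_data(self, user_id) -> str:
        # Subject-access request: everything held about the user, as JSON.
        return json.dumps(asdict(self._users[user_id]), indent=2, sort_keys=True)

    def cancel_account(self, user_id) -> None:
        self._users[user_id].cancelled_at = self._now().isoformat()

    def erase(self, user_id) -> bool:
        # Immediate erasure on request; True if something was actually removed.
        return self._users.pop(user_id, None) is not None

    def purge_expired(self) -> List[str]:
        # Retention: drop cancelled accounts once RETENTION_DAYS have passed.
        cutoff = self._now() - timedelta(days=RETENTION_DAYS)
        expired = [uid for uid, u in self._users.items()
                   if u.cancelled_at
                   and datetime.fromisoformat(u.cancelled_at) <= cutoff]
        for uid in expired:
            del self._users[uid]
        return expired


def run_demo() -> dict:
    """Walk one constructed user through the lifecycle and return the outcomes."""
    clock = {"t": datetime(2018, 5, 25, tzinfo=timezone.utc)}
    store = UserStore(now=lambda: clock["t"])
    store.register("u1", "Ada", "Lovelace", "ada@example.com")  # constructed sample
    out = {"before_consent": store.personalized_greeting("u1")}
    store.grant_consent("u1", "personalization")
    out["after_consent"] = store.personalized_greeting("u1")
    store.withdraw_consent("u1", "personalization")
    out["after_withdrawal"] = store.personalized_greeting("u1")
    out["export"] = json.loads(store.export_subject_data("u1"))
    store.cancel_account("u1")
    out["purged_same_day"] = store.purge_expired()
    clock["t"] += timedelta(days=RETENTION_DAYS + 1)
    out["purged_after_retention"] = store.purge_expired()
    out["erase_after_purge"] = store.erase("u1")
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the design is that each obligation becomes a visible code path: a consent row with a timestamp is the evidence behind "active opt-in", the greeting checks that row rather than merely the presence of a name, the export is the answer to an access request, and the retention cut-off is a number in one place rather than an unwritten habit. In a real service the store would be a database table and the purge a scheduled job, but the shape is the same.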

billconan 8 years ago

How will EU enforce it? Say I run a small forum website from the States. Will they censor it if I don’t comply?

As much as I want to comply with it, I found it's difficult to comprehend its requirements and translate them into concrete code.

  • nynno 8 years ago

    They have the mechanisms to force (EU) law compliance; so far big enterprises (e.g., Amazon, Facebook, Google, ...) have been fined billions of EUR, even though these companies are from the States. I believe that micro/small businesses, if not inside the EU, can go under the radar.

    However, GDPR is so big, and it's here to stay, and my opinion is that it will, in the years to come, change the way companies handle personal data, not only for EU citizens.

    One interesting aspect of the GDPR is that you, for example, as a processor, must be compliant so that I, as a controller, will work with you. If you think about that, it will soon be evident that GDPR compliance can be strictly a business decision, like ISO certification.
