I'm sure many Governments would love to be able to so simply identify what their citizens do online though.
Source?
> This tells nginx to assign the $allow_visit variable a 0 for any users the GeoIP database specifies as coming from the “EU” continent.
Europe is the continent. The EU does not encompass all European countries. Doesn't this needlessly block non-EU European countries?
Just for fun, I would add
server {
# snip....
access_log off;
error_log off;
return 307 https://www.google.com/search?q=gdpr;
}
This, however, does give me an idea. Does anyone have an interest in a web framework which provides user/data management in a gdpr compliant way?
Assuming there is any significant adoption of your proposed solution to avoid GDPR rules the likelyhood is EU citizens will use VPN or Proxy services to bypass the restrictions.
I don’t think the use of a VPN would remove the GDPR obligations on the data controller or data processor.
I use third party tools to help worth logging and error tracking.
Its just not worth my time to support gdpr on a website that makes no money.
“I don’t have time to do all those structural calculations on top of all the properties I have to build”
“I don’t have time for all this silly human safety testing on top of all the drugs I have to develop”
Your statement is equivalent to the above. If you are unwilling to meet a relatively straightforward level or privacy and security for your users’ data, then personally I’m really glad that you’re going to prevent users from accessing it.
select * from x where user == “whoever”;
Or whatever the syntax is.
Alternatively: why are your personal projects storing that data in the first place? If you’re unwilling/unable to put the time into something as trivial as making an archive I’m assuming you also aren’t putting the time into making your data storage secure. Arguably securely storing data is harder than producing an archive.
Or are you saying that gdpr sucks because it actually requires you to care about user data?
Seriously if you think gdpr is “too hard” just. Do. Not. Store. User. Data.
This is not hard. Arguably it is easier and cheaper than any option, including filtering users.
I meant, respecting the law has been a thing for many years, you know? GDPR isn't really different.
I also think the 403 error page explaining that the GDPR is the reason the visitor can't access the page is a nice touch.
€20M is the minimum value for the upper limit of an Article 83(5) or Article 83(6) administrative fine; it's not a minimum fine, and a lesser value (€10M) applies as the corresponding base upper limit for some other violations.
Basically if you’re a small business your maximum fine is likely 20 million, if you’re a large one it’s 4% of your global revenue. The global revenue is needed because companies are perfectly happy moving their money around to minimize the amount of money they make in places that will fine and tax them. They’re also super good at manufacturing reasons that profit does not actually get recorded as profit. Also it’s generally accepted that fines and settlements are an expense, so you’d get a situation where ome fine would effectively discount another.
The wording says fines "up to 20,000,000 Euros"
"up to" usually implies a minimum, not a maximum.
So if the users are in the Union and you're not, you're still on the hook. If the users aren't in the Union, you're free and clear.
Also applies to EEA countries like Norway and Lichtenstein btw (source: am currently working on GDPR compliance in Norway).
If you can't be bothered to care about people's personal information, then maybe you don't need it in the first place.
“Up to” literally means a maximum.
The previous commenter said the fine was a 20m "minimum" fine. The GDPR text says it's "up to" 20m. I meant to say that that means it's a maximum.
"If you refuse to document every ingredient and possible allergic reaction when inviting friends over for dinner, then I'm really glad if you don't have any friends."
"If you don't create structural and safety calculations for your kids' tree fort, then I'm really glad when your kids fall out."
The point is, people need to be able to start small and then scale up if/when that makes sense. If everything has to start "big" (relatively speaking), then we will simply have fewer things, to the detriment of all.
GDPR provisions are not onerous, are easy to follow, and are what we should expect every company handling personal data to already be doing.
Also, I fail to see how not having time to build an archive system equates to the developer not storing their data securely? That's just an accusation you decided to make which is irrelevant and accusatory.
The point of this post was to show an easy way to ensure you're compliant in 15 lines of code. Building the archive system and associated subsystems will be more than that, without question. Just because you don't like this solution doesn't mean it isn't a solution.
* how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?
* literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.
Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data.
And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.
> how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?
I don't believe the point is that it cannot be pulled into an archive, but that collecting all the data that belongs in such an archive of an specific user (and that user alone) can easily be a very complex task for projects of certain size:available manpower ratio, to the point that showing a query to a relational database with a well defined schema as an example strikes me either as ignorance of the state of real world software development or a gargantuan middle finger.
> literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.
Depending on the project that can easily be the case. There's of course the fact that no one can really claim all their stored data is safe from malicious actors, just reasonably secure according to their knowledge and what they're aware their software does; so comparing its difficulty to other things seems overly simplistic.
And sure, there's a lot of things that will be harder than an archival feature regardless of the data storage mess a project may be in, but it does not diminish the work required to implement archival on many of those.
> Also, the thing that everyone seems he’ll bent on ignoring: you do not need an archive mechanism if you do not store data
Congratulations if you happened to store absolutely no PII when building your product. You not only have the luxury of being able to provide any value at all without data, you happened to not store things that a lot of people often don't consider PII but that the GDPR does such as IP addresses.
> And given we’ve known gdpr has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have there data set up so that archiving isn’t a monumentally challenging task.
Can we really pretend with a straight face that the overwhelmingly massive cost of changing legacy software can be handwaved away and that all new projects are developed by people that not only are aware of the GDPR (that's an absurdly minuscule amount of all software developers) but that they are competent enough to fully comply with everything in it? I've worked on HIPAA-compliant software, I've seen people that have been working for years in the industry (both health and software) screwing up and/or making extremely close calls. This is not "escape user input in SQL calls", this is a sizeable piece of regulation without a clear course of action for compliance that will fall on the laps of developers of all skills around the world.
Also realistically storage has never been cheap - it’s just that historically the only people for whom it was expensive were the users.